{"id":13845633,"url":"https://github.com/ShutdownRepo/targetedKerberoast","last_synced_at":"2025-07-12T03:31:22.057Z","repository":{"id":41318188,"uuid":"392083248","full_name":"ShutdownRepo/targetedKerberoast","owner":"ShutdownRepo","description":"Kerberoast with ACL abuse capabilities","archived":false,"fork":false,"pushed_at":"2024-10-27T20:57:32.000Z","size":237,"stargazers_count":344,"open_issues_count":0,"forks_count":49,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-11-12T17:52:37.731Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ShutdownRepo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":null,"patreon":"nwodtuhs","open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2021-08-02T20:19:35.000Z","updated_at":"2024-11-12T03:05:58.000Z","dependencies_parsed_at":"2022-08-10T01:54:11.445Z","dependency_job_id":"44943783-79ac-486a-bfcf-907cd14be1ce","html_url":"https://github.com/ShutdownRepo/targetedKerberoast","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShutdownRepo%2FtargetedKerberoast","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShutdownRepo%2FtargetedKerberoast/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShutdownRepo%2FtargetedKerberoast/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShutdownRepo%2FtargetedKerberoast/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ShutdownRepo","download_url":"https://codeload.github.com/ShutdownRepo/targetedKerberoast/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225791368,"owners_count":17524771,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:03:31.092Z","updated_at":"2025-07-12T03:31:22.049Z","avatar_url":"https://github.com/ShutdownRepo.png","language":"Python","funding_links":["https://patreon.com/nwodtuhs"],"categories":["Python"],"sub_categories":[],"readme":"# targetedKerberoast\n\ntargetedKerberoast is a Python script that can, like many others (e.g. [GetUserSPNs.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py)), print \"kerberoast\" hashes for user accounts that have a SPN set. \nThis tool brings the following additional feature: for each user without SPNs, it tries to set one (abuse of a write permission on the `servicePrincipalName` attribute), print the \"kerberoast\" hash, and delete the temporary SPN set for that operation. This is called targeted Kerberoasting.\nThis tool can be used against all users of a domain, or supplied in a list, or one user supplied in the CLI.\n\nMore information about this attack\n - [The Hacker Recipes - Kerberoast](https://www.thehacker.recipes/ad/movement/kerberos/kerberoast)\n - [The Hacker Recipes - Targeted Kerberoasting](https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting)\n\n# Usage\n\nThis tool supports the following authentications\n - (NTLM) Cleartext password\n - (NTLM) [Pass-the-hash](https://www.thehacker.recipes/active-directory-domain-services/movement/lm-and-ntlm/pass-the-hash)\n - (Kerberos) Cleartext password\n - (Kerberos) [Pass-the-key](https://www.thehacker.recipes/ad/movement/kerberos/ptk) / [Overpass-the-hash](https://www.thehacker.recipes/ad/movement/kerberos/opth)\n - (Kerberos) [Pass-the-cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc) (type of [Pass-the-ticket](https://www.thehacker.recipes/ad/movement/kerberos/ptt))\n\nAmong other things, targetedKerberoast supports multi-level verbosity, just append `-v`, `-vv`, ... to the command :)\n\n```\nusage: targetedKerberoast.py [-h] [-v] [-q] [-D TARGET_DOMAIN] [-U USERS_FILE] [--request-user username] [-o OUTPUT_FILE] [--use-ldaps] [--only-abuse] [--no-abuse] [--dc-ip ip address] [-d DOMAIN] [-u USER]\n                             [-k] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key]\n\nQueries target domain for SPNs that are running under a user account and operate targeted Kerberoasting\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -v, --verbose         verbosity level (-v for verbose, -vv for debug)\n  -q, --quiet           show no information at all\n  -D TARGET_DOMAIN, --target-domain TARGET_DOMAIN\n                        Domain to query/request if different than the domain of the user. Allows for Kerberoasting across trusts.\n  -U USERS_FILE, --users-file USERS_FILE\n                        File with user per line to test\n  --request-user username\n                        Requests TGS for the SPN associated to the user specified (just the username, no domain needed)\n  -o OUTPUT_FILE, --output-file OUTPUT_FILE\n                        Output filename to write ciphers in JtR/hashcat format\n  -f {hashcat,john}, --output-format {hashcat,john}\n                        Output format (default is \"hashcat\", \"john\" prepends usernames)\n  --use-ldaps           Use LDAPS instead of LDAP\n  --only-abuse          Ignore accounts that already have an SPN and focus on targeted Kerberoasting\n  --no-abuse            Don't attempt targeted Kerberoasting\n\nauthentication \u0026 connection:\n  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter\n  -d DOMAIN, --domain DOMAIN\n                        (FQDN) domain to authenticate to\n  -u USER, --user USER  user to authenticate with\n\nsecrets:\n  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the\n                        command line\n  --no-pass             don't ask for password (useful for -k)\n  -p PASSWORD, --password PASSWORD\n                        password to authenticate with\n  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH\n                        NT/LM hashes, format is LMhash:NThash\n  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)\n```\n\nBelow is an example what the tool can do.\n\n![](./.assets/example.png)\n\n# Credits and references\n\nCredits to the whole team behind [Impacket](https://github.com/SecureAuthCorp/impacket/) and its contributors.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FShutdownRepo%2FtargetedKerberoast","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FShutdownRepo%2FtargetedKerberoast","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FShutdownRepo%2FtargetedKerberoast/lists"}