Kerberoasting
Kerberoasting is a workflow: identify the right SPN, request the ticket, crack offline, and prove the credential works.
The drill provides simulated LDAP and KDC endpoints on loopback. Enumerate enabled SPN accounts, avoid disabled decoys, roast the useful service, and authenticate to the protected share.
Variants change the service account, SPN, password, and directory noise while preserving the same atomic Kerberoasting technique.
How the attack works
- Enumerate accounts with a Service Principal Name set — the roastable ones.
- Request a service ticket for the useful SPN and extract its encrypted blob.
- Crack the ticket hash offline against the wordlist to recover the service password:
  hashcat -m 13100 ticket.hash wordlist.txt
- Authenticate with the recovered credential to reach the protected resource.
On PwnKata the binary, account, and paths change every rep — so you drill the recognition, not this exact command.
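The same four steps leave a footprint a blue team can key on: every service ticket request is logged by the KDC as Windows Security Event 4769, and a roasting run shows up as one client asking for tickets to many distinct user-owned SPNs in a short burst, often with the RC4-HMAC encryption type (0x17). The following detector is an added example for this page, not drill code or PwnKata tooling; the log lines are constructed samples in a flattened key=value form whose field names mirror the real 4769 event fields, and the threshold (three SPNs) and five-minute window are assumed tuning values.

```python
"""Detection sketch for Kerberoasting over Windows Security Event 4769
(Kerberos service ticket request). It flags a (client IP, requesting user)
pair that requests tickets for several distinct user-account SPNs inside a
sliding window and reports how many of those were RC4-HMAC (etype 0x17).
The log lines are constructed samples, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records: timestamp followed by key=value pairs whose names
# match the event's XML fields. Machine accounts end in '$'.
SAMPLE_4769 = """\
2024-05-01T09:00:01 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.0.0.5 Status=0x0
2024-05-01T09:00:02 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.5 Status=0x0
2024-05-01T09:00:02 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.5 Status=0x0
2024-05-01T09:00:03 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.5 Status=0x0
2024-05-01T09:00:03 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_old TicketEncryptionType=0x17 IpAddress=10.0.0.5 Status=0x0
2024-05-01T09:05:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.9 Status=0x0
2024-05-01T09:06:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.9 Status=0x0
"""


def parse_4769(line):
    """Parse one flattened record into a dict; return None for any other event."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    if fields.get("EventID") != "4769":
        return None
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def is_roastable_request(ev):
    """Successful ticket requests for user accounts only: machine accounts
    (trailing '$') and krbtgt have long random keys and are not the target."""
    svc = ev["ServiceName"]
    return ev["Status"] == "0x0" and not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoast(log_text, min_spns=3, window=timedelta(minutes=5)):
    """Return one alert per (client IP, requesting user) that asked for at
    least `min_spns` distinct user-account SPNs within any `window`-long span.
    Threshold and window are assumed tuning values."""
    events = [e for e in map(parse_4769, log_text.splitlines())
              if e and is_roastable_request(e)]
    events.sort(key=lambda e: e["ts"])

    by_source = defaultdict(list)
    for e in events:
        by_source[(e["IpAddress"], e["TargetUserName"])].append(e)

    alerts = []
    for (ip, user), evs in by_source.items():
        for i, start in enumerate(evs):  # slide the window over this source
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            spns = sorted({e["ServiceName"] for e in in_window})
            if len(spns) >= min_spns:
                rc4 = sum(1 for e in in_window if e["TicketEncryptionType"] == "0x17")
                alerts.append({"ip": ip, "user": user, "spns": spns,
                               "rc4_requests": rc4,
                               "first_seen": start["ts"].isoformat()})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_4769):
        print(f"[ALERT] {alert['user']} from {alert['ip']} requested "
              f"{len(alert['spns'])} user SPNs ({alert['rc4_requests']} RC4) "
              f"starting {alert['first_seen']}: {', '.join(alert['spns'])}")
```

On the sample, alice's burst against four service accounts produces one alert while bob's single request does not. In production the window and threshold should be tuned against normal ticket volume, and the RC4 count is the stronger signal on a domain where AES is the default for service accounts, since a legitimate client rarely asks for an RC4-only ticket there.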
What you'll practice
Recover the flag at /root/flag.txt and submit it.
Drill this now
Spin up a live isolated target and start practicing in seconds — free.