Kerberoasting is where a service ticket is used to brute force a service password. This password can then be used to either move laterally or (if the service runs with elevated privileges) to elevate your privileges. Note that not every account is kerberoastable; the Kali Linux tool Bloodhound can be used to identify potentially kerberoastable accounts.
Impacket
Kerberoasting with Impacket
Impacket can identify kerberoastable accounts and dump packets remotely. It comes standard with Kali Linux.
The password hashes output here can then be cracked with Hashcat (use the 13100 hash mode).
Link to original
Rubeus
Kerberoasting with Rubeus
The password hashes output here can then be cracked with Hashcat (use the 13100 hash mode).
Link to original
Invoke-Kerberoast
The Invoke-Kerberoast
PowerShell module can be used to create a dump of service tickets that can then be attacked offline using Hashcat or John the Ripper. (Note that calling Out-File with the -Width 8000
option is important in the below example, as otherwise the ticket can be truncated!)
Defenses
The main defenses against kerberoasting are (1) strong passwords and (2) making sure you’re not running any services as domain admin (which you shouldn’t need to do in this day and age anyway).