Any authenticated domain user can request a service ticket for an account that has an SPN. The ticket is encrypted with the account's password hash, so it can be cracked offline to recover the password.

| Username | SPN | Hash (crack this) | Status |
|---|---|---|---|
| john.smith | HTTP/webserver.corp.local | b56e0b4ea4962283bee762525c2d490f | Kerberoastable |
| svc_sql | MSSQLSvc/sqlserver.corp.local:1433 | f5603806582528dcbd85c58ff552cd6c | Kerberoastable |
| svc_iis | HTTP/iisserver.corp.local | d1a1674cc2138e76e4477654e1e7c1e6 | Kerberoastable |

In a real attack: use Impacket GetUserSPNs.py or Rubeus to request tickets, then crack the hash with Hashcat: `hashcat -m 13100 hash.txt wordlist.txt`
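
On the defending side, the ticket requests described above are logged on the domain controller as Security event 4769. The following is an added example, not part of the original page: it flags a requester who obtains RC4 tickets (encryption type 0x17, the type hashcat mode 13100 handles) for several user-account services within a short window. The requester names, timestamps, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23: the ticket type hashcat mode 13100 targets

# Constructed sample of event 4769 fields (not real log data):
# (time, TargetUserName, ServiceName, TicketEncryptionType, Status)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "alice@CORP.LOCAL", "svc_sql", "0x12", "0x0"),
    ("2024-01-10T09:02:10", "lowpriv.user@CORP.LOCAL", "john.smith", "0x17", "0x0"),
    ("2024-01-10T09:02:11", "lowpriv.user@CORP.LOCAL", "svc_sql", "0x17", "0x0"),
    ("2024-01-10T09:02:13", "lowpriv.user@CORP.LOCAL", "svc_iis", "0x17", "0x0"),
    ("2024-01-10T09:02:14", "lowpriv.user@CORP.LOCAL", "DC01$", "0x12", "0x0"),
    ("2024-01-10T09:05:00", "bob@CORP.LOCAL", "svc_iis", "0x17", "0x0"),
    # Three RC4 requests spread over hours: outside the window, not flagged.
    ("2024-01-10T10:00:00", "carol@CORP.LOCAL", "svc_sql", "0x17", "0x0"),
    ("2024-01-10T11:00:00", "carol@CORP.LOCAL", "svc_iis", "0x17", "0x0"),
    ("2024-01-10T12:00:00", "carol@CORP.LOCAL", "john.smith", "0x17", "0x0"),
]

def find_roasting(events, window=timedelta(seconds=60), threshold=3):
    """Return {requester: sorted services} for requesters that obtained RC4
    tickets for >= threshold distinct user-account services inside window."""
    per_user = defaultdict(list)
    for when, requester, service, etype, status in events:
        if status != "0x0":                  # failed requests yield no ticket
            continue
        if int(etype, 16) != RC4_HMAC:       # AES tickets are out of scope here
            continue
        if service.endswith("$") or service.lower() == "krbtgt":
            continue                         # machine accounts and TGT service
        per_user[requester.lower()].append(
            (datetime.fromisoformat(when), service.lower()))

    flagged = {}
    for requester, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):         # sliding time window
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                flagged.setdefault(requester, set()).update(services)
    return {user: sorted(svcs) for user, svcs in flagged.items()}

if __name__ == "__main__":
    for user, services in find_roasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

Where legacy systems still negotiate RC4, the window and threshold need tuning against normal traffic before alerting on the result.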