NTLM Kerberos bcrypt Wallets File Recovery Database Hashes WiFi Cracking Disk Encryption About Get Started
ENES中文RU
HashCrack → Kerberos Hash Cracking

Kerberos Hash Cracking Service

Crack Kerberoast TGS-REP and AS-REP roasting tickets. All encryption types: RC4, AES-128, AES-256. Modes 13100, 18200, 19600, 19700, 19800, 19900.

Submit Kerberos Hash →

What Is Kerberoasting?

Kerberoasting is an Active Directory attack where an authenticated domain user requests TGS tickets for service accounts. These tickets are encrypted with the service account's password hash, allowing offline cracking without triggering lockouts.

Tools like Rubeus, GetUserSPNs.py (Impacket), and Invoke-Kerberoast extract these tickets for hashcat.

All Kerberos Hash Types We Crack

Kerberoasting — TGS-REP Tickets

TGS-REP RC4-HMAC (etype 23) — Mode 13100

Most common and fastest. RC4-encrypted tickets use the NTLM hash as the key. Speed comparable to raw NTLM.

TGS-REP AES-128 (etype 17) — Mode 19600

PBKDF2 (4096 iterations), significantly slower than RC4. Found in environments that disabled RC4.

TGS-REP AES-256 (etype 18) — Mode 19700

Same PBKDF2 (4096 iterations) as AES-128 with larger key. Strongest Kerberos encryption, ~1000x slower than RC4.

AS-REP Roasting

Targets accounts with "Do not require Kerberos preauthentication." Tools: GetNPUsers.py, Rubeus asreproast.

AS-REP RC4 (etype 23) — Mode 18200

Most common AS-REP hash. Same speed as TGS-REP RC4.

AS-REP AES-128/256 — Modes 19800/19900

Slower AES variants. When DC enforces AES-only authentication.

Quick Reference

AttackEncryptionModeSpeed
TGS-REPRC4 (etype 23)13100Fast
TGS-REPAES-128 (etype 17)19600Medium
TGS-REPAES-256 (etype 18)19700Medium
AS-REPRC4 (etype 23)18200Fast
AS-REPAES-128/25619800/19900Medium

Our Kerberos Cracking Pipeline

  1. Targeted wordlists — Service-specific passwords, company-name variants, seasonal patterns
  2. Rule-based mutations — Comprehensive rules covering corporate password policies
  3. Mask attacks — Common patterns like Svc_[name][year]!
  4. Full dictionary + rules — Complete wordlist library with extended rule sets

Pricing

All Kerberos types: from $150 per hash. Bulk pricing available. No result = no charge.

FAQ

What's the success rate?
For RC4: very high, similar to NTLM. For AES: lower due to cost, but service accounts often have weak passwords.
RC4 vs AES — difference for cracking?
RC4 is ~1000x faster. AES uses PBKDF2 with 4096 iterations. AES-128 and AES-256 have similar cracking speed.
Can you crack AS-REP hashes?
Yes — all three variants: RC4 (18200), AES-128 (19800), AES-256 (19900).
What tools extract Kerberos tickets?
Kerberoasting: Rubeus, GetUserSPNs.py, Invoke-Kerberoast. AS-REP: Rubeus asreproast, GetNPUsers.py.

Related Services

NTLM Hash Cracking →
Active Directory NTLM, NetNTLMv2, DCC2
bcrypt / Web Hash Cracking →
WordPress, bcrypt, phpass, OpenCart
Crypto Wallet Recovery →
MetaMask, Bitcoin, Ethereum wallets

Have Kerberos Tickets
That Need Cracking?

Send your TGS-REP hash. Free assessment within hours.

@HashCrackNet contact@hashcrack.net