
Kerberoasting explained simply.

Kerberoasting lets any ordinary domain user request an encrypted ticket for a service account and then crack its password offline, with no special privileges and almost no noise. Here is how the attack works and why weak service-account passwords make it so dangerous.

TL;DR

Kerberoasting is an Active Directory attack where a normal authenticated user requests a Kerberos service ticket (TGS) for any account that has a Service Principal Name (SPN). Part of that ticket is encrypted with the service account’s password hash, so the attacker takes it offline and brute-forces the password with tools like Hashcat. It needs no elevated rights and triggers no failed-logon alarms, which is why service accounts with weak, non-expiring passwords are one of the most reliable footholds toward Domain Admin.

By John Dill, Red Team Lead, SecureLayer7

How the attack works

Kerberos was built so that the ticket for a service is encrypted with that service account’s password. That design detail is the whole vulnerability.

  1. Any authenticated user asks the Domain Controller for a service ticket (TGS) for a target service, identified by its SPN. The DC hands it over because requesting tickets is a normal, allowed action.
  2. Part of the returned ticket is encrypted with the service account’s NTLM hash, often using the weak RC4 algorithm.
  3. The attacker takes the ticket offline and runs a password-cracking tool against it. If the service account’s password is guessable, it falls.

Tools such as Rubeus and Impacket’s GetUserSPNs automate the request, and Hashcat does the cracking, entirely off the network.

Why it is so effective

Three things make Kerberoasting a favourite:

  • No privileges required. Any single domain account can request the tickets. One phished user is enough.
  • It is quiet. The ticket request is normal Kerberos traffic and the cracking happens offline, so there are no failed logons or lockouts to alert on.
  • Service accounts are weak. They often have passwords set years ago by a human, never rotated, and the account is frequently a member of a privileged group so it can do its job. A cracked service-account password can hand over high privileges directly.

What attackers look for

Not every SPN is worth cracking. Attackers prioritise:

  • Accounts that are members of privileged groups (a kerberoastable Domain Admin is the jackpot).
  • Accounts with old passwords (the pwdLastSet date gives it away).
  • Accounts that still accept RC4 encryption, which cracks far faster than AES.

BloodHound flags kerberoastable accounts and shows which ones have a path to high privilege, so the attacker spends cracking time only where it pays.

How to defend against it

You cannot turn Kerberos off, but you can make Kerberoasting fail:

  • Use Group Managed Service Accounts (gMSAs), where Windows manages a long, random, auto-rotating password no human can guess.
  • For any remaining service account, set a long passphrase (25+ characters) so offline cracking is infeasible.
  • Do not put service accounts in Domain Admins. Grant the minimum rights the service needs.
  • Disable RC4 for Kerberos where you can, forcing the stronger AES encryption.
  • Monitor for a single account requesting many service tickets in a short window.
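The last bullet as a working check, added here as an example and not part of the original article: a small Python detector run over a constructed sample of Windows Security Event ID 4769 ("A Kerberos service ticket was requested") lines. The one-line log format, account names and service names are assumed for the example; encryption type 0x17 is RC4-HMAC, 0x12 is AES256.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4769 events flattened to one line each (format assumed
# for this example). "bob" requests four different services in four seconds,
# all with RC4 (0x17): the pattern the last defence bullet says to watch for.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 EventID=4769 Account=alice@CORP.LOCAL Service=MSSQLSvc/db01 EncType=0x12
2024-05-01T09:00:05 EventID=4769 Account=alice@CORP.LOCAL Service=HTTP/web01 EncType=0x12
2024-05-01T09:10:00 EventID=4769 Account=bob@CORP.LOCAL Service=MSSQLSvc/db01 EncType=0x17
2024-05-01T09:10:01 EventID=4769 Account=bob@CORP.LOCAL Service=HTTP/web01 EncType=0x17
2024-05-01T09:10:02 EventID=4769 Account=bob@CORP.LOCAL Service=CIFS/file01 EncType=0x17
2024-05-01T09:10:03 EventID=4769 Account=bob@CORP.LOCAL Service=svc_backup EncType=0x17
2024-05-01T09:00:07 EventID=4768 Account=carol@CORP.LOCAL Service=krbtgt EncType=0x12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Service=(?P<svc>\S+) EncType=(?P<etype>0x[0-9a-fA-F]+)$"
)
RC4_HMAC = 0x17  # etype 23; AES128/AES256 are 0x11/0x12

def parse_events(text):
    """Keep only 4769 (service ticket requested) events, parsed to dicts."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        if m["eid"] == "4769":
            out.append({"ts": datetime.fromisoformat(m["ts"]), "acct": m["acct"],
                        "svc": m["svc"], "rc4": int(m["etype"], 16) == RC4_HMAC})
    return out

def find_roasting_bursts(events, window=timedelta(minutes=5), threshold=4):
    """Flag accounts that requested tickets for >= threshold distinct services
    within any span of length `window`. Returns {account: (services, rc4_count)}."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e["acct"]].append(e)
    flagged = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, last in enumerate(evs):
            while last["ts"] - evs[start]["ts"] > window:  # slide window forward
                start += 1
            span = evs[start:end + 1]
            n = len({e["svc"] for e in span})
            if n >= threshold and n > flagged.get(acct, (0, 0))[0]:
                flagged[acct] = (n, sum(e["rc4"] for e in span))
    return flagged
```

Tune `window` and `threshold` to your environment's normal ticket volume; a high RC4 share in a flagged burst is the stronger signal, since the attacker chooses the weaker encryption type when the account still allows it.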
