Kerberoasting
What is Kerberoasting?
An offline password attack that requests Kerberos service tickets for service accounts and cracks the encrypted portion to recover their cleartext passwords.
Kerberoasting abuses the fact that any authenticated domain user can request a TGS for any service principal (SPN) and that the ticket is encrypted with the service account's password hash. An attacker enumerates SPNs, requests TGS tickets (commonly with Rubeus or Impacket's GetUserSPNs), exports them, and cracks them offline using Hashcat or John the Ripper. Service accounts with weak, non-rotated passwords frequently fall in hours. MITRE ATT&CK records the technique as T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting). Defences include long random passwords or gMSA for service accounts, AES-only Kerberos, restricting SPNs on privileged accounts, and alerting on bulk TGS requests with RC4 encryption.
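The last defence listed above, alerting on bulk TGS requests with RC4 encryption, is the one most teams can implement from existing telemetry. The following is an added example written for this page, not code from the original entry or from any of the tools it names. It runs a simple sliding-window rule over a constructed, simplified extract of Windows Security event 4769 ("A Kerberos service ticket was requested"); the field names `account`, `service_name`, `etype` and `ip` are assumptions for the example (the real event carries TargetUserName, ServiceName, TicketEncryptionType and IpAddress), and the sample events are invented data.

```python
"""Added example (not from the page): a detection sketch for the control
"alert on bulk TGS requests with RC4 encryption".

The events below are a constructed, simplified extract of Windows Security
event 4769 ("A Kerberos service ticket was requested"). Field names are
assumptions for this example; the real event carries TargetUserName,
ServiceName, TicketEncryptionType and IpAddress.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType 0x17 = RC4-HMAC; 0x11 / 0x12 are AES


def _event(time, account, service_name, etype, ip):
    return {"time": time, "account": account,
            "service_name": service_name, "etype": etype, "ip": ip}


# Constructed sample events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    # Normal user: two AES tickets over a morning.
    _event("2024-05-01T09:00:01", "alice", "svc_sql", 0x12, "10.0.0.5"),
    _event("2024-05-01T09:00:30", "alice", "svc_web", 0x12, "10.0.0.5"),
    # Legacy client hammering one RC4-only service: noisy, but a single SPN.
    *[_event(f"2024-05-01T09:01:{s:02d}", "bob", "svc_legacy", 0x17, "10.0.0.6")
      for s in range(0, 60, 10)],
    # Six distinct service accounts requested with RC4 within 30 seconds.
    *[_event(f"2024-05-01T09:10:{s:02d}", "eve", f"svc_{n}", 0x17, "10.0.0.7")
      for s, n in zip(range(0, 30, 5),
                      ["sql", "web", "backup", "sccm", "exch", "iis"])],
    # Machine-account service (name ends in $): not a roastable target.
    _event("2024-05-01T09:10:40", "eve", "DC01$", 0x17, "10.0.0.7"),
    # Same count of RC4 requests as eve, but spread ten minutes apart.
    *[_event(f"2024-05-01T10:{i * 10:02d}:00", "carol", f"svc_slow{i}", 0x17, "10.0.0.8")
      for i in range(6)],
]


def is_candidate(event):
    """True for an RC4 service ticket against a user-type service account.

    Machine accounts (names ending in '$') have long random passwords and are
    skipped; krbtgt entries are TGT renewals rather than service tickets.
    """
    svc = event["service_name"]
    return (event["etype"] == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Return {account: [service accounts]} for every requester that asked for
    at least `threshold` distinct RC4 service tickets inside any `window`.

    Counting distinct services (not raw events) keeps a chatty legacy client
    that re-requests one RC4 ticket from tripping the rule, while a single
    sweep across many SPNs does.
    """
    by_account = defaultdict(list)
    for e in events:
        if is_candidate(e):
            by_account[e["account"]].append(
                (datetime.fromisoformat(e["time"]), e["service_name"]))

    alerts = {}
    for account, reqs in by_account.items():
        reqs.sort()
        best, start = set(), 0
        for end in range(len(reqs)):
            # Slide the window start forward until it spans at most `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= threshold:
            alerts[account] = sorted(best)
    return alerts


if __name__ == "__main__":
    for account, services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {len(services)} RC4 TGS in window -> {services}")
```

On the sample data only `eve` trips the rule: `bob` repeats one service, `carol` spreads her requests out, and the `DC01$` request is discounted. The window and threshold are tuning knobs; once a domain has moved service accounts to AES-only Kerberos, the threshold can drop to one, because any RC4 service ticket for a user-type SPN is then anomalous on its own.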
● Examples
- 01: Running Rubeus kerberoast on a low-privileged user to harvest TGS tickets, then cracking them with Hashcat.
- 02: Discovering that a Domain Admin has an SPN with a weak password, then escalating to domain compromise.
● Frequently asked questions
What is Kerberoasting?
An offline password attack that requests Kerberos service tickets for service accounts and cracks the encrypted portion to recover their cleartext passwords. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Kerberoasting?
Defences for Kerberoasting combine technical controls and operational practices: long random passwords or gMSAs for service accounts, AES-only Kerberos, keeping SPNs off privileged accounts, and alerting on bulk TGS requests with RC4 encryption, as detailed in the full definition above.
● Related terms
- identity-access № 584
Kerberos
A ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to enable secure single sign-on across services.
- identity-access № 013
Active Directory
Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
- identity-access № 1011
Service Account
A non-human identity used by an application, script, or service to authenticate to other systems, typically without interactive login.
- attacks № 1045
Silver Ticket
A forged Kerberos service ticket (TGS) created with the password hash of a target service account, granting silent access to that one service.
- defense-ops № 467
Hashcat
An open-source, GPU-accelerated password-recovery tool that cracks hundreds of hash and authentication algorithms using dictionary, rule, mask, and hybrid attacks.
- defense-ops № 229
Credential Access
The MITRE ATT&CK tactic (TA0006) that covers techniques used to steal account names, passwords, tokens, and other secrets.
● See also
- № 107 BloodHound
- № 682 Mimikatz
- № 487 Honeyuser