Kerberoasting
What is Kerberoasting?
Kerberoasting: an offline password attack that requests Kerberos service tickets for service accounts and cracks the encrypted portion to recover their cleartext passwords.
Kerberoasting, first described by Tim Medin at DerbyCon 2014, abuses a core property of Kerberos: any authenticated domain user can request a service ticket (TGS-REP) for any Service Principal Name (SPN), and part of that ticket is encrypted with the service account's NTLM password hash. The attacker never touches the target service — they enumerate SPNs (via LDAP, setspn, Rubeus, or Impacket's GetUserSPNs), request the tickets, export the encrypted blobs, and crack them offline with Hashcat (mode 13100) or John the Ripper. No elevated rights and no lockouts are involved, so service accounts with weak, non-rotated passwords often fall in hours.
The risk is highest with legacy RC4-HMAC (etype 23) tickets, which crack far faster than AES; attackers frequently downgrade requests to RC4 on purpose. MITRE ATT&CK tracks this as T1558.003. It is a favourite of ransomware affiliates and was central to widely reported Active Directory compromises because service accounts are commonly over-privileged. Defences: use 25+ character random passwords or group Managed Service Accounts (gMSA/dMSA) with automatic rotation, enforce AES encryption types, remove unnecessary SPNs from privileged accounts, deploy honeypot SPNs, and alert on Event ID 4769 showing bulk RC4 ticket requests.
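The last defence above, alerting on Event ID 4769 records that show bulk RC4 ticket requests, is shown here as an added detection example that is not part of the original page. The event records are constructed, reduced to the fields a SIEM would normally extract, and the field names and the threshold of three distinct service accounts are assumptions.

```python
from collections import defaultdict

# Constructed sample Event ID 4769 records (Kerberos service ticket requests),
# reduced to: requesting account, target service (SPN) account, ticket
# encryption type and failure code. Not real log data.
SAMPLE_4769 = [
    {"account": "jdoe@CORP.LOCAL",   "service": "svc_sql", "etype": 0x17, "status": "0x0"},
    {"account": "jdoe@CORP.LOCAL",   "service": "svc_web", "etype": 0x17, "status": "0x0"},
    {"account": "jdoe@CORP.LOCAL",   "service": "svc_bkp", "etype": 0x17, "status": "0x0"},
    {"account": "jdoe@CORP.LOCAL",   "service": "svc_iis", "etype": 0x17, "status": "0x0"},
    {"account": "jdoe@CORP.LOCAL",   "service": "svc_adm", "etype": 0x17, "status": "0x0"},
    {"account": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": 0x12, "status": "0x0"},
    {"account": "asmith@CORP.LOCAL", "service": "krbtgt",  "etype": 0x17, "status": "0x0"},
    {"account": "WS01$@CORP.LOCAL",  "service": "WS02$",   "etype": 0x17, "status": "0x0"},
    {"account": "bob@CORP.LOCAL",    "service": "svc_sql", "etype": 0x17, "status": "0x1F"},
]

RC4_HMAC = 0x17  # Kerberos encryption type 23 (RC4-HMAC), the cheap-to-crack case

def is_rc4_service_request(ev):
    """True for a successful TGS request for a user-style SPN issued with RC4."""
    if ev["status"] != "0x0" or ev["etype"] != RC4_HMAC:
        return False
    svc = ev["service"]
    # krbtgt (TGT traffic) and computer accounts (trailing $) commonly use RC4
    # legitimately and would drown the signal, so they are excluded.
    return svc.lower() != "krbtgt" and not svc.endswith("$")

def kerberoast_candidates(events, threshold=3):
    """Return {requesting account: sorted distinct service accounts} for every
    requester that pulled RC4 tickets for at least `threshold` distinct SPNs."""
    per_account = defaultdict(set)
    for ev in events:
        if is_rc4_service_request(ev):
            per_account[ev["account"]].add(ev["service"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items()
            if len(svcs) >= threshold}

if __name__ == "__main__":
    for acct, svcs in kerberoast_candidates(SAMPLE_4769).items():
        print(f"ALERT bulk RC4 TGS requests by {acct}: {len(svcs)} SPNs -> {', '.join(svcs)}")
```

In the sample, only jdoe trips the rule; the AES request, the krbtgt ticket, the computer-account ticket and the failed request are all filtered out before counting.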
```mermaid
flowchart TD
    A[Low-priv domain user] -->|"1. Enumerate SPNs via LDAP"| B[Active Directory]
    A -->|"2. Request TGS for SPN (force RC4)"| C[KDC / Domain Controller]
    C -->|"3. TGS-REP encrypted with<br/>service account hash"| A
    A -->|"4. Export ticket"| D[Offline cracking<br/>Hashcat mode 13100]
    D -->|"5. Weak password recovered"| E[Service account compromise<br/>→ lateral movement / DA]
```
● Examples
- 01: Running Rubeus kerberoast on a low-privileged user to harvest TGS tickets, then cracking them with Hashcat.
- 02: Discovering that a Domain Admin has an SPN with a weak password, then escalating to domain compromise.
● Frequently asked questions
What is Kerberoasting?
An offline password attack that requests Kerberos service tickets for service accounts and cracks the encrypted portion to recover their cleartext passwords. It belongs to the Attacks & Threats category of cybersecurity.
What does Kerberoasting mean?
An offline password attack that requests Kerberos service tickets for service accounts and cracks the encrypted portion to recover their cleartext passwords.
How do you defend against Kerberoasting?
Defences for Kerberoasting typically combine technical controls and operational practices, as detailed in the full definition above.