Kerberoasting is a post-exploitation attack where an authenticated domain user requests Ticket Granting Service (TGS) tickets for service principal names (SPNs) and extracts the encrypted portions for offline cracking. The attacker leverages the fact that any domain user can request a TGS for any service account, and the ticket is encrypted with the service account's NTLM hash.
Glossary
Kerberoasting

What is Kerberoasting?
Kerberoasting is an attack technique that exploits the Kerberos authentication protocol to extract password hashes for Active Directory service accounts, enabling offline brute-force cracking.
Once the TGS ticket is captured, the attacker performs an offline brute-force attack against the encrypted material to recover the plaintext password. Service accounts often have elevated privileges and weak, rarely rotated passwords, making Kerberoasting a high-impact lateral movement vector in Active Directory environments.
Key Characteristics of Kerberoasting
Kerberoasting exploits the Kerberos authentication protocol to extract crackable password hashes for service accounts, enabling lateral movement and privilege escalation.
Offline Brute-Force Cracking
The core advantage of Kerberoasting is that the attack shifts password cracking offline. The attacker requests a Ticket Granting Service (TGS) ticket for a target Service Principal Name (SPN). The encrypted portion of this ticket is encrypted with the service account's NTLM hash. Once extracted from memory, the attacker can attempt to crack this hash using tools like Hashcat or John the Ripper without generating network traffic or triggering account lockout policies. This makes detection significantly harder compared to online brute-force attacks.
Service Account Targeting
Kerberoasting specifically targets service accounts registered with a Service Principal Name (SPN) in Active Directory. These accounts are high-value targets because:
- They often have elevated privileges to run critical services.
- They frequently have weak or never-expiring passwords due to operational constraints.
- Password changes can cause service outages, making administrators reluctant to rotate them. Any authenticated domain user can request a TGS ticket for any SPN, making this a low-barrier attack.
Encryption Type Weakness
The crackability of a Kerberoasted ticket depends heavily on the encryption type used. The weakest is RC4-HMAC, which derives the encryption key directly from the account's NTLM hash, making it trivially crackable. Stronger types like AES-256-CTS-HMAC-SHA1-96 use PBKDF2 with salt, significantly increasing cracking difficulty. Attackers can often request a ticket specifying a weaker encryption type if the domain controller does not enforce AES, downgrading the security. Defenders must enforce AES encryption for all service accounts.
Detection and Mitigation
Detecting Kerberoasting requires monitoring for Kerberos TGS-REQ events (Event ID 4769) with specific characteristics:
- Requests using RC4 encryption (Ticket Encryption Type 0x17).
- A high volume of TGS requests from a single user account in a short period.
- Requests for service accounts with noisy or abnormal access patterns. Mitigation involves enforcing AES-only encryption, implementing Managed Service Accounts (MSAs) with automatic password rotation, and using Group Managed Service Accounts (gMSAs) for clustered services to eliminate static passwords entirely.
Tooling and Exploitation
Common tools used for Kerberoasting include:
- Impacket's GetUserSPNs.py: Requests TGS tickets for all user accounts with SPNs from a domain controller.
- Rubeus: A C# toolset that can perform Kerberoasting directly from a compromised Windows host, including advanced features like
kerberoastwith hashcat formatting. - PowerShell: Using
Invoke-Kerberoastfrom the Empire framework. Extracted hashes are saved in formats compatible with Hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) for cracking.
Golden Ticket vs. Kerberoasting
Kerberoasting is distinct from a Golden Ticket attack. A Golden Ticket forges a Ticket Granting Ticket (TGT) by compromising the KRBTGT account hash, granting domain-wide persistence. Kerberoasting is a stealthier, lower-privilege attack that extracts crackable material from legitimate TGS tickets. While a Golden Ticket requires domain admin-level access to the KRBTGT hash, Kerberoasting only requires authenticated domain user access, making it a common initial lateral movement technique after gaining a foothold.
Kerberoasting vs. Other Kerberos Attacks
Differential analysis of Kerberoasting against related Kerberos protocol exploitation techniques, highlighting the distinct prerequisites, execution methods, and defensive mitigations for each attack class.
| Feature | Kerberoasting | Pass-the-Hash (PtH) | Pass-the-Ticket (PtT) |
|---|---|---|---|
Target Credential Type | Service account plaintext password | NTLM hash of user account | Kerberos TGT or TGS ticket |
Requires Domain Admin Privileges | |||
Requires Valid Domain User Context | |||
Attack Execution Mode | Offline brute-force cracking | Credential replay for lateral movement | Ticket reuse for lateral movement |
Leverages Service Principal Name (SPN) | |||
Extracted Artifact | Encrypted TGS ticket (TGS-REP) | NTLM hash from LSASS or SAM | Kerberos ticket from LSASS memory |
Primary Mitigation | Strong service account passwords (>25 chars) and Managed Service Accounts | Credential Guard and LSA Protection | Protected Users group and frequent ticket renewal |
Network Traffic Required for Initial Extraction |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about Kerberoasting attacks, detection methods, and mitigation strategies for identity and access management architects.
Kerberoasting is a post-exploitation attack technique that targets Kerberos service accounts in Active Directory environments to extract plaintext passwords through offline brute-force cracking. The attack exploits the fundamental design of the Kerberos authentication protocol: any authenticated domain user can request a Ticket Granting Service (TGS) ticket for any service principal name (SPN) in the domain. The TGS ticket is encrypted with the service account's NTLM hash, which is derived from its password. An attacker with standard domain user privileges requests these encrypted tickets, extracts them from memory using tools like Mimikatz or Rubeus, and then performs offline dictionary or brute-force attacks against the captured ticket hashes. Because service accounts often have weak, static, or never-expiring passwords, cracking success rates are high. Once cracked, the attacker gains the service account's credentials, which frequently hold elevated privileges, enabling lateral movement and domain escalation.
Related Terms
Kerberoasting exploits the Kerberos protocol's service ticket mechanism. Understanding the broader attack surface and defensive controls is essential for identity and access management architects.
Pass-the-Hash (PtH)
A lateral movement technique where an attacker captures a hashed user credential and reuses it to authenticate to a remote server or service without needing the plaintext password. Unlike Kerberoasting, which targets service accounts through offline cracking, PtH exploits the NTLM authentication protocol directly.
- Mechanism: Extracts NTLM hashes from LSASS memory or SAM database
- Key Difference: No cracking required; the hash itself is the credential
- Mitigation: Credential Guard, LSA Protection, privileged access workstations
Token Impersonation
A Windows privilege escalation technique where an attacker leverages the SeImpersonatePrivilege to assume the security context of a different logged-on user, often escalating to SYSTEM. This is a post-exploitation step that can follow a successful Kerberoasting attack.
- Common Vectors: Potato family exploits (Juicy, Rotten, SweetPotato)
- Privilege Required: SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
- Result: Full SYSTEM-level access on the compromised host
Credential Guard
A Windows virtualization-based security (VBS) feature that isolates user credentials in a protected virtualized environment. This directly mitigates Kerberoasting's prerequisite step of extracting service tickets from memory.
- Protection: Isolates secrets in VBS enclave inaccessible to OS kernel
- Impact on Kerberoasting: Prevents ticket extraction from LSASS
- Requirement: Hardware virtualization support (Intel VT-x, AMD-V)
Confused Deputy Problem
A privilege escalation vulnerability where a program with higher authority is tricked into misusing its authority on behalf of an attacker. Kerberoasting exploits a form of this: the KDC acts as a confused deputy by issuing encrypted service tickets to any authenticated user.
- Classic Example: Cross-site request forgery (CSRF)
- Kerberos Context: Any domain user can request a TGS for any service
- Defense: Service account hardening, managed service accounts (MSAs)
Group Managed Service Accounts (gMSA)
A Windows managed service account type that provides automatic password management and simplified service principal name (SPN) administration. gMSAs are a primary defense against Kerberoasting because they eliminate weak, human-chosen service account passwords.
- Password Complexity: 240-character random passwords, auto-rotated
- Kerberoasting Resistance: Brute-force cracking becomes computationally infeasible
- Deployment: Requires Windows Server 2012+ domain functional level

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us