Inferensys

Glossary

Kerberoasting

An attack targeting Kerberos service accounts where an attacker requests encrypted tickets and performs offline brute-force cracking to extract plaintext passwords.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
ACTIVE DIRECTORY ATTACK

What is Kerberoasting?

Kerberoasting is an attack technique that exploits the Kerberos authentication protocol to extract password hashes for Active Directory service accounts, enabling offline brute-force cracking.

Kerberoasting is a post-exploitation attack where an authenticated domain user requests Ticket Granting Service (TGS) tickets for service principal names (SPNs) and extracts the encrypted portions for offline cracking. The attacker leverages the fact that any domain user can request a TGS for any service account, and the ticket is encrypted with the service account's NTLM hash.

Once the TGS ticket is captured, the attacker performs an offline brute-force attack against the encrypted material to recover the plaintext password. Service accounts often have elevated privileges and weak, rarely rotated passwords, making Kerberoasting a high-impact lateral movement vector in Active Directory environments.

ATTACK VECTOR ANALYSIS

Key Characteristics of Kerberoasting

Kerberoasting exploits the Kerberos authentication protocol to extract crackable password hashes for service accounts, enabling lateral movement and privilege escalation.

01

Offline Brute-Force Cracking

The core advantage of Kerberoasting is that the attack shifts password cracking offline. The attacker requests a Ticket Granting Service (TGS) ticket for a target Service Principal Name (SPN). The encrypted portion of this ticket is encrypted with the service account's NTLM hash. Once extracted from memory, the attacker can attempt to crack this hash using tools like Hashcat or John the Ripper without generating network traffic or triggering account lockout policies. This makes detection significantly harder compared to online brute-force attacks.

< 1 sec
RC4 Ticket Extraction
02

Service Account Targeting

Kerberoasting specifically targets service accounts registered with a Service Principal Name (SPN) in Active Directory. These accounts are high-value targets because:

  • They often have elevated privileges to run critical services.
  • They frequently have weak or never-expiring passwords due to operational constraints.
  • Password changes can cause service outages, making administrators reluctant to rotate them. Any authenticated domain user can request a TGS ticket for any SPN, making this a low-barrier attack.
Any Domain User
Required Privilege Level
03

Encryption Type Weakness

The crackability of a Kerberoasted ticket depends heavily on the encryption type used. The weakest is RC4-HMAC, which derives the encryption key directly from the account's NTLM hash, making it trivially crackable. Stronger types like AES-256-CTS-HMAC-SHA1-96 use PBKDF2 with salt, significantly increasing cracking difficulty. Attackers can often request a ticket specifying a weaker encryption type if the domain controller does not enforce AES, downgrading the security. Defenders must enforce AES encryption for all service accounts.

RC4
Weakest Encryption Type
AES-256
Strongest Encryption Type
04

Detection and Mitigation

Detecting Kerberoasting requires monitoring for Kerberos TGS-REQ events (Event ID 4769) with specific characteristics:

  • Requests using RC4 encryption (Ticket Encryption Type 0x17).
  • A high volume of TGS requests from a single user account in a short period.
  • Requests for service accounts with noisy or abnormal access patterns. Mitigation involves enforcing AES-only encryption, implementing Managed Service Accounts (MSAs) with automatic password rotation, and using Group Managed Service Accounts (gMSAs) for clustered services to eliminate static passwords entirely.
Event ID 4769
Primary Detection Event
05

Tooling and Exploitation

Common tools used for Kerberoasting include:

  • Impacket's GetUserSPNs.py: Requests TGS tickets for all user accounts with SPNs from a domain controller.
  • Rubeus: A C# toolset that can perform Kerberoasting directly from a compromised Windows host, including advanced features like kerberoast with hashcat formatting.
  • PowerShell: Using Invoke-Kerberoast from the Empire framework. Extracted hashes are saved in formats compatible with Hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) for cracking.
Hashcat 13100
Cracking Mode
06

Golden Ticket vs. Kerberoasting

Kerberoasting is distinct from a Golden Ticket attack. A Golden Ticket forges a Ticket Granting Ticket (TGT) by compromising the KRBTGT account hash, granting domain-wide persistence. Kerberoasting is a stealthier, lower-privilege attack that extracts crackable material from legitimate TGS tickets. While a Golden Ticket requires domain admin-level access to the KRBTGT hash, Kerberoasting only requires authenticated domain user access, making it a common initial lateral movement technique after gaining a foothold.

KRBTGT
Golden Ticket Target
Service SPN
Kerberoasting Target
ATTACK VECTOR COMPARISON

Kerberoasting vs. Other Kerberos Attacks

Differential analysis of Kerberoasting against related Kerberos protocol exploitation techniques, highlighting the distinct prerequisites, execution methods, and defensive mitigations for each attack class.

FeatureKerberoastingPass-the-Hash (PtH)Pass-the-Ticket (PtT)

Target Credential Type

Service account plaintext password

NTLM hash of user account

Kerberos TGT or TGS ticket

Requires Domain Admin Privileges

Requires Valid Domain User Context

Attack Execution Mode

Offline brute-force cracking

Credential replay for lateral movement

Ticket reuse for lateral movement

Leverages Service Principal Name (SPN)

Extracted Artifact

Encrypted TGS ticket (TGS-REP)

NTLM hash from LSASS or SAM

Kerberos ticket from LSASS memory

Primary Mitigation

Strong service account passwords (>25 chars) and Managed Service Accounts

Credential Guard and LSA Protection

Protected Users group and frequent ticket renewal

Network Traffic Required for Initial Extraction

KERBEROASTING EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about Kerberoasting attacks, detection methods, and mitigation strategies for identity and access management architects.

Kerberoasting is a post-exploitation attack technique that targets Kerberos service accounts in Active Directory environments to extract plaintext passwords through offline brute-force cracking. The attack exploits the fundamental design of the Kerberos authentication protocol: any authenticated domain user can request a Ticket Granting Service (TGS) ticket for any service principal name (SPN) in the domain. The TGS ticket is encrypted with the service account's NTLM hash, which is derived from its password. An attacker with standard domain user privileges requests these encrypted tickets, extracts them from memory using tools like Mimikatz or Rubeus, and then performs offline dictionary or brute-force attacks against the captured ticket hashes. Because service accounts often have weak, static, or never-expiring passwords, cracking success rates are high. Once cracked, the attacker gains the service account's credentials, which frequently hold elevated privileges, enabling lateral movement and domain escalation.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.