
Kerberoasting

Kerberoasting is an attack technique in Active Directory environments that exploits Kerberos service tickets. An attacker requests tickets for service accounts (accounts that carry a Service Principal Name, SPN) and then cracks them offline to obtain the accounts' plaintext passwords.

What is Kerberoasting?

Kerberoasting Definition

Kerberoasting is an attack on the Kerberos authentication protocol in Active Directory. An attacker with any domain account can request service tickets (TGS) for accounts with Service Principal Names (SPN). Part of each ticket is encrypted with a key derived from the service account's password, so an attacker can attempt to recover that password by cracking the ticket offline.

How Kerberoasting Works

  1. Domain access: Attacker has any domain user account
  2. SPN enumeration: Finding accounts with SPNs
  3. TGS request: Requesting tickets for those services
  4. Extraction: Exporting tickets in crackable format
  5. Offline cracking: Hashcat/John the Ripper
  6. Access: Using cracked password

Why Is Kerberoasting Effective?

  • No privileges required: Any domain user can request TGS
  • Offline cracking: No lockouts, no logs during cracking
  • Weak passwords: Service accounts often have weak passwords
  • No password changes: Service accounts rarely change passwords
  • High privileges: Service accounts often have elevated rights

Kerberoasting Tools

  • Rubeus: kerberoast
  • Impacket: GetUserSPNs.py
  • PowerView: Invoke-Kerberoast
  • Hashcat: Mode 13100 (Kerberos 5 TGS-REP)

Kerberoasting Detection

Indicators:

  • Requests for many TGS tickets from one account
  • TGS requests for unusual services
  • RC4 encryption type (0x17) in ticket requests: the legacy default, and RC4-encrypted tickets are far cheaper to crack than AES ones
  • Event ID 4769 (a Kerberos service ticket was requested) with unusual patterns

Detection:

  • SIEM rules for anomalous TGS requests
  • Honeypot SPNs (never legitimately requested)
  • Encryption type monitoring
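The three indicators above (a burst of TGS requests from one account, RC4 ticket encryption, and a request for a honeypot SPN) can be checked directly against Event ID 4769 data. The following is an added example, not code from the original page: it runs over a constructed, flattened set of 4769 records (field names mirror the event's Account Name, Service Name, Ticket Encryption Type and Client Address; the values, the decoy account name and the thresholds are assumptions for the example) and returns one finding per rule hit.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4769 records, one key=value
# line each. These are not real log output; all values are invented.
SAMPLE_4769 = """\
time=2024-05-01T09:00:01 account=alice@CORP.LOCAL service=fileserver$ etype=0x12 client=10.0.0.5
time=2024-05-01T09:00:03 account=alice@CORP.LOCAL service=svc_sql etype=0x12 client=10.0.0.5
time=2024-05-01T09:15:10 account=bob@CORP.LOCAL service=svc_sql etype=0x17 client=10.0.0.77
time=2024-05-01T09:15:11 account=bob@CORP.LOCAL service=svc_backup etype=0x17 client=10.0.0.77
time=2024-05-01T09:15:11 account=bob@CORP.LOCAL service=svc_iis etype=0x17 client=10.0.0.77
time=2024-05-01T09:15:12 account=bob@CORP.LOCAL service=svc_sap etype=0x17 client=10.0.0.77
time=2024-05-01T09:15:12 account=bob@CORP.LOCAL service=svc_honey_sql etype=0x17 client=10.0.0.77
time=2024-05-01T09:15:13 account=bob@CORP.LOCAL service=krbtgt etype=0x12 client=10.0.0.77
"""

HONEYPOT_SERVICES = {"svc_honey_sql"}   # hypothetical decoy SPN account, never used legitimately
BURST_THRESHOLD = 4                      # distinct roastable services from one account ...
BURST_WINDOW = timedelta(minutes=5)      # ... within this window (tuning values are assumptions)
RC4_ETYPE = 0x17                         # Ticket Encryption Type for RC4-HMAC; AES is 0x11 / 0x12


@dataclass
class TgsRequest:
    time: datetime
    account: str
    service: str
    etype: int
    client: str


_LINE = re.compile(r"time=(\S+) account=(\S+) service=(\S+) etype=(\S+) client=(\S+)")


def parse_4769(text):
    """Parse the flattened 4769 lines into TgsRequest records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        t, account, service, etype, client = m.groups()
        events.append(TgsRequest(datetime.fromisoformat(t), account, service, int(etype, 16), client))
    return events


def is_roastable_service(service):
    # Computer accounts ($) have long random passwords and krbtgt is not a
    # realistic offline-cracking target; the technique goes after user
    # accounts that carry an SPN, so only those are scored.
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect(events):
    """Return (rule, account, detail) tuples for every indicator that fires."""
    findings = []
    per_account = defaultdict(list)
    for e in events:
        if not is_roastable_service(e.service):
            continue
        if e.service in HONEYPOT_SERVICES:
            findings.append(("honeypot_spn", e.account, e.service))
        if e.etype == RC4_ETYPE:
            findings.append(("rc4_tgs", e.account, e.service))
        per_account[e.account].append(e)

    # Burst rule: count distinct services requested by one account inside a sliding window.
    for account, reqs in per_account.items():
        reqs.sort(key=lambda r: r.time)
        for i, first in enumerate(reqs):
            window = [r for r in reqs[i:] if r.time - first.time <= BURST_WINDOW]
            distinct = {r.service for r in window}
            if len(distinct) >= BURST_THRESHOLD:
                findings.append(("tgs_burst", account, len(distinct)))
                break
    return findings


if __name__ == "__main__":
    for finding in detect(parse_4769(SAMPLE_4769)):
        print(finding)
```

In the sample, alice's two requests (one to a computer account, one AES-encrypted) produce nothing, while bob's rapid RC4 requests for five different user service accounts trigger the RC4 rule on each, the honeypot rule once and the burst rule once. In a real deployment the thresholds belong in the SIEM, and the honeypot rule alone is usually high-confidence because nothing legitimate should ever request that SPN.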

Kerberoasting Mitigation

Password policy:

  • Long, complex passwords (25+ characters)
  • Regular rotation
  • Group Managed Service Accounts (gMSA), whose long random passwords are generated and rotated by AD automatically

Architecture:

  • AES-only Kerberos encryption for service accounts (far slower to crack than RC4)
  • Minimizing SPNs
  • Least privilege for service accounts
  • Removing unnecessary SPNs

Monitoring:

  • TGS request auditing
  • Honeypot accounts
  • Unusual access patterns
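The mitigation lists above translate into a simple audit of every SPN-bearing account: is it a gMSA, does it still allow RC4 or DES, does it support AES at all, how old is its password, and is it a member of a privileged group. The following is an added example, not code from the original page; it works on a constructed inventory whose attribute names follow the AD schema (sAMAccountName, servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet, memberOf) but whose values, group list and one-year age limit are assumptions for the example. In a real environment the records would come from an LDAP query rather than the inline list.

```python
from datetime import datetime, timedelta

# Bit flags of the msDS-SupportedEncryptionTypes attribute. A value of 0 (or an
# absent attribute) is the legacy default and is treated here as RC4-capable.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x01, 0x02, 0x04, 0x08, 0x10
AES_ONLY = AES128_CTS | AES256_CTS        # 0x18 = 24, the usual hardened value
LEGACY_ETYPES = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumption
MAX_PASSWORD_AGE = timedelta(days=365)                                         # assumption
REFERENCE_NOW = datetime(2024, 5, 1)       # fixed "today" so the example is deterministic

# Constructed inventory of accounts carrying an SPN; every value is invented.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": datetime(2017, 3, 2), "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/intranet.corp.local"],
     "msDS-SupportedEncryptionTypes": AES_ONLY,
     "pwdLastSet": datetime(2024, 2, 1), "memberOf": []},
    {"sAMAccountName": "gmsa_backup$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HOST/backup01.corp.local"],
     "msDS-SupportedEncryptionTypes": AES_ONLY,
     "pwdLastSet": datetime(2024, 4, 20), "memberOf": ["Backup Operators"]},
    {"sAMAccountName": "svc_legacy", "objectClass": "user",
     "servicePrincipalName": ["CIFS/old.corp.local"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES256_CTS,
     "pwdLastSet": datetime(2020, 6, 30), "memberOf": []},
]


def audit_account(acct, now):
    """Return the Kerberoasting-relevant weaknesses of one SPN-bearing account."""
    issues = []
    if acct["objectClass"] == "msDS-GroupManagedServiceAccount":
        return issues   # password is long, random and rotated by AD: not a cracking target
    etypes = acct.get("msDS-SupportedEncryptionTypes", 0)
    if etypes == 0 or etypes & LEGACY_ETYPES:
        issues.append("rc4_or_des_allowed")      # tickets can be issued with a fast-to-crack etype
    if not etypes & AES_ONLY:
        issues.append("no_aes")                  # AES must be enabled before RC4 can be removed
    if now - acct["pwdLastSet"] > MAX_PASSWORD_AGE:
        issues.append("stale_password")          # rotation policy not applied to this account
    if set(acct["memberOf"]) & PRIVILEGED_GROUPS:
        issues.append("privileged_spn_account")  # cracking it yields elevated rights: least privilege
    return issues


def audit(accounts, now=REFERENCE_NOW):
    """Map each account that has at least one SPN to its list of issues."""
    return {a["sAMAccountName"]: audit_account(a, now)
            for a in accounts if a["servicePrincipalName"]}


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

The output ranks remediation naturally: svc_sql (RC4 default, no AES, seven-year-old password, Domain Admins member) is the account to convert to a gMSA or at least re-key and de-privilege first, svc_legacy only needs RC4 removed and a rotation, and the gMSA and the AES-only account with a recent password need nothing.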

Kerberoasting vs AS-REP Roasting

Aspect      | Kerberoasting     | AS-REP Roasting
Target      | Accounts with SPN | Accounts without preauth
Ticket      | TGS               | AS-REP
Requirement | Any domain user   | Account discovery
Commonality | More common       | Requires misconfiguration

Kerberoasting is one of the most popular post-exploitation techniques in AD environments, requiring both detection and preventive measures.
