Kerberoasting
Kerberoasting is a post-authentication cyberattack that targets the Kerberos authentication protocol in Windows networks (especially Active Directory). Attackers request service tickets for service accounts, extract the encrypted hash, and then crack it offline to obtain the account's password. With that password, they can escalate privileges and pivot deeper into a network.
Why Kerberoasting Works:
Kerberos is the default authentication mechanism for Active Directory.
Any authenticated domain user can request a Ticket Granting Service (TGS) ticket for any service that has a Service Principal Name (SPN).
The KDC issues a TGS ticket encrypted with the service account's password hash.
The attacker doesn't need privileged rights, just a regular domain user.
How Kerberoasting Works, Step by Step:
Gain initial access - An attacker gets access to a user domain account (phishing, password reuse, malware, etc.).
Enumerate SPNs - The attacker lists all service accounts with SPNs in Active Directory using tools or PowerShell. SPNs are identifiers used by Kerberos so services can verify their identity.
Request service tickets - With the domain user, they request Kerberos TGS tickets for those SPNs. The KDC returns the tickets encrypted with each service account's password hash.
Extract the encrypted ticket - Export the ticket to disk (tools like Mimikatz or Rubeus help here). This ticket now contains the hashed version of the service account password.
Crack it offline - Using Hashcat, John the Ripper, or similar tools, the attacker cracks the hash to discover the plaintext password. This work happens offline, so it doesn't generate domain alerts.
Use the credentials - Once the password is known, they can log in as the service account and escalate privileges (lateral movement, data theft, etc.), often unnoticed.
Here is an example attack:
We have the following data:
Domain Controller - 172.16.5.5
Domain - INLANEFREIGHT.LOCAL
User - forend
Password - Klmcargo2
We are going to use a tool from the Impacket collection:
First, we need to list all the SPNs, and we can add -request to immediately request the hashes:
Now we can crack the hash with Hashcat:
We got the password: database! Let's verify it:
This was an example of an attack from outside; the attack can also be carried out from within, for example using Rubeus.
You can use the cheatsheet if you forget the commands.
OpSec:
Enumeration OpSec:
Avoid broad LDAP filters like servicePrincipalName=*; query specific accounts individually with time delays between requests to evade volume-based alerts.
Manually check for honeypots: filter service accounts by recent creation dates, last logon timestamps, or "password never expires" flags before targeting.
Use living-off-the-land techniques like PowerShell Get-ADUser over custom tools that generate suspicious network patterns.
Ticket Request OpSec:
Prefer AES256 encryption (-aesKey in Impacket or Rubeus equivalents) over RC4 to prevent downgrade detection; RC4 tickets (etype 0x17) are a red flag for EDR.
Space TGS requests temporally (e.g., 1-2 per hour) and mimic legitimate user behavior by requesting from interactive sessions, not automated scripts.
Route traffic through port 88 via proxy processes; avoid default Impacket/Rubeus flags like 0x40800000 which differ from LSASS.exe norms.
Cracking and Post-Exploitation OpSec:
Crack hashes offline quickly with strong wordlists/rules; if using Hashcat, target Kerberos mode 13100 but test small batches first to avoid GPU noise on monitored hosts.
Verify credentials silently (e.g., CrackMapExec or NetExec with --gen-only) before full use; pivot via the service account only after confirming no recent logons.
Clean up: Purge tickets with klist purge and monitor for anomalies like Event ID 1644 (LDAP) or Sysmon process creation during ops.
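The two tells the OpSec notes above try to suppress, RC4 (etype 0x17) service tickets and a burst of TGS requests for many SPNs from one user, are exactly what a defender hunts for. The following detector is an added example, not code from the original page: it runs over constructed Windows Security Event ID 4769 records (the real "Kerberos service ticket was requested" event) with assumed field layout and thresholds.

```python
# Added example: flag Kerberoasting signals in constructed 4769 events.
# Fields per event: (timestamp, requesting user, service name, etype).
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # etype of RC4 tickets, the red flag mentioned above
VOLUME_THRESHOLD = 3     # distinct SPN accounts per user within one window
WINDOW = timedelta(hours=1)

# Constructed sample events (not captured from a real domain)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "forend", "krbtgt", 0x12),
    ("2024-01-10T09:05:10", "forend", "sqldev", 0x17),
    ("2024-01-10T09:05:11", "forend", "backupjob", 0x17),
    ("2024-01-10T09:05:12", "forend", "svc_web", 0x17),
    ("2024-01-10T09:05:13", "forend", "DC01$", 0x17),
    ("2024-01-10T10:30:00", "alice", "svc_web", 0x12),
    ("2024-01-10T12:00:00", "bob", "sqldev", 0x17),
]

def is_user_service_account(service):
    # Machine accounts end with '$' and krbtgt is requested on every logon;
    # neither is a Kerberoasting target, so both are excluded from the signals.
    return not service.endswith("$") and service.lower() != "krbtgt"

def detect_kerberoasting(events):
    """Return (user, reason) findings for two signals:
    1. an RC4 (0x17) TGS for a user-based service account;
    2. one user requesting >= VOLUME_THRESHOLD distinct SPNs inside WINDOW."""
    findings = []
    per_user = defaultdict(list)
    for ts, user, service, etype in events:
        if not is_user_service_account(service):
            continue
        when = datetime.fromisoformat(ts)
        if etype == RC4_HMAC:
            findings.append((user, f"RC4 TGS for {service} at {ts}"))
        per_user[user].append((when, service))
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):   # sliding window from each request
            spns = {s for t, s in reqs[i:] if t - start <= WINDOW}
            if len(spns) >= VOLUME_THRESHOLD:
                findings.append((user, f"{len(spns)} distinct SPNs within {WINDOW}"))
                break
    return findings
```

With the sample data, forend trips both signals (three RC4 tickets plus the volume rule) while alice's single AES request is silent.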
An awesome tool for bypassing Kerberoast detections: Orpheus