Intermediate | T1558.003

Kerberoasting Deep Dive

Any domain user can request a service ticket encrypted with a service account's password hash -- then crack it offline with no lockout, no alerts, and no time limit.

In Kerberos authentication, when you want to access a service (like a SQL server), the domain controller gives you a "service ticket" that is encrypted with a key derived from the service account's password. Normally, only the service can decrypt this ticket to verify your identity. But here is the catch: any domain user can request a service ticket for any service. The attacker requests tickets for services running under user accounts, saves them, and then uses password-cracking tools (like Hashcat or John the Ripper) to try to guess the password that was used to encrypt the ticket. If the service account uses a weak password like "Winter2024!", the attacker can crack it in seconds. Once cracked, the attacker has the service account's password -- and service accounts often have elevated privileges.

Imagine you can walk into a government office and ask for any classified document, but it is handed to you inside a locked briefcase. The office does not care who you are -- anyone can request a briefcase. The lock combination is the service account's password. If the password is weak (like a 4-digit code), you can take the briefcase home and try combinations at your leisure with no alarm, no lockout, and no time limit. That is Kerberoasting: the "briefcase" is a Kerberos service ticket (TGS), the "lock" is the service account's password hash used for encryption, and the "cracking" happens entirely offline.

Key Takeaways

  1. Any domain user can request TGS tickets for any SPN -- no special privileges required.
  2. Offline cracking has no lockout, no alerts, and no time limit.
  3. RC4-encrypted tickets crack orders of magnitude faster than AES-encrypted ones.
  4. Group Managed Service Accounts (gMSAs) with auto-rotated 240-char passwords are the best defense.
  5. Detection relies on Event ID 4769 with RC4 encryption type from non-service accounts.
Why Should I Care?

Kerberoasting is one of the most exploited AD attack techniques because it requires only a regular domain account and targets service accounts that often have Domain Admin-equivalent privileges.

Defense Recommendations

Eliminate weak service account passwords and enforce AES-only Kerberos encryption.

  1. Migrate all service accounts to Group Managed Service Accounts (gMSAs) where possible.
  2. For remaining user-based service accounts, set passwords to 25+ random characters.
  3. Remove RC4 support from service accounts (set msDS-SupportedEncryptionTypes to 24 for AES only).
  4. Monitor Event ID 4769 for RC4 TGS requests to accounts that support AES.
  5. Deploy honeypot SPNs that alert on any TGS request -- a Kerberoasting canary.
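As an added example (not code from the original page), the following Python script applies the detection rules from items 4 and 5 to a handful of Event ID 4769 records. The key=value export format, the account names, the msDS-SupportedEncryptionTypes inventory and the log lines are all constructed assumptions for illustration.

```python
"""Triage constructed Event ID 4769 records for Kerberoasting indicators.
Added example, not code from the original page. Rule 1: RC4 (0x17) TGS request
for a service account whose msDS-SupportedEncryptionTypes permits AES.
Rule 2: any TGS request for a honeypot (canary) SPN account."""

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC
AES_FLAGS = 24      # AES128-CTS (8) | AES256-CTS (16) in msDS-SupportedEncryptionTypes

# Constructed inventory: service account -> msDS-SupportedEncryptionTypes value
SERVICE_ACCOUNTS = {
    "svc_sql": 24,     # AES only; an RC4 ticket for it means a downgrade was requested
    "svc_legacy": 4,   # RC4 only; RC4 tickets are expected until it is migrated
    "svc_canary": 24,  # honeypot SPN owner; nothing legitimate should request it
}
HONEYPOT_ACCOUNTS = {"svc_canary"}


def parse_event(line: str) -> dict:
    """Parse one 'key=value key=value' line (a constructed 4769 export format)."""
    return dict(field.split("=", 1) for field in line.split())


def triage(lines) -> list:
    """Return (requester, service, reason) alerts for the given log lines."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue
        requester = ev["TargetUserName"].split("@")[0]  # drop the realm suffix
        service = ev["ServiceName"]
        # Machine accounts and the krbtgt service produce normal TGS noise.
        if requester.endswith("$") or service.endswith("$") or service == "krbtgt":
            continue
        if service in HONEYPOT_ACCOUNTS:
            alerts.append((requester, service, "honeypot SPN requested"))
        elif (ev.get("TicketEncryptionType") == RC4_HMAC
              and SERVICE_ACCOUNTS.get(service, 0) & AES_FLAGS):
            alerts.append((requester, service, "RC4 ticket for AES-capable account"))
    return alerts


SAMPLE_LOG = [  # constructed sample records
    "EventID=4769 TargetUserName=jdoe@CORP ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=jdoe@CORP ServiceName=svc_canary TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=jdoe@CORP ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=WS01$@CORP ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.7",
    "EventID=4768 TargetUserName=jdoe@CORP ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.5",
]

if __name__ == "__main__":
    for requester, service, reason in triage(SAMPLE_LOG):
        print(f"ALERT {reason}: {requester} -> {service}")
```

Only the RC4 request against the AES-capable svc_sql and the request for the canary account are raised; the RC4-only legacy account, the machine account and the non-4769 record are ignored.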

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.