
Kerberoasting

Offline Service Account Password Cracking

Any domain user can request Kerberos service tickets and crack them offline to recover service account passwords — no admin rights needed.

Difficulty: Intermediate | Duration: ~6 min | MITRE ATT&CK: T1558.003

Prerequisites:
- Any domain user account
- Network access to a domain controller
- Rubeus.exe or Invoke-Kerberoast
Step 1 of 5: Enumerate Kerberoastable Accounts

Step 1: Find Targets

Query AD for all user accounts with Service Principal Names (SPNs). An SPN ties a service instance (SQL Server, IIS, Exchange, and so on) to the account the service runs as, and the KDC encrypts the service ticket for that SPN with a key derived from that account's password. Computer accounts carry SPNs too, but their passwords are long, random and machine-managed, so the practical targets are user objects with SPNs.

We are looking for "service accounts": user accounts that run software such as databases or web servers. Their passwords are often weak and rarely rotated, because an admin set them once when the service was installed and never revisited them, and any domain user can obtain a ticket encrypted under that password without touching the service itself.

Detection Events
4662 (Directory service access): covers the LDAP read in this step only when "Audit Directory Service Access" is enabled and a SACL on the queried user objects includes the servicePrincipalName attribute; a plain SPN query is not logged by default.
Attack Flow (diagram): Attacker (Domain User) -> Domain Controller / KDC Service, "LDAP: List SPNs". Later steps in the diagram involve the SQL Server service and Hashcat (Offline). Legend: Request, Response, Attack, Data.
Sources

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.