Updated on September 17, 2025
Kerberoasting is an attack technique that abuses a design property of the Kerberos authentication protocol as deployed in Active Directory. It allows an attacker to obtain service tickets that are encrypted under a key derived from a service account's password, and then to recover that password by cracking the tickets offline. The attack targets accounts that have Service Principal Names (SPNs) registered, and it works because the service ticket the KDC issues for an SPN is encrypted with the long-term key of the account that owns the SPN; with the RC4-HMAC encryption type that key is simply the account's NT hash.
Any authenticated user in a domain can request a service ticket for any SPN, and the KDC does not check whether the requester is actually entitled to use that service. This lets an attacker collect tickets and test password guesses against them offline, without contacting the domain controller again and without the account owner noticing. This article defines the Kerberoasting attack, explains its technical workflow, and details its security implications and common mitigation strategies.
Definition and Core Concepts
Kerberoasting is an offline password-cracking attack that targets service account credentials. It is a post-exploitation technique used for privilege escalation and lateral movement within a network. The attack relies on several core components of the Kerberos protocol.
- Service Principal Name (SPN): An SPN is a unique identifier for a service instance, written as service class, host and optional port (for example MSSQLSvc/sql01.corp.example:1433). In Active Directory it is stored in the servicePrincipalName attribute of the user or computer account that runs the service, and the KDC uses it to select that account's key when encrypting service tickets.
- Service Ticket: This is the Kerberos ticket a client obtains from the KDC to authenticate to a specific service. Its encrypted part is protected with the key of the service account that owns the SPN, so only that service can read it; the client merely carries it. It proves the client's identity to the service, but because the client holds the ciphertext, it also gives the client something to test password guesses against.
- Service Account: This is a dedicated user account in Active Directory used to run a service or application, such as a SQL Server instance or a web application. Service accounts are often configured with long-term, non-expiring, human-chosen passwords and are frequently over-privileged, which makes them a high-value target.
- Key Distribution Center (KDC): The KDC is the central authority in a Kerberos environment, responsible for issuing ticket-granting tickets to users and service tickets for services. In an Active Directory domain the KDC runs on every domain controller.
How It Works
The Kerberoasting attack workflow follows a clear, multi-step process. An attacker with any authenticated user session, even one with minimal privileges, can execute this attack. The process is as follows.
Enumeration of SPNs
First, the attacker queries Active Directory for user accounts that have a value in the servicePrincipalName attribute. Any LDAP client will do; in PowerShell, Get-ADUser with an LDAP filter such as (&(objectCategory=person)(servicePrincipalName=*)) returns them, and setspn -Q */* lists every registered SPN in the domain. Computer accounts and managed service accounts (the objects Get-ADServiceAccount returns) also carry SPNs, but their passwords are long, random and rotated automatically, so the attacker looks specifically for ordinary user accounts, the ones likely to have a human-chosen password, and notes which of them allow RC4 encryption or hold privileged group memberships.
Request for Service Tickets
Next, the attacker, acting as the compromised legitimate user, sends a Kerberos Ticket-Granting Service Request (TGS-REQ) to the KDC, presenting the user's TGT and asking for a service ticket for one of the SPNs discovered during enumeration. This is a standard part of the Kerberos authentication flow, so no special privilege is required. Dedicated tools such as Rubeus or Impacket's GetUserSPNs.py typically ask the KDC for an RC4-HMAC ticket explicitly, because the KDC honours that preference as long as the target account still permits RC4, and RC4 tickets are far cheaper to crack.
Ticket-Granting Service (TGS) Response
The KDC validates the request and issues a service ticket to the attacker. The encrypted part of that ticket is protected with the long-term key of the service account that owns the SPN: for RC4-HMAC (encryption type 23) the key is the account's NT hash, the MD4 of the UTF-16 password; for AES128 and AES256 (types 17 and 18) the key is derived from the password and a salt with PBKDF2. The KDC does not check whether the requester should have access to the service; that decision, if any, is made by the service itself. The attacker now holds ciphertext that only the correct password will decrypt.
Offline Password Cracking
The attacker extracts the encrypted part of the ticket from the local ticket cache (tools such as Rubeus and Invoke-Kerberoast emit it as a $krb5tgs$... hash line) and takes it offline. Using Hashcat (modes 13100, 19600 and 19700 for encryption types 23, 17 and 18) or John the Ripper, they run dictionary, rule-based or brute-force attacks against it. Each guess derives the candidate key, decrypts the ticket and checks its integrity field, so no further contact with the domain is needed, there is no lockout, and nothing is logged. RC4 tickets crack orders of magnitude faster than AES tickets, because a guess costs a single MD4 rather than 4096 PBKDF2 iterations. If the service account's password is a human-chosen word or phrase, it is usually recovered within minutes to hours.
Access and Privilege Escalation
Once the password is cracked, the attacker has the plaintext password for the service account. They can use this credential to authenticate directly to the service, or to any other system where the account is a local administrator or a member of a privileged group, which is common for accounts that were set up by hand to run a database or application server. This can lead to lateral movement across the network and significant privilege escalation, without any exploit against the service itself.
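The workflow above, carried out end to end in PowerShell as an added example (this is not code from the original article). It runs as any authenticated domain user with the RSAT ActiveDirectory module installed; the realm CORP.EXAMPLE, the account and host names, and the file names in the comments are assumptions. The .NET ticket request takes whatever encryption type the KDC negotiates, which is the point of step 3: on a hardened account you will see AES, on a legacy one RC4.

```powershell
# Added example, not code from the original article. Runs as any authenticated
# domain user with the RSAT ActiveDirectory module. Realm CORP.EXAMPLE, account
# and host names, and the file names in comments are assumptions.
Import-Module ActiveDirectory

# 1. Enumeration: user objects whose servicePrincipalName attribute is set.
#    Computer accounts and krbtgt are excluded because their keys are random
#    and not crackable in practice, so they are not Kerberoasting targets.
$targets = Get-ADUser -LDAPFilter '(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, msDS-SupportedEncryptionTypes, PasswordLastSet, AdminCount |
    Select-Object SamAccountName, PasswordLastSet, AdminCount,
        @{ n = 'EncTypes'; e = { $_.'msDS-SupportedEncryptionTypes' } },  # empty/0 = RC4 still negotiable
        @{ n = 'SPNs';     e = { @($_.servicePrincipalName) } }
$targets | Format-Table -AutoSize

# 2. Ticket request: one TGS-REQ per SPN through SSPI. No special rights are
#    needed; the KDC returns a ticket encrypted under the service account's
#    long-term key and SSPI caches it. GetRequest() returns the AP-REQ bytes
#    that carry that ticket. Tools like Rubeus build the TGS-REQ themselves so
#    they can ask for RC4 explicitly; this .NET path takes what is negotiated.
Add-Type -AssemblyName System.IdentityModel
$tickets = foreach ($acct in $targets) {
    foreach ($spn in $acct.SPNs) {
        try {
            $token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn
            [pscustomobject]@{ Account = $acct.SamAccountName; SPN = $spn; ApReqBytes = $token.GetRequest().Length }
        } catch {
            [pscustomobject]@{ Account = $acct.SamAccountName; SPN = $spn; ApReqBytes = -1; Error = $_.Exception.Message }
        }
    }
}
$tickets | Format-Table -AutoSize

# 3. Encryption type of each cached ticket. "RSADSI RC4-HMAC(NT)" means the
#    ticket is keyed directly by the NT hash; "AES-256-CTS-HMAC-SHA1-96" means
#    every password guess must first go through 4096 PBKDF2 iterations.
klist | Select-String -Pattern '^\s*Server:|KerbTicket Encryption Type'

# 4. Offline cracking. Converting a ticket's enc-part into a hash line is done
#    by Rubeus (kerberoast) or Invoke-Kerberoast; the hashcat mode follows the
#    etype recorded in that line:
#      -m 13100   etype 23  $krb5tgs$23$*svc-sql$CORP.EXAMPLE$MSSQLSvc/sql01...*$...
#      -m 19600   etype 17  $krb5tgs$17$svc-sql$CORP.EXAMPLE$...
#      -m 19700   etype 18  $krb5tgs$18$svc-sql$CORP.EXAMPLE$...
#    e.g.  hashcat -m 13100 tgs.txt wordlist.txt -r rules/best64.rule
```

Run it from an ordinary domain workstation. The first table is what a defender should be auditing as well: an empty EncTypes column or a value with bit 0x4 set means the KDC will still issue RC4 tickets for that account, and a PasswordLastSet years in the past with AdminCount = 1 is exactly the target the attack is built for.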
Mitigation and Security Implications
Kerberoasting is a quiet and effective attack. The ticket request is a legitimate step of the Kerberos protocol: the domain controller logs it as event 4769 like every other service-ticket request, and a single request is indistinguishable from normal use, which is why signature-based tooling misses it. The cracking phase then happens entirely offline, so it produces no failed logons and no lockouts. The primary security implications are privilege escalation and lateral movement using a valid credential.
Strong Service Account Passwords
The most direct mitigation is to use long, randomly generated passwords for all service accounts. A random password of 25 characters or more makes offline cracking computationally infeasible, even for RC4 tickets; a 25-character phrase built from dictionary words does not give the same guarantee, because rule-based cracking targets exactly that structure. Store the password in a vault rather than in a script, and set the account to AES-only encryption types so the KDC stops issuing RC4 tickets for it.
Managed Service Accounts
Use group Managed Service Accounts (gMSAs), or standalone Managed Service Accounts (MSAs) where a service runs on a single host. Active Directory generates a gMSA's password as a 240-byte random value, rotates it every 30 days by default, and releases it only to the computers or groups you authorise, so a ticket encrypted under that key is not crackable in practice and nobody ever types the password. This is a much stronger posture than manually managed passwords, which are often weak, shared between services and rarely changed.
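Both mitigations, the strong AES-only password for an account that cannot be migrated yet and the gMSA for one that can, as an added PowerShell example (not code from the original article). Domain Admin rights and the RSAT ActiveDirectory module are assumed, and the account, group and host names are placeholders.

```powershell
# Added example, not code from the original article. Assumes Domain Admin rights
# and the RSAT ActiveDirectory module; svc-sql, gmsa-web, web01.corp.example and
# the WebServers group are placeholder names.
Import-Module ActiveDirectory

# A. Legacy service account that cannot be migrated yet: restrict it to AES so
#    the KDC stops issuing RC4 (etype 23) tickets, then reset it to a long random
#    password so the new AES keys are derived from a value nobody can guess.
function Set-HardenedServicePassword {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Length = 64)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@^_~'
    $limit    = 256 - (256 % $alphabet.Length)   # rejection bound to avoid modulo bias
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $password = -join $chars
    Set-ADUser -Identity $SamAccountName -KerberosEncryptionType 'AES128,AES256'
    Set-ADAccountPassword -Identity $SamAccountName -Reset `
        -NewPassword (ConvertTo-SecureString $password -AsPlainText -Force)
    return $password   # hand this to a vault and the service's stored credential, never to a script
}

# B. Preferred fix: a group Managed Service Account. The KDS root key exists once
#    per forest; the gMSA password is 240 random bytes, rotated every 30 days, and
#    only members of $HostGroup can retrieve it.
function New-HardenedGmsa {
    param(
        [Parameter(Mandatory)][string]$Name,          # e.g. gmsa-web
        [Parameter(Mandatory)][string]$DnsHostName,   # e.g. web01.corp.example
        [Parameter(Mandatory)][string[]]$Spns,        # e.g. HTTP/web01.corp.example
        [Parameter(Mandatory)][string]$HostGroup      # AD group of the computers that run the service
    )
    if (-not (Get-KdsRootKey)) {
        # -EffectiveImmediately is for labs; in production the key still needs
        # about 10 hours to replicate before Install-ADServiceAccount works.
        Add-KdsRootKey -EffectiveImmediately | Out-Null
    }
    New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
        -ServicePrincipalNames $Spns `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -KerberosEncryptionType 'AES128,AES256' `
        -ManagedPasswordIntervalInDays 30
    Get-ADServiceAccount -Identity $Name -Properties servicePrincipalName, msDS-ManagedPasswordInterval
}

# Usage with the placeholder names. An SPN must be unique, so remove it from the
# old user account before the gMSA claims it:
#   Set-ADUser svc-web -ServicePrincipalNames @{ Remove = 'HTTP/web01.corp.example' }
#   New-HardenedGmsa -Name gmsa-web -DnsHostName web01.corp.example `
#       -Spns 'HTTP/web01.corp.example' -HostGroup 'WebServers'
# Then on each host in WebServers:
#   Install-ADServiceAccount -Identity gmsa-web ; Test-ADServiceAccount gmsa-web
# and configure the service to log on as CORP\gmsa-web$ with a blank password.
#   Set-HardenedServicePassword -SamAccountName svc-sql
```

After either change, request a ticket for the SPN and confirm with klist that the cached ticket's encryption type is AES rather than RC4-HMAC; if it is still RC4, the account (or the domain's default encryption policy) still permits it.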
Principle of Least Privilege
Limit the privileges of all service accounts. They should only have the permissions necessary to perform their specific function. Service accounts should not have administrative rights on domain controllers or other critical systems.
Threat Detection
Monitor domain-controller event 4769 (a Kerberos service ticket was requested) for the patterns Kerberoasting leaves behind: one user or source address requesting tickets for many distinct SPN-bearing user accounts within a few minutes, tickets issued with encryption type 0x17 (RC4) for accounts that support AES, and any request at all for a decoy service account whose SPN no legitimate client uses. Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) products can be configured with these rules; the signal is in the DC event logs and, on the endpoint, in a process other than lsass suddenly requesting tickets for services it never contacts.
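The detection logic above, run over 4769 events, as an added PowerShell example (not code from the original article). The thresholds, the decoy account name and the sample events at the bottom are constructed assumptions; Get-Tgs4769 reads real events from a DC's Security log, and Find-KerberoastCandidates scores them.

```powershell
# Added example, not code from the original article. Flags Kerberoasting
# patterns in DC event 4769: many distinct SPN-owning accounts requested by one
# user/source in a short window, RC4 (0x17) tickets, and any request for a
# decoy ("honey") service account. Thresholds, decoy name and the sample
# events are assumptions.

function Get-Tgs4769 {
    # Read 4769 events from the Security log of a DC (or a log forwarder) and
    # flatten the EventData fields the analysis needs.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            [pscustomobject]@{
                TimeCreated          = $_.TimeCreated
                TargetUserName       = $d['TargetUserName']        # account that asked for the ticket
                ServiceName          = $d['ServiceName']           # account that owns the SPN
                TicketEncryptionType = $d['TicketEncryptionType']  # 0x17 RC4, 0x11 AES128, 0x12 AES256
                IpAddress            = $d['IpAddress']
                Status               = $d['Status']                # 0x0 = ticket issued
            }
        }
}

function Find-KerberoastCandidates {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$DistinctServiceThreshold = 5,
        [int]$WindowMinutes = 10,
        [string[]]$HoneyServiceAccounts = @('svc-legacy-backup')  # decoy with an SPN no real client uses
    )
    # Keep issued tickets for user-owned SPNs only; computer accounts ($) and
    # krbtgt have random keys and are noise for this purpose.
    $relevant = @($Events | Where-Object {
        $_.Status -eq '0x0' -and $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt'
    })
    $findings = foreach ($grp in ($relevant | Group-Object TargetUserName, IpAddress)) {
        $sorted   = @($grp.Group | Sort-Object TimeCreated)
        $start    = $sorted[0].TimeCreated
        $inWindow = @($sorted | Where-Object { ($_.TimeCreated - $start).TotalMinutes -le $WindowMinutes })
        $services = @($inWindow | Select-Object -ExpandProperty ServiceName | Sort-Object -Unique)
        $rc4      = @($inWindow | Where-Object TicketEncryptionType -eq '0x17').Count
        $honey    = @($services | Where-Object { $HoneyServiceAccounts -contains $_ })
        $reasons  = @()
        if ($services.Count -ge $DistinctServiceThreshold) { $reasons += "$($services.Count) distinct service accounts in $WindowMinutes min" }
        if ($rc4 -gt 0)         { $reasons += "$rc4 RC4 (0x17) service tickets" }
        if ($honey.Count -gt 0) { $reasons += "honey account requested: $($honey -join ', ')" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Requester = $sorted[0].TargetUserName
                SourceIp  = $sorted[0].IpAddress
                Services  = $services -join ', '
                Reasons   = $reasons -join '; '
            }
        }
    }
    return @($findings)
}

# Constructed sample (assumed values): one user requests five service accounts
# with RC4 in four minutes, one of them the decoy; another user makes a single
# routine AES request and must not be flagged.
$t0 = Get-Date '2025-09-17T09:00:00'
$ip = '::ffff:10.0.5.23'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;               TargetUserName = 'jdoe@CORP.EXAMPLE'; ServiceName = 'svc-sql';           TicketEncryptionType = '0x17'; IpAddress = $ip;               Status = '0x0' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); TargetUserName = 'jdoe@CORP.EXAMPLE'; ServiceName = 'svc-web';           TicketEncryptionType = '0x17'; IpAddress = $ip;               Status = '0x0' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); TargetUserName = 'jdoe@CORP.EXAMPLE'; ServiceName = 'svc-sharepoint';    TicketEncryptionType = '0x17'; IpAddress = $ip;               Status = '0x0' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); TargetUserName = 'jdoe@CORP.EXAMPLE'; ServiceName = 'svc-legacy-backup'; TicketEncryptionType = '0x17'; IpAddress = $ip;               Status = '0x0' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(4); TargetUserName = 'jdoe@CORP.EXAMPLE'; ServiceName = 'svc-reporting';     TicketEncryptionType = '0x17'; IpAddress = $ip;               Status = '0x0' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); TargetUserName = 'jdoe@CORP.EXAMPLE'; ServiceName = 'WEB01$';            TicketEncryptionType = '0x12'; IpAddress = $ip;               Status = '0x0' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); TargetUserName = 'asmith@CORP.EXAMPLE'; ServiceName = 'svc-sql';         TicketEncryptionType = '0x12'; IpAddress = '::ffff:10.0.7.8'; Status = '0x0' }
)
Find-KerberoastCandidates -Events $sample | Format-List
# Live: Find-KerberoastCandidates -Events (Get-Tgs4769 -Since (Get-Date).AddHours(-24)) | Format-List
```

On the sample, only jdoe from 10.0.5.23 is reported, with all three reasons; asmith's lone AES request is not. The honey-account rule is the cheapest and least noisy of the three: create a user account with a plausible SPN that nothing uses, and treat any 4769 naming it as an incident. The RC4 rule only works once the accounts that should use AES actually do, otherwise it fires on normal traffic.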
Reduce SPN Exposure
Audit Active Directory to identify unnecessary, stale or duplicate SPNs (setspn -X lists duplicates) and remove them. Register SPNs only for services that actually use Kerberos, and prefer to register them on computer accounts or gMSAs rather than on ordinary user accounts, since tickets for user accounts are the only ones worth cracking. Minimizing the number of user-owned SPNs reduces the attack surface available to an attacker.