Kerberoasting

What is Kerberoasting?

Kerberoasting is an Active Directory attack in which an adversary requests Kerberos service tickets for accounts that carry a Service Principal Name (SPN) and cracks those tickets offline to recover the service account's password, usually as a step toward privilege escalation.

Any authenticated domain user can request a TGS (Ticket Granting Service) ticket for any SPN; the domain controller issues it without checking whether the requester is entitled to use that service, because authorization happens at the service, not at the KDC. The ticket's encrypted part is protected with a key derived from the service account's password (for RC4-HMAC that key is the NT hash itself), so a captured ticket can be attacked by brute force entirely offline. No guesses are ever sent to the domain, so there are no failed logons and no lockouts to notice.

How does Kerberoasting work?

An attacker with any valid domain account enumerates AD for user accounts that have an SPN (an LDAP query such as (&(objectCategory=person)(servicePrincipalName=*))), requests a TGS ticket for each one with ordinary Kerberos TGS-REQ messages, and saves the encrypted part of every ticket in a cracker-friendly form (the $krb5tgs$ hash line that Rubeus and GetUserSPNs.py print). Offline, Hashcat or John the Ripper derives a candidate key from each wordlist entry, decrypts the ticket with it and checks the ticket's integrity checksum; a match reveals the service account's plaintext password. Computer accounts also carry SPNs but are skipped, because their passwords are long, random and rotated automatically.

Why is Kerberoasting effective?

Kerberoasting is effective because it needs nothing more than a low-privileged domain account; the TGS-REQ and TGS-REP messages are indistinguishable from normal service access, so the requests blend into routine traffic; all password guessing happens offline, so account lockout and failed-logon alerts never fire; service account passwords are frequently weak, set by hand years ago and never rotated because rotation would break the application; and service accounts are often over-privileged, sometimes sitting in Domain Admins, which turns one cracked password into full domain compromise. RC4-HMAC makes the cracking step especially cheap: its key is the unsalted NT hash, a single MD4 over the password, whereas the AES key types require a salted PBKDF2 derivation with 4,096 iterations for every guess.

How do you detect Kerberoasting?

Detection starts with Event ID 4769 (A Kerberos service ticket was requested) on the domain controllers, which requires the "Audit Kerberos Service Ticket Operations" subcategory to be enabled. Useful signals are a single account requesting tickets for many distinct SPNs within a few minutes (a normal user touches a handful of services per day, an enumeration tool touches all of them at once); tickets with TicketEncryptionType 0x17 (RC4-HMAC) for accounts that support AES, since most tools request RC4 deliberately because it cracks far faster; any request for a honeypot account that carries an SPN but is never used by a real service; and correlation with known tool behaviour such as the default encryption types and burst timing of Rubeus or GetUserSPNs.py. Filter out computer accounts (names ending in $) and krbtgt, which generate most 4769 volume, and keep in mind that an attacker who requests AES tickets, which current tools can do, defeats the RC4 rule on its own, so the SPN-sweep and honeypot rules carry the most weight.
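As an added example of the three detection rules above (not a detection from the original page or from any SIEM vendor), the following Python runs them over a constructed batch of Event ID 4769 records. The records, the requester names, the IP addresses, the honeypot account svc_backup_legacy and the five-services-per-five-minutes threshold are all made up for the demonstration; the field names follow the 4769 event XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables: a decoy account that carries an SPN nobody legitimately uses, and the
# sweep threshold (distinct roastable services one requester may touch per window).
HONEYPOT_SERVICES = {"svc_backup_legacy"}
SWEEP_THRESHOLD = 5
WINDOW = timedelta(minutes=5)
RC4_ETYPES = {"0x17", "0x18"}  # rc4-hmac and rc4-hmac-exp; 0x11/0x12 are AES128/AES256

# Constructed 4769 records, reduced to the fields the rules need:
# (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType, IpAddress)
EVENTS = [
    ("2024-05-01T09:00:01", "jsmith@CORP.LOCAL", "CORP-FS01$", "0x12", "10.0.0.21"),
    ("2024-05-01T09:00:09", "jsmith@CORP.LOCAL", "krbtgt", "0x12", "10.0.0.21"),
    ("2024-05-01T09:14:02", "bob@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.55"),
    ("2024-05-01T09:14:02", "bob@CORP.LOCAL", "svc_web", "0x17", "10.0.0.55"),
    ("2024-05-01T09:14:03", "bob@CORP.LOCAL", "svc_exchange", "0x17", "10.0.0.55"),
    ("2024-05-01T09:14:03", "bob@CORP.LOCAL", "svc_backup_legacy", "0x17", "10.0.0.55"),
    ("2024-05-01T09:14:04", "bob@CORP.LOCAL", "svc_sccm", "0x17", "10.0.0.55"),
    ("2024-05-01T09:14:04", "bob@CORP.LOCAL", "svc_adfs", "0x17", "10.0.0.55"),
    ("2024-05-01T11:30:00", "alice@CORP.LOCAL", "svc_sql", "0x12", "10.0.0.80"),
]


def is_noise(service: str) -> bool:
    """Computer accounts and krbtgt dominate 4769 volume and are not roastable targets."""
    return service.endswith("$") or service.lower() == "krbtgt"


def detect_kerberoasting(events):
    """Return (rule, requester, detail) findings for the honeypot, RC4 and sweep rules."""
    findings = []
    requests = defaultdict(list)   # requester -> [(time, service)]
    rc4_services = defaultdict(set)
    for ts, user, service, etype, ip in events:
        if is_noise(service):
            continue
        if service in HONEYPOT_SERVICES:
            findings.append(("honeypot_spn_requested", user, f"{service} from {ip}"))
        if etype in RC4_ETYPES:
            rc4_services[user].add(service)
        requests[user].append((datetime.fromisoformat(ts), service))
    for user, services in rc4_services.items():
        findings.append(("rc4_service_ticket", user, ", ".join(sorted(services))))
    for user, reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):   # sliding window over this requester's tickets
            distinct = {s for t, s in reqs[i:] if t - start <= WINDOW}
            if len(distinct) >= SWEEP_THRESHOLD:
                findings.append(("spn_sweep", user,
                                 f"{len(distinct)} distinct services within {WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect_kerberoasting(EVENTS):
        print(f"{rule:24} {user:20} {detail}")
```

Only bob trips any rule: jsmith's tickets are for a computer account and krbtgt and are dropped as noise, and alice's single AES256 (0x12) request to svc_sql is what legitimate use looks like. Before deploying the RC4 rule, baseline which services still genuinely need RC4; on a domain with legacy applications that rule fires constantly and the honeypot and sweep rules are the ones that stay clean.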

How do you prevent Kerberoasting?

Prevention starts with Group Managed Service Accounts (gMSA) wherever the application supports them: AD generates a 120-character password and rotates it every 30 days, which puts the account out of reach of offline cracking. For traditional service accounts, enforce long random passwords (25 characters or more) and rotate them. Set msDS-SupportedEncryptionTypes on service accounts to AES only so the KDC stops issuing RC4-HMAC tickets for them. Minimise the number of user accounts that carry an SPN, and never put an SPN on a privileged account or grant Domain Admin to a service account; the damage from a cracked password is bounded by what the account can do. Place privileged user accounts in the Protected Users group, which blocks RC4 and NTLM for their own authentication (this governs a member's logons, not the encryption type of tickets issued for a service account's SPN, which msDS-SupportedEncryptionTypes controls). Finally, audit SPN assignments regularly (setspn -Q */* or an LDAP query for servicePrincipalName=*) and review every hit for password age, permitted encryption types and group membership.
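The audit step above is the one that is easiest to run on a schedule. As an added example (not a script from the original page), the following Python applies the section's controls to a constructed export of user objects: it skips gMSAs, then flags every remaining SPN-bearing account that still permits RC4, has an old password or holds privileged group membership. The account names, dates and the 365-day password-age limit are assumptions for the demonstration; in practice the same attributes come from an LDAP query or from Get-ADUser with -Properties servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet and memberOf.

```python
from datetime import datetime, timedelta

RC4_BIT, AES128_BIT, AES256_BIT = 0x4, 0x8, 0x10   # msDS-SupportedEncryptionTypes flags
MAX_PASSWORD_AGE = timedelta(days=365)              # assumed policy for this audit
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
NOW = datetime(2024, 5, 1)  # fixed clock so the output is reproducible

# Constructed export; the attribute layout is what matters, not the names.
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": 0,   # unset: domain default, which still permits RC4
     "pwdLastSet": datetime(2019, 3, 12), "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/intranet.corp.local"],
     "msDS-SupportedEncryptionTypes": AES128_BIT | AES256_BIT,
     "pwdLastSet": datetime(2024, 2, 1), "memberOf": []},
    {"sAMAccountName": "gmsa_backup$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["backup/bk01.corp.local"],
     "msDS-SupportedEncryptionTypes": AES256_BIT,
     "pwdLastSet": datetime(2024, 4, 20), "memberOf": []},
    {"sAMAccountName": "jdoe", "objectClass": "user",
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": datetime(2023, 1, 1), "memberOf": ["Domain Admins"]},
]


def audit_kerberoastable(accounts, now=NOW):
    """Return {sAMAccountName: [issues]} for every non-gMSA account that carries an SPN."""
    report = {}
    for acct in accounts:
        if not acct["servicePrincipalName"]:
            continue   # no SPN: there is no service ticket to request
        if acct["objectClass"] == "msDS-GroupManagedServiceAccount":
            continue   # AD-managed 120-character password rotated every 30 days; not crackable
        issues = []
        etypes = acct["msDS-SupportedEncryptionTypes"]
        if etypes == 0 or etypes & RC4_BIT:
            issues.append("RC4-HMAC tickets allowed; set msDS-SupportedEncryptionTypes to AES only")
        if now - acct["pwdLastSet"] > MAX_PASSWORD_AGE:
            issues.append(f"password last set {acct['pwdLastSet']:%Y-%m-%d}; rotate or convert to gMSA")
        privileged = PRIVILEGED_GROUPS & set(acct["memberOf"])
        if privileged:
            issues.append("privileged SPN account: " + ", ".join(sorted(privileged)))
        report[acct["sAMAccountName"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_kerberoastable(ACCOUNTS).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

An empty issue list (svc_web here) means the account is still Kerberoastable in the sense that a ticket can be requested, but the ticket is AES-only and the password is fresh, so the attack has nothing cheap to work with; svc_sql, by contrast, combines all three weaknesses the section warns about.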

What is the difference between Kerberoasting and AS-REP Roasting?

Kerberoasting targets accounts that have an SPN: the attacker, as any authenticated user, requests a TGS ticket and cracks the part encrypted under the service account's key. AS-REP Roasting targets accounts with the "Do not require Kerberos preauthentication" flag set: the attacker sends an AS-REQ for that user and receives an AS-REP whose encrypted part is protected with the user's own key, and needs no credential at all, only a username. Both yield material for offline password cracking, but Kerberoasting is far more common because nearly every environment has service accounts with SPNs, whereas preauthentication is disabled only by explicit configuration.

What tools are used for Kerberoasting?

Common tools include Rubeus (C#, run on a Windows host; it handles the whole chain from SPN enumeration to hash output), Impacket's GetUserSPNs.py (Python, run from Linux against the domain over LDAP and Kerberos), PowerView and PowerSploit for SPN enumeration, Mimikatz for exporting tickets already cached on a compromised host, Hashcat (mode 13100) and John the Ripper (krb5tgs format) for offline cracking, and BloodHound for finding the Kerberoastable accounts that also hold admin rights or sit on a path to them.

What happens after a successful Kerberoasting attack?

After cracking a service account password, attackers use those credentials for lateral movement, privilege escalation, and accessing resources the service account can reach. If the service account has domain admin privileges, the attacker achieves full domain compromise. Even limited service accounts often access sensitive databases or applications.
