AD Attack Concepts- Kerberoasting Explained

Photo by Joan Gamell on Unsplash

AD Attack Concepts- Kerberoasting Explained

In this post, we tackle Kerberoasting attacks.

Kerberoasting is a type of attack that's performed within Active Directory environments, where a malicious actor attempts to capture a hash from an account with a Service Principal Name (SPN).

At its core, a Kerberoasting attack hinges on the intricate architecture of the Kerberos authentication protocol. This protocol, widely used in Windows domains, provides secure authentication by assigning encrypted tickets to users and service accounts. These tickets, known as TGTs (Ticket Granting Tickets), allow users to access various services without revealing their credentials every time.

Service accounts however, often used to run network services, require special permissions to request service tickets. These accounts possess an attribute called the Service Principal Name (SPN), which links the service to the account. This is the relationship that Kerberoasting attacks exploit.

Steps to perform a Kerberoasting attack

  1. Identifying Vulnerable Targets: Attackers begin by conducting reconnaissance within the target Windows domain. They search for service accounts with high privileges, as these accounts are likely to yield valuable credentials.

  2. Targeting SPNs: For each identified service account, the attacker homes in on its associated SPN. This unique identifier is crucial for requesting service tickets.

  3. Requesting Service Tickets: The attacker, masquerading as the service account, approaches the Key Distribution Center (KDC) with a request for a service ticket. This ticket contains the encrypted credentials of the service account.

  4. Capturing the Encrypted TGS Tickets: Once the service ticket (TGS) is granted, the attacker intercepts the TGS. This ticket hosts the encrypted service account credentials.

  5. Brute Force: The attacker initiates an offline brute force attack on the captured TGS. Using powerful cracking tools and techniques, they attempt to decrypt the encrypted credentials.

  6. Decrypting the Credentials: If successful, the attacker gains access to the plaintext credentials of the service account. This breakthrough grants them unauthorized access to network services and resources associated with the compromised account.

Kerberos Mitigation

  • Regularly rotate service account passwords

  • Utilize strong, complex passwords for service accounts

  • Implement account lockout policies to deter brute-force attacks


Kerberoasting attacks are an example of modern cyber threats. By exploiting the Kerberos authentication protocol's intricacies, attackers can compromise critical systems and assets. It is imperative that as defenders, we understand the mechanics of these attacks in order to effectively structure mitigation strategies. Through a combination of good monitoring, strong access controls, and proactive defense mechanisms, organizations can shield their cybersecurity infrastructure and render malicious attackers useless.