Attacks and exploitsIdentity and accessIntermediate30 min read

What Is Kerberoasting? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

Kerberoasting is a hacking technique used against Microsoft's Active Directory. Attackers request a special ticket from a domain controller that contains a hash of a service account's password. They then take that hash offline and try to crack it using common passwords. If successful, they can impersonate that service account and access sensitive systems.

Common Commands & Configuration

Rubeus.exe kerberoast /outfile:hashes.txt

Uses the Rubeus tool to request TGS tickets for all SPNs in the domain and dump the encrypted ticket data to a file. This is one of the most common ways to perform Kerberoasting on a Windows system after gaining access to a domain-joined machine.

Exams test that Rubeus is a post-exploitation tool for Kerberoasting. The /outfile parameter is used to save hashes for offline cracking. This command requires valid domain credentials but not admin rights.

impacket-GetUserSPNs -outputfile kerberoast_hashes.txt -dc-ip 10.0.0.1 DOMAIN/USER:password

The Impacket tool's GetUserSPNs script queries the Domain Controller for all service principal names (SPNs) associated with user accounts, requests TGS tickets for them, and outputs the encrypted hashes to a file. Useful from a Linux attack machine against a Windows domain.

Impacket is widely used in certifications like OSCP and PNPT. This command tests knowledge of cross-platform attack tools and the need for valid credentials. The -dc-ip specifies the Domain Controller's IP.

hashcat -m 13100 -a 0 kerberoast_hashes.txt wordlist.txt

Cracks Kerberos 5 TGS-REP (RC4) hashes using Hashcat. Mode 13100 is for Kerberos 5 TGS-REP etype 23 (RC4). The -a 0 specifies a dictionary attack. This is used after extracting hashes from Rubeus or GetUserSPNs.

Hashcat mode numbers appear in exams. 13100 is specific to Kerberoasting (RC4). Candidates must know that AES hashes use mode 19600. This tests password cracking methodology.

Get-DomainUser * -SPN | select -Property name, serviceprincipalname

PowerView command (PowerShell) to enumerate all domain user accounts that have an SPN, meaning they are service accounts. This identifies potential targets for Kerberoasting. Often used during reconnaissance.

PowerView is a common tool for Active Directory enumeration in exams like OSCP. Knowing how to find SPNs is step one of Kerberoasting. This command filters users with non-null SPN attributes.

Set-ADUser -Identity SERVICE_ACCOUNT -ServicePrincipalName @{remove='SERVICE/NAME'}

PowerShell command to remove an SPN from a service account. This can be used as a mitigation to reduce the attack surface by removing unnecessary SPNs, making that account less likely to be targeted.

Mitigation techniques are tested. Removing SPNs prevents Kerberoasting against that account. Exams may ask how to harden service accounts, and this command is a valid administrative action.

Set-ADServiceAccount -Identity gMSA_NAME -KerberosEncryptionType AES256

Configures a Group Managed Service Account (gMSA) to use AES256 encryption for Kerberos. This mitigates Kerberoasting by forcing the use of stronger encryption, making offline cracking significantly slower.

Enforcing AES encryption is a recommended control. Exams often test that disabling RC4 or enforcing AES reduces the success rate of Kerberoasting. gMSAs are a best practice for service accounts.

Kerberoasting appears directly in 9exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA CySA+. Practise them →

Must Know for Exams

Kerberoasting appears in several major IT security certification exams, including CompTIA Security+, CompTIA CySA+, CISSP, and the Certified Ethical Hacker (CEH) exam. In CompTIA Security+ (SY0-601 and SY0-701), Kerberoasting falls under Domain 1 (Attacks, Threats, and Vulnerabilities) and Domain 3 (Implementation). You may see questions asking you to identify the attack based on a scenario where an attacker requests service tickets for SPNs and cracks them offline.

The exam expects you to recognize Kerberoasting as a post-exploitation attack that targets service accounts and to know that mitigating it requires strong service account passwords and the use of gMSA. In CompTIA CySA+, Kerberoasting appears in the context of threat detection and response. You might be presented with a log analysis question showing multiple TGS requests from a single client IP in a short time window, and you need to identify the indicator of compromise (IoC) as a potential Kerberoasting attempt.

The exam also tests your ability to recommend remediation steps, such as enabling AES encryption and auditing SPN requests. In CISSP, Kerberoasting is relevant to Domain 3 (Security Architecture and Engineering) and Domain 6 (Security Assessment and Testing). Questions may focus on the cryptographic weaknesses in the Kerberos protocol and the importance of using strong encryption types.

You might be asked to evaluate a set of security controls and determine which ones would most effectively prevent Kerberoasting. In the CEH exam, Kerberoasting is part of the system hacking module, specifically in the context of privilege escalation and password cracking. You may see questions about tools like Rubeus, Impacket, and Hashcat, and the steps an attacker follows.

The exam might ask you to order the stages of a Kerberoasting attack or identify the tool used to extract SPNs from Active Directory. Across all these exams, the common thread is understanding the attack lifecycle, the role of service accounts, and the defensive measures. You should be familiar with the terms SPN, TGS, TGT, RC4, AES, Hashcat, and gMSA.

Practice identifying attack signatures such as event ID 4769 (a Kerberos service ticket was requested) with unusual volume or from unusual source IPs.

Simple Meaning

Imagine you work in an office building that uses electronic key cards to open doors. Each employee gets a card that grants access to the areas they need. Now, imagine a thief finds a way to request a temporary visitor pass from the security desk for any employee, including those with high-level access.

The temporary pass has a scrambled code written on it that is based on that employee's password. The thief cannot use the pass directly because the scrambled code is unreadable, but he can take it home and spend hours trying different combinations to unscramble it. If he cracks the code, he can now get into the building as that high-level employee.

This is exactly how Kerberoasting works. In the digital world, the building is a company's network, the security desk is the Active Directory domain controller, and the temporary visitor pass is a special ticket called a service ticket. The attacker asks the domain controller for a service ticket for a particular service account, without needing any special permissions.

This ticket is encrypted using the service account's password hash. The attacker copies the ticket from his own computer and uses password-cracking tools offline. Once the password is cracked, the attacker can use that service account to access any resource that account can reach, often including databases, file servers, or even other domain controllers.

The real danger is that many organizations use weak or default passwords for service accounts, making them easy targets. Kerberoasting does not rely on any exploit or software vulnerability; it simply abuses the way Kerberos authentication works by design. This makes it a favorite technique for penetration testers and attackers alike, because it is stealthy and difficult to detect with standard security tools.

The attack leaves a log entry of a service ticket request, but in large environments with thousands of legitimate requests, a few extra ones often go unnoticed.

Full Technical Definition

Kerberoasting is a post-exploitation attack targeting the Kerberos authentication protocol in Microsoft Active Directory environments. It specifically exploits the service ticket (TGS) request process to obtain password hashes of user accounts that have Service Principal Names (SPNs) registered. These accounts are typically service accounts that run applications, databases, or other services, and they often have elevated privileges.

The attack does not require any authentication as a privileged user; any domain user can initiate a TGS request for any SPN. The resulting TGS ticket is encrypted using the service account's password hash derived from the NTLM hash of the account. An attacker captures this encrypted ticket from the Kerberos traffic or from a memory dump on a compromised machine.

The encryption algorithm used in the TGS ticket is typically RC4-HMAC (based on the NTLM hash) or AES, depending on the domain functional level and encryption type support. The RC4-HMAC variant is particularly vulnerable because the encryption key is derived directly from the NTLM hash, which can be cracked offline using brute-force or dictionary attacks. Attackers use tools like Rubeus, Impacket's GetUserSPNs.

py, or Mimikatz to query Active Directory for all accounts with SPNs and request service tickets for them. Once the tickets are obtained, they are saved to a file and processed with password-cracking tools such as Hashcat or John the Ripper. The cracking process attempts to reverse the encryption and recover the plaintext password.

If the service account password is weak, common, or defaults to a known value (e.g., 'P@ssw0rd' or 'service123'), the attacker can recover it within minutes or hours. With the plaintext password, the attacker can authenticate as that service account and gain whatever privileges the account holds.

This often includes access to databases, file shares, remote administration tools, and sometimes even domain admin privileges if the service account has been granted excessive rights. Mitigations include using strong, complex passwords for service accounts (at least 25 characters), enabling AES encryption for Kerberos tickets (which makes cracking significantly harder), implementing managed service accounts (gMSA) that rotate passwords automatically, and monitoring for unusual TGS request patterns. Security Information and Event Management (SIEM) systems can detect Kerberoasting by flagging a single user requesting many TGS tickets for different SPNs in a short time window, or by detecting service ticket requests made from non-standard workstations.

Real-Life Example

Think of a large apartment building with a front desk. Each apartment has a mailbox, and each resident has a key to their own mailbox. The building manager has a master key that opens every mailbox.

Now, imagine a clever thief watches the mail carrier deliver letters. The thief notices that the mail carrier sometimes uses a special master key to open a mailbox when a resident loses their key. The thief walks up to the front desk and politely asks for access to the manager's mailbox, pretending to be the manager.

The front desk clerk, without verifying the thief's identity, provides a temporary copy of the manager's mailbox key. However, the key is not a physical metal key; it is a coded card that needs to be decoded by holding it up to a special light. The thief cannot use the card to open the mailbox directly.

But the thief takes the card home and spends the evening trying different combinations of light filters until the code reveals itself. Once decoded, the thief now has a working copy of the manager's master key. He can now open any mailbox in the building, read other residents' mail, and steal sensitive information.

In this analogy, the apartment building is the company's network, the front desk is the Active Directory domain controller, the mailbox keys are service account credentials, and the temporary coded card is the encrypted Kerberos service ticket. The thief (attacker) does not need to break in or steal anything initially; he simply uses the system's own processes to obtain a ticket that contains an encrypted version of the password. The offline cracking step is equivalent to the thief decoding the card at home.

This shows how Kerberoasting exploits a legitimate feature of the authentication system to gain unauthorized access, and why simply having a strong password for the service account is the most effective defense.

Why This Term Matters

Kerberoasting matters because it is one of the most common and effective attacks against Windows-based enterprise networks. It does not rely on any software vulnerability or unpatched system, which means that even fully updated environments are vulnerable. The attack is stealthy: it generates logs that look similar to routine Kerberos authentication traffic, making it hard for security teams to detect without advanced monitoring.

Once an attacker cracks a service account password, they can move laterally across the network and escalate privileges. Many organizations use service accounts with weak passwords because they are rarely changed due to the fear of breaking applications. This creates a persistent security gap that attackers know how to exploit.

For IT professionals, understanding Kerberoasting is critical for designing secure Active Directory environments. It directly impacts how you configure service accounts, set password policies, and implement monitoring. The principle of least privilege becomes even more important because if a service account is compromised through Kerberoasting, the blast radius is limited to the permissions that account has.

Using Group Managed Service Accounts (gMSA) or ensuring service accounts have passwords that are cryptographically random and at least 25 characters long can make cracking attempts infeasible. Security professionals must also know how to configure Kerberos encryption types to prefer AES over RC4, since RC4-hashed tickets are much easier to crack. Kerberoasting is not just an attack technique; it is a test of an organization's fundamental identity and access management hygiene.

For anyone pursuing IT security certifications, it is a core concept that bridges theoretical authentication protocols with practical offensive and defensive security.

How It Appears in Exam Questions

Multiple-choice scenario questions are the most common format. A typical question might describe a situation where an attacker with a standard domain user account runs a tool that queries Active Directory for all service principal names, then requests service tickets for those accounts. The attacker downloads the tickets and uses a password-cracking tool offline.

The question then asks you to identify the attack (Kerberoasting) or the best mitigation (use strong service account passwords and enable AES encryption). Another common question type involves log analysis. You are given excerpts from Windows Security Event Log showing multiple Event ID 4769 entries for different service names, all requested from the same workstation within a few minutes.

The question asks what type of attack this log pattern suggests. This tests your ability to recognize the behavioral indicator of Kerberoasting. In simulation questions, you might be asked to configure a Group Policy setting to mitigate Kerberoasting, such as enabling AES128 and AES256 encryption for Kerberos tickets, or configuring an audit policy to log Kerberos ticket requests.

Some exams use drag-and-drop questions where you need to order the steps of a Kerberoasting attack: enumerate SPNs, request TGS tickets, capture encrypted tickets, crack passwords offline, and authenticate as the service account. For advanced certifications, there may be performance-based questions where you are given a command output from a tool like GetUserSPNs.py and asked to interpret the results.

For example, the output might list several accounts with SPNs, and you need to identify which account is most vulnerable based on its password age or encryption type. You may also see troubleshooting questions: a company has implemented strong passwords for service accounts, but Kerberoasting is still successful. The question asks why.

The answer is that the domain still supports RC4 encryption, and the attacker is requesting tickets using RC4 instead of AES. The fix is to disable RC4 encryption for Kerberos or use group Managed Service Accounts. Another troubleshooting scenario might involve a security analyst who captures network traffic and notices many Kerberos AS-REQ and TGS-REQ packets.

They need to determine if it is a Kerberoasting attack or legitimate traffic. The answer involves checking if the requests are for a large number of different SPNs within a short time from a single source. These question types require you to not only recall definitions but also apply the concept to realistic IT situations.

Practise Kerberoasting Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a security administrator for a medium-sized company called TechFlow Inc. The company uses Microsoft Active Directory to manage user access. One day, the security team receives an alert from their SIEM system: a user account named 'jsmith' has requested Kerberos service tickets for over 20 different service principal names within 5 minutes.

JSmith is a standard employee who works in the marketing department and normally only accesses email and a few shared folders. The SIEM shows that the requests came from JSmith's workstation at 2:00 AM, and the requested services include SQL_Server, FileServer_01, and BackupService. The security team investigates and finds that JSmith's desktop computer was infected with malware.

The malware used the logged-in user's privileges to enumerate all SPNs in the domain using a PowerShell script. It then used a tool called Rubeus to request a TGS ticket for each SPN. The encrypted tickets were exfiltrated to an external server.

The attacker then attempted to crack the service account password for BackupService because that account had domain admin privileges. Fortunately, the BackupService account password was 32 characters long, randomly generated, and changed automatically every month using a Group Managed Service Account. The attacker's cracking attempt failed.

However, the SQL_Server service account had a weak password 'sql@2020', which the attacker cracked within two hours. The attacker used that account to log into the SQL database server and exfiltrated a copy of the customer database. This scenario illustrates how Kerberoasting can lead to data breach if service accounts are not properly hardened.

The steps the company should take include auditing all service accounts, enforcing strong passwords, disabling RC4 encryption, and implementing User Behavioral Analytics (UBA) to detect unusual ticket request patterns. The scenario also highlights that even if the primary attack fails, the attacker can still succeed with a weaker secondary target, reinforcing the need for least privilege across all accounts.

Common Mistakes

Thinking Kerberoasting requires administrative privileges.

Any authenticated domain user can request a TGS ticket for any SPN. No special permissions are needed to initiate the attack.

Assume that any domain user can be the attacker. Focus on hardening service accounts and monitoring for unusual ticket requests rather than relying on access control to stop the attack.

Believing that strong passwords make Kerberoasting impossible.

While strong passwords make cracking harder, they do not prevent the ticket request itself. The attacker still obtains the encrypted ticket. Only disabling RC4 encryption or using Kerberos armoring prevents the attack entirely.

Use a combination of strong passwords (25+ characters), AES-only encryption, and Group Managed Service Accounts (gMSA) that rotate passwords automatically.

Confusing Kerberoasting with Golden Ticket attacks.

A Golden Ticket attack requires the KRBTGT account hash and gives the attacker domain admin privileges. Kerberoasting targets service accounts and only gives access to what that specific service account can access.

Distinguish attacks based on the compromised account type: KRBTGT for Golden Ticket, service accounts for Kerberoasting, and user accounts for pass-the-hash.

Thinking that enabling AES encryption fully stops Kerberoasting.

AES encryption makes cracking extremely difficult but not impossible if the password is weak. If any service account still supports RC4, an attacker can request a ticket using RC4 downgrade.

Enforce AES-only encryption for all Kerberos tickets and disable RC4 entirely using Group Policy. Also ensure that all service account passwords are random and long.

Believing that Kerberoasting only works on domain controllers.

The attacker runs tools from any domain-joined computer, not necessarily a domain controller. They only need to query Active Directory using LDAP.

Monitor all domain-joined systems for tools like Rubeus, Mimikatz, and PowerShell scripts that query SPNs or request TGS tickets.

Exam Trap — Don't Get Fooled

{"trap":"An exam question says: 'An attacker captures encrypted Kerberos service tickets from network traffic. What type of attack is this?' The answer choices include 'Kerberoasting' and 'Golden Ticket'.

Many learners choose Golden Ticket because they associate high-level attacks with Kerberos.","why_learners_choose_it":"They confuse the two because both involve Kerberos tickets. Golden Ticket is more famous and sounds more dangerous, so they default to that."

,"how_to_avoid_it":"Remember that Kerberoasting specifically involves capturing service tickets (TGS) and cracking them offline. Golden Ticket involves forging a Ticket Granting Ticket (TGT) using the KRBTGT hash. Look for keywords: 'service tickets' and 'cracking offline' point to Kerberoasting.

'Forged tickets' and 'domain admin' point to Golden Ticket."

Commonly Confused With

KerberoastingvsGolden Ticket Attack

A Golden Ticket attack requires the KRBTGT account hash and allows the attacker to forge TGT tickets for any user, granting domain admin access. Kerberoasting only targets service accounts and does not provide domain admin access unless the cracked service account has that privilege.

Golden Ticket is like forging a master key to the entire building; Kerberoasting is like picking the lock on a specific office door.

KerberoastingvsPass-the-Ticket

Pass-the-Ticket involves stealing a valid Kerberos ticket from a user's session and reusing it on another machine. Kerberoasting does not steal existing tickets; it requests new tickets and cracks the password offline.

Pass-the-Ticket is like borrowing someone's access card while they are in the building; Kerberoasting is like getting a blank card printed with their name on it and then figuring out the PIN.

KerberoastingvsSilver Ticket Attack

A Silver Ticket attack forges a service ticket for a specific service using the service account's password hash. It does not require cracking because the attacker already has the hash. Kerberoasting first cracks the password to obtain the hash, then uses it for further attacks.

Silver Ticket is like having a duplicate key made because you already have the original; Kerberoasting is like picking the lock to get the original key.

Step-by-Step Breakdown

1

Enumerate Service Principal Names (SPNs)

The attacker queries Active Directory to find all user accounts that have an SPN registered. An SPN is a unique identifier for a service running on a server. Tools like GetUserSPNs.py or PowerShell script 'Get-ADUser -Filter {ServicePrincipalName -ne "$null"}' are used. Any domain user can perform this query.

2

Request TGS Tickets for Target SPNs

For each service account found, the attacker requests a Kerberos service ticket (TGS) from the domain controller. The request is made using the attacker's current Kerberos TGT. The domain controller returns a TGS ticket encrypted with the service account's password hash.

3

Capture the Encrypted Tickets

The encrypted TGS tickets are either saved to a file on the attacker's machine or captured from network traffic using a packet sniffer. The attacker now has a blob of encrypted data that contains the service account's NTLM hash as the encryption key.

4

Crack the Tickets Offline

The attacker runs a password-cracking tool like Hashcat or John the Ripper against the captured tickets. The tool tries millions of password guesses per second, attempting to decrypt the TGS ticket. If a guess is correct, the ticket decrypts successfully, revealing the plaintext password.

5

Authenticate as the Service Account

With the plaintext password, the attacker can now impersonate the service account. They can log in to any machine where the account has access, run services under that identity, or move laterally to other systems that trust the service account.

6

Escalate Privileges

If the cracked service account has local administrator rights on a domain controller or other high-value systems, the attacker can escalate to domain admin or compromise the entire domain. Even without that, the attacker can access sensitive data accessible to the service account.

Practical Mini-Lesson

Kerberoasting is a primary method attackers use to move from a standard user compromise to more privileged access. As a security professional, you need to understand both the offensive and defensive aspects. When testing your own environment, you can use tools like Rubeus with the command 'Rubeus kerberoast' to simulate the attack and identify weak service accounts.

However, ensure you have written authorization before performing any security testing. On the defensive side, your first priority is service account hygiene. Every service account should have a password that is at least 25 characters long, randomly generated, and changed regularly.

Group Managed Service Accounts (gMSA) are the gold standard because they automatically rotate complex passwords without manual intervention. Next, you must configure Kerberos encryption to use AES128 and AES256 and disable RC4-HMAC. This can be done via Group Policy under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Configure encryption types allowed for Kerberos.

Select 'AES128_HMAC_SHA1' and 'AES256_HMAC_SHA1', and uncheck 'RC4_HMAC_MD5'. Be aware that disabling RC4 may affect older applications that do not support AES. Testing is essential before broad deployment.

Monitoring is also crucial. Enable auditing for Kerberos service ticket operations (Audit Kerberos Authentication Service) and monitor Event ID 4769. A single user generating many 4769 events for multiple SPNs in a short time is a red flag.

You can also look for Event ID 4776 (credential validation) for service accounts being used from unusual workstations. In a Security Operations Center (SOC) context, you might use a SIEM to create a correlation rule: 'If more than 10 Event ID 4769 from same Source IP within 5 minutes, then trigger alert for possible Kerberoasting.' consider implementing User and Entity Behavior Analytics (UEBA) tools that learn normal Kerberos traffic patterns and flag anomalies.

For incident response, if Kerberoasting is detected, immediately isolate the affected workstation, reset the password for any service accounts that were targeted, and investigate for lateral movement. Finally, remember that Kerberoasting is often a post-exploitation technique. The attacker already had a foothold in the environment, so you need to investigate the initial compromise vector as well.

This layered approach-hardening service accounts, encryption settings, monitoring, and incident response-forms a comprehensive defense against Kerberoasting.

The Kerberoasting Attack Mechanism

Kerberoasting is a post-exploitation attack that targets service accounts in a Microsoft Active Directory environment. The attack uses the Kerberos authentication protocol to obtain service account credentials without needing to send any network traffic that is obviously malicious. An attacker who has already gained a foothold on a domain-joined machine, usually with a standard user account, can request Kerberos service tickets for any service principal name (SPN) in the domain. The Domain Controller (DC) encrypts these tickets using the password hash of the service account that owns the SPN. Specifically, the ticket-granting service (TGS) ticket is encrypted with the service account's NTLM hash derived from its password.

The attacker then extracts these encrypted TGS tickets from memory or from the local LSASS process using tools like Mimikatz, Rubeus, or Impacket. Once the ticket is obtained offline, the attacker can attempt to crack the encryption offline using brute-force or dictionary attacks. Because service account passwords are often complex but still shorter than 15 characters, and because administrators sometimes set them to never expire or use weak passwords, the cracking phase can be highly successful. The encryption used is typically RC4-HMAC (with a key derived from the NTLM hash) or, in newer environments, AES128 or AES256. However, RC4-HMAC is still common and is especially vulnerable because it is fast to crack with tools like Hashcat or John the Ripper. The goal is to recover the service account's plaintext password, which often has high privileges, such as domain admin rights or access to critical servers.

A crucial aspect of the mechanism is that the attacker does not need administrative privileges to request TGS tickets. Any authenticated domain user can request a service ticket for any SPN. This makes the attack a low-privilege escalation vector. The only prerequisite is that the attacker must have valid domain credentials (even low-privileged ones). This is why Kerberoasting is often performed after initial compromise via phishing or other exploitation. The attack is stealthy because it mimics legitimate Kerberos authentication traffic. Security teams must therefore rely on anomaly detection, such as unusual volume of TGS requests from a single account, or the use of decoy service accounts (honeytokens) to detect the activity. Understanding this mechanism is essential for any IT professional preparing for security-related certification exams, as it tests knowledge of Kerberos internals, privilege escalation, and password security.

From an exam perspective, candidates must know that Kerberoasting does not exploit a vulnerability in Kerberos itself, but rather abuses the protocol's design. It is a password cracking attack, not a memory exploit. The mitigation involves using strong, randomly generated passwords for service accounts (preferably 25+ characters), implementing Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs), and monitoring for anomalous TGS requests. In certifications like CompTIA Security+ or CISSP, questions often focus on the attack's reliance on weak passwords and the need for service account hardening. In Microsoft-specific exams, the correct answer might involve enabling AES encryption to slow down cracking, or using conditional access policies to flag unusual TGS requests.

the Kerberoasting mechanism can be broken into three steps: Request, Extract, Crack. The request phase is performed by an authenticated user, the extraction phase uses tools to capture the encrypted ticket, and the cracking phase attempts to recover the password offline. This process highlights why service accounts are a high-value target and why exam questions emphasize the importance of service account management and monitoring.

For certification preparation, remember that the key defense is to ensure service account passwords are long, complex, and changed frequently. The use of AES encryption makes cracking much slower than RC4, but does not prevent the attack entirely. Finally, the best detection method is to look for an unusual number of TGS requests from a single user, especially service tickets that are not needed for that user's role.

Mitigation Strategies and Detection Techniques for Kerberoasting

Defending against Kerberoasting requires a multi-layered approach that combines technical controls, policy enforcement, and proactive monitoring. Because the attack does not exploit a software vulnerability but instead abuses the Kerberos protocol's normal behavior, traditional patching is not a complete solution. The primary mitigation focuses on making service account passwords resistant to offline cracking and on detecting the anomalous TGS requests that are the precursor to credential theft.

First and foremost, service account passwords should be strong, unique, and randomly generated. The National Institute of Standards and Technology (NIST) recommends using complex passwords that are at least 15 characters long, but for service accounts, 25 characters or more is advisable. Even better is to use Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs) introduced in Windows Server 2008 R2 and later. These are computer accounts that have automatically rotated, complex passwords managed by the domain. They do not require manual password changes and are much harder to crack because the password is a 240-character random value. However, not all applications support MSAs, so legacy service accounts may still exist. In such cases, administrators should enforce strong password policies and schedule regular password rotations, ideally every 30 to 90 days.

Second, encryption type matters. Kerberos supports multiple encryption types, including RC4-HMAC (which is fast and weak), AES128, and AES256. By default, many environments still offer RC4 because of compatibility with older applications. To mitigate Kerberoasting, administrators should disable RC4 encryption for service accounts and enforce the use of AES encryption. This can be done via Group Policy by setting the "Network security: Configure encryption types allowed for Kerberos" to include only AES128 and AES256. Cracking AES-encrypted tickets is computationally much more expensive than RC4, though with enough resources it is still possible. Certification exams often test this: disabling RC4 is a strong mitigation but not a complete prevention.

Third, monitoring and detection are critical. Security Information and Event Management (SIEM) systems can be configured to alert on high volumes of TGS requests from a single user, especially for service accounts that the user does not normally access. For example, if a regular user suddenly requests a dozen service tickets for SQL Server service accounts, that is suspicious. Windows Event ID 4769 (A Kerberos service ticket was requested) can be logged and analyzed. Deploying decoy service accounts (honeytokens) with weak passwords can be an effective early warning system. When an attacker attempts to crack the honeytoken's password and uses it, an alert is triggered. This technique is covered in advanced security exams and blue team training.

Fourth, the principle of least privilege applies. Service accounts should have only the permissions necessary to perform their tasks. A SQL Server service account, for example, should not be a domain administrator. If an attacker cracks a service account password, the blast radius is limited if the account has minimal privileges. This is often a key point in exam questions about privilege escalation and lateral movement.

Finally, user awareness and credential hygiene are important. Because Kerberoasting often follows a successful initial compromise via phishing, training users to recognize phishing attempts reduces the attack surface. Multi-factor authentication (MFA) does not directly prevent Kerberoasting because the attack uses cached credentials, but MFA can prevent the initial compromise that provides the attacker with a foothold.

From an exam perspective, candidates should be prepared to answer questions about the relative effectiveness of different mitigations. For instance, the most effective mitigation is using gMSAs or long, complex passwords. The next is disabling RC4 encryption. Monitoring and least privilege are complementary controls. Understanding that no single control is perfect is important for comprehensive security. In certifications like CompTIA Pentest+ or OSCP, candidates may need to describe both the attack and the mitigations. In CISSP, the focus might be on the principle of defense in depth.

a successful defense against Kerberoasting combines account management (MSAs/gMSAs), encryption hardening (disable RC4), strong password policies, vigilant monitoring (Event ID 4769 and honeytokens), and least privilege. This layered approach significantly reduces the risk and impact of this common attack.

Memory Tip

Kerberoasting = Request TGS tickets for service accounts, then crack offline. Think: 'Service Tickets = Crackable Gold.'

Learn This Topic Fully

This glossary page explains what Kerberoasting means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Quick Knowledge Check

1.What is the primary prerequisite for an attacker to perform a Kerberoasting attack?

2.Which encryption type used in Kerberos TGS tickets makes Kerberoasting most vulnerable to offline password cracking?

3.Which Windows Event ID is most relevant for detecting Kerberoasting activity?

4.What is the most effective technical control to prevent Kerberoasting from succeeding?

5.An attacker uses Impacket's GetUserSPNs and obtains encrypted hashes. What is the correct Hashcat mode to crack RC4-based Kerberos TGS tickets?

6.Which of the following describes the correct sequence of steps in a Kerberoasting attack?

Frequently Asked Questions

Can Kerberoasting be performed by a non-domain user?

No, the attacker must be authenticated as a domain user to request TGS tickets. However, the attacker can be any domain user, including a low-privilege account.

Does Kerberoasting work on Linux systems?

Kerberoasting targets Microsoft Active Directory, so it only works in AD environments. However, the tools to perform it (like Impacket) can run on Linux.

Is Kerberoasting the same as cracking a password hash?

It is similar, but the hash is embedded within a Kerberos ticket and requires a specific cracking mode. Tools like Hashcat have a dedicated mode (13100) for Kerberos 5 TGS-REP etype 23.

What is the easiest way to prevent Kerberoasting?

The easiest immediate step is to ensure all service accounts have strong, random passwords over 25 characters. The best long-term solution is to use Group Managed Service Accounts.

How can I detect Kerberoasting in my network?

Monitor for a high volume of Event ID 4769 from a single source IP, especially for many different SPNs. Also, look for the use of tools like Rubeus or GetUserSPNs.py in your environment.

Can Kerberoasting be used against any service account?

Yes, any user account with an SPN registered is vulnerable. This includes accounts used for SQL Server, IIS, file shares, and custom applications.

Summary

Kerberoasting is a powerful and stealthy attack that exploits a core feature of the Kerberos authentication protocol in Active Directory. It allows any authenticated domain user to obtain encrypted service tickets for accounts with Service Principal Names, and then crack those tickets offline to recover plaintext passwords. The attack is particularly dangerous because it does not require any vulnerability or elevated privileges to initiate, making it a common choice for penetration testers and real-world attackers alike.

For IT professionals, understanding Kerberoasting is essential for designing secure authentication architectures, managing service accounts diligently, and implementing effective monitoring. The primary defenses include using strong, random passwords for service accounts, deploying Group Managed Service Accounts, disabling RC4 encryption in favor of AES, and auditing Kerberos ticket requests. In certification exams, Kerberoasting appears in scenarios that test your ability to identify the attack, differentiate it from other Kerberos-based attacks, and recommend appropriate mitigations.

Mastering this concept not only helps you pass exams like Security+, CySA+, CISSP, and CEH, but also equips you with real-world knowledge to protect enterprise networks from one of the most prevalent identity-based threats. Remember that the goal is not just to recognize the attack but to build a layered defense that makes the attacker's job as difficult as possible.