What is Kerberoasting
Kerberoasting is a post-exploitation technique used by attackers to extract and crack service account credentials in Active Directory (AD) environments. It exploits a weakness in the Kerberos authentication protocol by requesting service tickets (TGS) that are encrypted with a key derived from a service account’s password.
Introduced by security researcher Tim Medin in 2014, Kerberoasting has become a common technique in both real-world attacks and Red Team simulations due to its effectiveness and stealth.
A Bit of Theory
Before diving into the attack mechanics, it’s essential to understand a few key concepts behind Kerberos and service accounts in Active Directory.
Kerberos Authentication
Kerberos is the default authentication protocol in Windows-based domains. It allows secure authentication between users and services without transmitting passwords over the network. The process involves three main steps:
- AS-REQ / AS-REP: The client authenticates with the Key Distribution Center (KDC) and receives a Ticket Granting Ticket (TGT).
- TGS-REQ / TGS-REP: The client uses the TGT to request a Service Ticket (TGS) for a specific service.
- Service Access: The client presents the TGS to the service to gain access.
Each TGS is encrypted with a key derived from the service account's password (for RC4-HMAC tickets this key is the account's NT hash). This is the core of the Kerberoasting weakness: whoever holds the ticket can test password guesses against it offline.
Service Principal Name (SPN)
An SPN is a unique identifier for a service instance in Active Directory. It maps a service to a domain account, allowing Kerberos to locate and authenticate the service. Examples of SPNs include:
- MSSQLSvc/dbserver01.contoso.com:1433
- HTTP/webserver.contoso.com
Any domain user can request a TGS for any SPN, which is what Kerberoasting exploits.
Group Managed Service Accounts (gMSA)
gMSAs are special types of service accounts managed by Active Directory. Their passwords are:
- Automatically generated.
- Periodically rotated.
- Not retrievable by human users.
- Not allowed to log in interactively.
Using gMSAs drastically reduces the attack surface for Kerberoasting by eliminating the possibility of weak or reused passwords on service accounts.
How the Attack Works
Kerberoasting leverages the fact that any authenticated domain user can request a service ticket (TGS) for a service account with a registered Service Principal Name (SPN). These tickets are encrypted with a key derived from the service account's password (its NTLM hash when the ticket uses RC4-HMAC), making them vulnerable to offline brute-force or dictionary attacks.
Here’s a typical workflow:
- SPN Enumeration: The attacker uses tools like SetSPN, PowerView, or ADFind to enumerate service accounts with SPNs.
- TGS Request: The attacker requests a Kerberos service ticket (TGS) for the target SPN.
- Ticket Dumping: Tools like Mimikatz are used to extract the encrypted TGS from memory.
- Offline Cracking: The attacker cracks the TGS using password-cracking tools such as Hashcat or John the Ripper to recover the plaintext password.
Since the cracking is done offline, the attacker avoids detection by most real-time network defenses.
Defense Techniques
Mitigating Kerberoasting requires both proactive prevention and effective detection mechanisms.
Prevention
- Strong, Complex Passwords: Ensure service accounts use long, complex, and unique passwords to resist brute-force attacks.
- Use gMSAs (Group Managed Service Accounts): These accounts automatically manage complex passwords and cannot be used for interactive logins.
- Least Privilege Principle: Avoid granting excessive privileges to service accounts.
- SPN Hygiene: Regularly audit and minimize the use of unnecessary SPNs.
Detection and Monitoring
- Monitor for Unusual TGS Requests: An unusually high number of TGS requests from a single user can indicate suspicious activity.
- Kerberos Event Logging: Enable and analyze Event ID 4769 (Kerberos TGS requests) for anomalies, such as one account requesting tickets for many distinct service names in a short window, or tickets issued with RC4 encryption (type 0x17) where AES is the norm.
- SIEM and Security Tools: Use SIEM platforms and solutions like Microsoft Defender for Identity to detect known Kerberoasting patterns.
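The two detection items above (unusual TGS volume and Event ID 4769 review) can be expressed as a small rule. This is an added example, not code from the original post; it runs over constructed 4769 records rather than real exported logs, and the field names, the 5-minute window and the threshold of three services are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4769 records (not real logs),
# reduced to the fields the rule needs: requesting account, service name and
# ticket encryption type. 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96.
SAMPLE_4769 = [
    ("2024-05-01T09:00:01", "alice@CONTOSO.COM", "WEBSRV01$",  "0x12"),
    ("2024-05-01T09:00:04", "bob@CONTOSO.COM",   "svc_sql",    "0x17"),
    ("2024-05-01T09:00:05", "bob@CONTOSO.COM",   "svc_web",    "0x17"),
    ("2024-05-01T09:00:06", "bob@CONTOSO.COM",   "svc_backup", "0x17"),
    ("2024-05-01T09:00:07", "bob@CONTOSO.COM",   "svc_sccm",   "0x17"),
    ("2024-05-01T09:30:00", "carol@CONTOSO.COM", "svc_sql",    "0x12"),
]

def is_user_service(service: str) -> bool:
    # Tickets for computer accounts (name ends in $) and for krbtgt are normal
    # background noise; Kerberoasting targets user-style accounts holding SPNs.
    return not service.endswith("$") and service.lower() != "krbtgt"

def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return (alert_type, user, detail) tuples for two patterns:
    'rc4_tgs'   - a ticket for a user-style service account issued with RC4,
                  the encryption type attackers prefer because it cracks fastest;
    'spn_sweep' - one account requesting tickets for >= min_services distinct
                  user-style service accounts inside one time window."""
    alerts = []
    per_user = defaultdict(list)   # user -> [(time, service)] within the window
    flagged = set()                # users already reported for a sweep
    for ts, user, service, etype in sorted(events):
        if not is_user_service(service):
            continue
        t = datetime.fromisoformat(ts)
        if etype == "0x17":
            alerts.append(("rc4_tgs", user, service))
        # keep only this user's requests that fall inside the sliding window
        hist = [(ht, s) for ht, s in per_user[user] if t - ht <= window]
        hist.append((t, service))
        per_user[user] = hist
        distinct = {s for _, s in hist}
        if len(distinct) >= min_services and user not in flagged:
            flagged.add(user)
            alerts.append(("spn_sweep", user, len(distinct)))
    return alerts

if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert)
```

In a real deployment the same logic would read 4769 events exported from the domain controllers' Security log, keyed on the TargetUserName, ServiceName and TicketEncryptionType fields.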
Impact of Kerberoasting in Production
The consequences of a successful Kerberoasting attack can be severe:
- Privileged Access: Attackers may gain access to sensitive applications, file servers, or databases by compromising high-privilege service accounts.
- Lateral Movement and Domain Escalation: With service account credentials, attackers can pivot across the network and escalate privileges up to Domain Admin.
- Data Breaches and Operational Disruption: Exfiltration of data or the compromise of core systems can lead to significant financial and reputational damage.
Environments with weak password policies, poor SPN management, and inadequate monitoring are particularly vulnerable.
Final Thoughts
Kerberoasting is a powerful and stealthy attack vector that takes advantage of common misconfigurations in Active Directory. Although the method is technically straightforward, its impact can be devastating if proper defenses are not in place.
To defend against Kerberoasting effectively, organizations must adopt a defense-in-depth strategy: strong password policies, modern service account management (like gMSAs), tight privilege controls, and continuous monitoring.
Ultimately, Kerberoasting is not just a technical risk—it’s a sign of deeper weaknesses in identity and access management. Addressing it requires not only the right tools but also the right mindset toward securing your Active Directory infrastructure.