Understanding Kerberoasting: Techniques for Exploiting Service Accounts in Active Directory
- May 3

Kerberoasting is a powerful attack technique targeting service accounts in Active Directory (AD). It allows attackers to request Kerberos tickets encrypted with the NTLM hash of service account passwords. These tickets can then be cracked offline, bypassing account lockout policies and exposing sensitive credentials. This post explains how Kerberoasting works, the key elements that make accounts vulnerable, and practical steps attackers use to exploit this weakness. Understanding these details helps defenders better protect their environments.
What Makes Service Accounts Vulnerable to Kerberoasting
Kerberoasting targets user accounts configured as service accounts. These accounts have the servicePrincipalName (SPN) attribute set. The SPN links the account to a service running on a server, such as an IIS web service or SQL Server. When a domain user requests a Kerberos ticket for that service, the ticket is encrypted using the NTLM hash of the service account’s password.
Key points about vulnerable accounts:
Only accounts with the servicePrincipalName attribute set are susceptible.
These accounts often run services and may have high privileges.
The password hash used for ticket encryption can be cracked offline without triggering account lockouts.
Attackers focus on enumerating these accounts to identify potential targets for Kerberoasting.
How Attackers Identify Vulnerable Accounts
Attackers use various tools and commands to find accounts with SPNs. Here are some common methods:
PowerShell Enumeration
Using built-in PowerShell commands, attackers can extract accounts with SPNs:
Import-Module ActiveDirectory
# Get-ADObject needs a filter, and servicePrincipalName/cn are not returned unless
# requested with -Properties; without both, the original pipeline returns nothing.
Get-ADObject -Filter { servicePrincipalName -like "*" } -Properties servicePrincipalName, cn |
    Where-Object {
        $_.distinguishedName -like "*,CN=Users,*" -and   # restrict to the Users container
        $_.cn -ne "krbtgt"                              # exclude the KDC's own account
    }
This command filters out the krbtgt account and focuses on user accounts in the Users container.
Setspn Utility
The native Windows tool setspn can also query SPNs across the domain.
Linux Tools like bloodyAD
On Linux, attackers may use tools like bloodyAD to perform LDAP queries:
# Double quotes are required here: single quotes would pass the literal text '$user'
# instead of the variable's value. samAccountType=805306368 selects user objects.
python bloodyAD.py -u "$user" -p "$password" -d "$domain" --host "$host" \
  get search \
  --filter '(&(!(cn=krbtgt))(&(samAccountType=805306368)(servicePrincipalName=*)))' \
  --attr sAMAccountName | grep sAMAccountName | cut -d ' ' -f 2
This variety of methods allows attackers to gather a list of accounts that can be targeted for Kerberoasting.
Requesting and Extracting Kerberos Tickets
Once attackers identify service accounts with SPNs, they request Kerberos Ticket Granting Service (TGS) tickets for those accounts. These tickets are encrypted with the NTLM hash of the service account’s password and stored in memory.
Example PowerShell snippet to request a ticket:
Add-Type -AssemblyName System.IdentityModel   # loads the .NET assembly that exposes the Kerberos token classes used to request a TGS
The ticket can then be extracted and saved to a file for offline cracking. Attackers often set up a listener to capture the ticket data.
This approach avoids triggering account lockouts because the cracking happens offline, away from the domain controller.
Cracking Kerberos Tickets Offline
The extracted ticket contains the encrypted hash of the service account password. Attackers use password cracking tools such as Hashcat or John the Ripper to recover the plaintext password.
Offline cracking allows attackers to try many password guesses without alerting security systems.
Weak or reused passwords on service accounts increase the chances of success.
Once cracked, attackers gain access to the service account credentials, which often have elevated privileges.
Defending Against Kerberoasting Attacks
Understanding how Kerberoasting works helps defenders reduce risks. Here are practical defense strategies:
Limit SPN Assignments
Only assign SPNs to accounts that absolutely need them. Avoid using high-privilege accounts as service accounts.
Use Strong, Complex Passwords
Service accounts should have long, complex passwords that resist offline cracking.
Monitor for Unusual Ticket Requests
Detect spikes in TGS requests or requests for unusual service accounts.
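The two signals above (a burst of TGS requests from one principal, and requests for unusual service accounts) are both visible in Windows Security event 4769, which domain controllers log when "Audit Kerberos Service Ticket Operations" is enabled. The following is an added example, not code from the original post: it runs two detection rules over constructed 4769-style records. Rule 1 flags service tickets for user-account SPNs issued with RC4 or DES, the ciphers an attacker prefers because they are cheap to crack; rule 2 flags a requester who obtains tickets for many distinct user SPNs inside a short window, which catches enumeration even when AES tickets are requested. The key=value line format, the account names and the thresholds are assumptions for the example; a real deployment would read the fields from the SIEM's parsed event.

```python
"""Detect Kerberoasting indicators in Windows Security event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption type codes as logged in event 4769 (Microsoft's documented values).
ENC_TYPES = {
    0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
}
WEAK_ENC_TYPES = {0x01, 0x03, 0x17, 0x18}

# Constructed sample log lines (not real telemetry): a simplified key=value
# rendering of the 4769 fields a SIEM would expose. Names and addresses are made up.
SAMPLE_EVENTS = [
    "2024-05-03T10:00:01Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=CORP-SQL01$ TicketEncryptionType=0x12 IpAddress=10.0.0.25 Status=0x0",
    "2024-05-03T10:00:03Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.25 Status=0x0",
    "2024-05-03T10:02:10Z EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.77 Status=0x0",
    "2024-05-03T10:02:11Z EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_iis TicketEncryptionType=0x17 IpAddress=10.0.0.77 Status=0x0",
    "2024-05-03T10:02:11Z EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.77 Status=0x0",
    "2024-05-03T10:02:12Z EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x12 IpAddress=10.0.0.77 Status=0x0",
    "2024-05-03T10:02:13Z EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=10.0.0.77 Status=0x0",
    "2024-05-03T11:30:00Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.0.31 Status=0x0",
]


def parse_event(line):
    """Parse one constructed line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["TicketEncryptionType"] = int(ev["TicketEncryptionType"], 16)
    return ev


def is_user_spn(service_name):
    """Kerberoasting needs a user account's SPN: skip krbtgt and computer accounts (trailing $)."""
    return service_name != "krbtgt" and not service_name.endswith("$")


def _successful_user_spn_requests(events):
    return [ev for ev in events
            if ev["EventID"] == "4769" and ev["Status"] == "0x0"
            and is_user_spn(ev["ServiceName"])]


def weak_cipher_findings(events):
    """Rule 1: a TGS for a user-account SPN issued with RC4/DES.
    AES-capable accounts receive AES tickets by default, so an RC4 ticket for a user
    SPN means either the requester asked for RC4 or the account never had AES enabled."""
    return [(ev["TargetUserName"], ev["ServiceName"], ENC_TYPES[ev["TicketEncryptionType"]])
            for ev in _successful_user_spn_requests(events)
            if ev["TicketEncryptionType"] in WEAK_ENC_TYPES]


def burst_findings(events, min_distinct=3, window=timedelta(minutes=5)):
    """Rule 2: one requester obtains tickets for many distinct user SPNs in a short
    window, regardless of cipher. Returns {requester: max distinct SPNs in any window}.
    Thresholds are assumptions; tune them to the environment's baseline."""
    per_requester = defaultdict(list)
    for ev in _successful_user_spn_requests(events):
        per_requester[ev["TargetUserName"]].append((ev["time"], ev["ServiceName"]))
    hits = {}
    for requester, reqs in per_requester.items():
        reqs.sort()
        best = 0
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            best = max(best, len(in_window))
        if best >= min_distinct:
            hits[requester] = best
    return hits


def analyze(lines):
    events = [parse_event(line) for line in lines]
    return {"weak_cipher": weak_cipher_findings(events), "bursts": burst_findings(events)}


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_EVENTS).items():
        print(rule, hits)
```

On the constructed data, rule 1 reports the four RC4 tickets mallory obtained plus bob's single legacy request, and rule 2 reports only mallory (five distinct user SPNs within three seconds). bob's lone RC4 request is the kind of hit that usually turns out to be a legacy application and is why the burst rule is worth running alongside the cipher rule.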
Implement Managed Service Accounts
Use Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs) that automatically manage passwords.
Regularly Audit SPNs and Service Accounts
Identify and remove stale or unnecessary SPNs and accounts.
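The audit, password and managed-account recommendations above reduce to a few checks on each SPN-bearing account: is it a gMSA (in which case the password is random and rotated automatically), does msDS-SupportedEncryptionTypes enable AES so that tickets are not issued under RC4, is the password older than policy allows, and does the account sit in a privileged group. The following is an added example, not code from the original post: it applies those checks to a constructed export of account records. The record layout is a simplification of what Get-ADUser or an LDAP export returns (objectClass is reduced to a single value here), and the 365-day password age and the list of privileged groups are assumptions to adjust for the environment. The bit values of msDS-SupportedEncryptionTypes are Microsoft's documented ones.

```python
"""Audit exported AD user records for Kerberoasting exposure."""
from datetime import datetime, timedelta

# Bit flags of the msDS-SupportedEncryptionTypes attribute (Microsoft's documented values).
ENC_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Account Operators"}
AUDIT_DATE = datetime(2024, 5, 3)   # fixed "now" so the example is reproducible

# Constructed sample export (not from a real directory). A real export would come
# from Get-ADUser -Properties ... or an LDAP search; objectClass is simplified to one value.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": "2021-01-15",
     "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": "2024-03-01",
     "memberOf": []},
    {"sAMAccountName": "gmsa_sql$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["MSSQLSvc/sql02.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": 0x1c, "pwdLastSet": "2024-04-20",
     "memberOf": []},
    {"sAMAccountName": "krbtgt", "objectClass": "user",
     "servicePrincipalName": ["kadmin/changepw"],
     "msDS-SupportedEncryptionTypes": 0x1c, "pwdLastSet": "2019-06-01",
     "memberOf": []},
    {"sAMAccountName": "jdoe", "objectClass": "user",
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": "2024-01-10", "memberOf": []},
]


def decode_enc_types(value):
    """Names of the cipher suites enabled by an msDS-SupportedEncryptionTypes value.
    An unset or zero attribute on a user account means the KDC uses its default,
    which is RC4-HMAC for the service ticket encryption key."""
    if not value:
        return ["RC4-HMAC (attribute unset, domain default)"]
    return [name for bit, name in ENC_FLAGS.items() if value & bit]


def supports_aes(value):
    return bool(value) and bool(value & AES_MASK)


def audit_account(acct, now=AUDIT_DATE, max_pwd_age=timedelta(days=365)):
    """Return the list of findings for one SPN-bearing account (empty list: nothing found).
    Accounts without an SPN, and krbtgt, cannot be Kerberoasted and return None."""
    if not acct["servicePrincipalName"] or acct["sAMAccountName"] == "krbtgt":
        return None
    if acct["objectClass"] == "msDS-GroupManagedServiceAccount":
        return []   # gMSA: random password rotated automatically, which is the recommended fix
    findings = []
    if not supports_aes(acct["msDS-SupportedEncryptionTypes"]):
        findings.append("rc4_only_tickets")
    if now - datetime.strptime(acct["pwdLastSet"], "%Y-%m-%d") > max_pwd_age:
        findings.append("password_older_than_policy")
    if PRIVILEGED_GROUPS & set(acct["memberOf"]):
        findings.append("privileged_group_member")
    return findings


def audit(accounts, now=AUDIT_DATE):
    """Map every SPN-bearing account to its findings, worst offenders first."""
    results = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings is not None:
            results[acct["sAMAccountName"]] = findings
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {findings or 'ok'}")
```

On the constructed export, svc_sql collects all three findings (RC4-only tickets, a three-year-old password, Domain Admins membership) and is exactly the account this post describes as the attacker's preferred target; svc_web and the gMSA come back clean. A useful follow-up after fixing the RC4 finding is to rotate the password, since the old key remains crackable from any ticket captured before the change.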
Summary
Kerberoasting exploits a specific weakness in how Kerberos tickets are encrypted for service accounts with SPNs. Attackers enumerate these accounts, request encrypted tickets, and crack them offline to steal credentials. This method bypasses traditional account lockout protections, making it a stealthy and effective attack.
By understanding the attack flow - from identifying vulnerable accounts to extracting and cracking tickets - security teams can better defend Active Directory environments. Regular audits, strong password policies, and monitoring are key to reducing the risk of Kerberoasting.
Taking proactive steps today helps prevent attackers from gaining a foothold through service account exploitation.