
Kerberoasting Attack Chain

Kerberoasting remains one of the most reliable privilege-escalation primitives in modern Active Directory. This research walks the full attack chain — from minimal domain access to crackable service-account hashes — and pairs each step with the detection opportunity defenders should be wiring up.

Overview

Kerberoasting abuses a legitimate Kerberos design decision: any authenticated user can request a service ticket (TGS) for any account with a registered servicePrincipalName. The returned TGS is encrypted with a key derived from the service account's password (its NTLM hash when RC4-HMAC is negotiated), which allows an offline brute-force against the password without ever interacting with the account directly.

Attack Chain

  1. Foothold: any low-privileged domain user account.
  2. SPN discovery: enumerate accounts with SPNs via LDAP or PowerView.
  3. Ticket request: request TGS tickets for high-value SPNs.
  4. Extraction: dump tickets in Hashcat-compatible format.
  5. Cracking: offline brute-force with rule-based attacks.
  6. Pivot: use cracked credentials for lateral or vertical movement.

Representative tooling — Impacket from a Linux pivot:

impacket-GetUserSPNs -request \
    -dc-ip <dc-ip> \
    <domain>/<user>:<password>

And cracking with Hashcat:

hashcat -m 13100 -a 0 hashes.txt rockyou.txt -r rules/best64.rule

Detection Telemetry

  • Event ID 4769 on domain controllers — focus on RC4-HMAC tickets (encryption type 0x17) and unusual ServiceName patterns.
  • Single source workstation requesting many distinct service tickets in a short window.
  • Service tickets requested for high-value SPNs by accounts with no business need.
  • Honey SPN accounts wired straight to high-fidelity alerts.
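The telemetry above maps onto three rules: RC4-HMAC (0x17) tickets for non-machine service accounts, a burst of distinct service names from one client in a short window, and any touch of a honey SPN. The following is an added example, not part of the original writeup, that runs those rules over constructed 4769-style records (field names mirror the TicketEncryptionType, ServiceName, IpAddress and TargetUserName fields a SIEM normalises; the honey account name and all sample values are assumed):

```python
"""Toy Kerberoasting detector over Security event 4769 records.
Added example with constructed data; not the writeup's own code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = 0x17                           # TicketEncryptionType for RC4-HMAC
HONEY_ACCOUNTS = {"svc_legacy_backup"}    # assumed honey SPN account (hypothetical)

# Constructed sample records, not real telemetry. One client requests six
# RC4 tickets in seconds (one of them the honey SPN); two others are benign.
SAMPLE_4769 = [
    {"t": "2024-03-01T09:00:01", "user": "jdoe",   "ip": "::ffff:10.0.5.21", "service": "svc_sql",           "etype": "0x17"},
    {"t": "2024-03-01T09:00:02", "user": "jdoe",   "ip": "::ffff:10.0.5.21", "service": "svc_web",           "etype": "0x17"},
    {"t": "2024-03-01T09:00:03", "user": "jdoe",   "ip": "::ffff:10.0.5.21", "service": "svc_sccm",          "etype": "0x17"},
    {"t": "2024-03-01T09:00:04", "user": "jdoe",   "ip": "::ffff:10.0.5.21", "service": "svc_exchange",      "etype": "0x17"},
    {"t": "2024-03-01T09:00:05", "user": "jdoe",   "ip": "::ffff:10.0.5.21", "service": "svc_backup",        "etype": "0x17"},
    {"t": "2024-03-01T09:00:06", "user": "jdoe",   "ip": "::ffff:10.0.5.21", "service": "svc_legacy_backup", "etype": "0x17"},
    {"t": "2024-03-01T09:15:00", "user": "asmith", "ip": "::ffff:10.0.7.8",  "service": "FILESRV01$",        "etype": "0x12"},
    {"t": "2024-03-01T10:30:00", "user": "bjones", "ip": "::ffff:10.0.9.3",  "service": "svc_sql",           "etype": "0x12"},
]


def parse(record):
    """Normalise one raw record: ISO time, bare IPv4, integer etype."""
    return {
        "t": datetime.fromisoformat(record["t"]),
        "user": record["user"],
        "ip": record["ip"].removeprefix("::ffff:"),   # 4769 logs IPv4 as v4-mapped v6
        "service": record["service"],
        "etype": int(record["etype"], 16),
    }


def is_user_service(service):
    """Machine accounts (trailing $) and krbtgt use long random keys; skip them."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect(records, window=timedelta(minutes=5), burst_threshold=5):
    """Return a list of (rule, client_ip, user, detail) alerts."""
    alerts = []
    recent = defaultdict(deque)   # client_ip -> deque of (time, service) in window
    burst_alerted = set()         # alert once per client per run, not once per event

    for ev in sorted((parse(r) for r in records), key=lambda e: e["t"]):
        # Rule 1: RC4-HMAC ticket for a user-type service account
        if ev["etype"] == RC4_HMAC and is_user_service(ev["service"]):
            alerts.append(("rc4_tgs", ev["ip"], ev["user"], ev["service"]))

        # Rule 2: any ticket for a honey SPN is high fidelity by construction
        if ev["service"] in HONEY_ACCOUNTS:
            alerts.append(("honey_spn", ev["ip"], ev["user"], ev["service"]))

        # Rule 3: many distinct services from one client inside the sliding window
        q = recent[ev["ip"]]
        q.append((ev["t"], ev["service"]))
        while q and ev["t"] - q[0][0] > window:
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= burst_threshold and ev["ip"] not in burst_alerted:
            burst_alerted.add(ev["ip"])
            alerts.append(("tgs_burst", ev["ip"], ev["user"],
                           f"{len(distinct)} distinct SPNs within {window}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, handy for tuning thresholds."""
    counts = defaultdict(int)
    for rule, *_ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_4769):
        print(alert)
```

The RC4 rule fires per ticket, the burst rule once per client, so a single roasting run shows up as one burst alert plus N RC4 alerts; the benign AES requests from the other two clients produce nothing. Tune the window and threshold against a baseline of your own 4769 volume before routing to on-call.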

Hardening Recommendations

  1. Force AES-only encryption on service accounts (msDS-SupportedEncryptionTypes) — eliminates the RC4-HMAC fast path.
  2. Use group Managed Service Accounts (gMSA) wherever possible — passwords are 240-character random and rotated automatically.
  3. Audit and remove unnecessary SPNs.
  4. Enforce strong, unique passwords (≥25 chars) on remaining service accounts.
  5. Deploy honey SPNs and tune the SIEM detections above to high fidelity.

Defender takeaway: The attack is cheap because the request is legitimate. The crack is what makes it expensive: strong passwords + AES-only => Kerberoasting becomes economically unviable.
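Recommendations 1 through 4 reduce to an audit over every account that carries an SPN: is RC4 (or DES) still negotiable via msDS-SupportedEncryptionTypes, is the account a gMSA, and how old is the password. The following is an added example, not the writeup's own code, that runs that audit over a constructed export of the relevant attributes (the attribute names and the bit values DES-CBC-CRC=0x1, DES-CBC-MD5=0x2, RC4-HMAC=0x4, AES128=0x8, AES256=0x10 are the real ones; the account records and the one-year password-age policy are assumed):

```python
"""Audit SPN-bearing accounts for Kerberoasting exposure.
Added example over constructed data; not the writeup's own code."""
from datetime import datetime, timedelta

# Bit values of msDS-SupportedEncryptionTypes
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
LEGACY = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
AES_ONLY = AES128 | AES256          # 0x18: the value hardening step 1 sets
GMSA_CLASS = "msDS-GroupManagedServiceAccount"

# Constructed sample export (what a directory query for these attributes
# might return); names, dates and values are assumed, not real accounts.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql",    "objectClass": "user", "servicePrincipalName": ["MSSQLSvc/db01:1433"],
     "msDS-SupportedEncryptionTypes": 0x1C, "pwdLastSet": "2019-06-01"},
    {"sAMAccountName": "svc_web",    "objectClass": "user", "servicePrincipalName": ["HTTP/intranet"],
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": "2024-01-15"},
    {"sAMAccountName": "svc_report", "objectClass": "user", "servicePrincipalName": ["HTTP/reports"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": "2024-02-01"},
    {"sAMAccountName": "gmsa_bkp$",  "objectClass": GMSA_CLASS, "servicePrincipalName": ["backup/bkp01"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": "2024-02-20"},
    {"sAMAccountName": "jdoe",       "objectClass": "user", "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": "2023-11-02"},
]


def decode_etypes(value):
    """Translate the bitmask into the set of enabled encryption type names."""
    names = {DES_CBC_CRC: "DES-CBC-CRC", DES_CBC_MD5: "DES-CBC-MD5",
             RC4_HMAC: "RC4-HMAC", AES128: "AES128", AES256: "AES256"}
    return {name for bit, name in names.items() if value & bit}


def audit(accounts, now, max_pw_age=timedelta(days=365)):
    """Return (account, finding, detail) tuples for roastable exposure."""
    findings = []
    for acct in accounts:
        sam = acct["sAMAccountName"]
        if not acct.get("servicePrincipalName"):
            continue                    # no SPN: a TGS cannot be requested for it
        if acct["objectClass"] == GMSA_CLASS:
            continue                    # gMSA: long random password, auto-rotated

        etypes = acct.get("msDS-SupportedEncryptionTypes")
        if not etypes:
            # Unset/0: the DC applies the domain default, which has historically
            # included RC4, so the account is not pinned to AES.
            findings.append((sam, "etypes_unset", f"set msDS-SupportedEncryptionTypes to {AES_ONLY:#x}"))
        elif etypes & LEGACY:
            enabled = sorted(decode_etypes(etypes) & decode_etypes(LEGACY))
            findings.append((sam, "legacy_etype_allowed", ", ".join(enabled)))

        age = now - datetime.fromisoformat(acct["pwdLastSet"])
        if age > max_pw_age:
            findings.append((sam, "stale_password", f"{age.days} days old"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS, now=datetime(2024, 3, 1)):
        print(finding)
```

The order of checks matches the recommendation list: anything without an SPN or already a gMSA drops out first, then encryption types, then password age. An account that passes all three (svc_report here) is still worth a look under step 3, since the cheapest fix for an unneeded SPN is removal.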