BIPI

Kerberoasting from Zero to Domain Admin: Practical AD Attack Path

Cybersecurity

A field guide to Kerberoasting in modern AD estates, from SPN discovery and ticket extraction to hashcat cracking, OPSEC, and the controls that actually stop it.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 26, 2024 · 11 min read

#active-directory #kerberos #red-team #pentest

Kerberoasting is the cheapest Domain Admin path in most Windows estates. Any authenticated user can request service tickets for accounts with a Service Principal Name, take those tickets offline, and crack the password material at leisure. No exploit, no elevation, no shell. Just RFC-compliant Kerberos behaviour.

We still see it work on the first day of nearly every internal engagement. This post walks through the attack the way we run it on real networks, including the enumeration, ticket extraction, cracking choices, and the controls that actually move the needle.

  • 78%: internal engagements with at least one crackable SPN
  • 11h: median crack time for a 9-char service account
  • 0: privileges required to request a ticket

Step 1: Find SPNs without alerting anyone

Kerberoastable accounts are any user objects with a non-null servicePrincipalName attribute. From a low-privilege foothold, the simplest path is an LDAP query. PowerView, ldapsearch, or a quiet impacket GetUserSPNs call all produce the same list.

  • GetUserSPNs.py corp.local/lowuser:Password1 -dc-ip 10.0.0.10
  • Rubeus.exe kerberoast /stats for distribution and password age
  • ldapsearch with (&(samAccountType=805306368)(servicePrincipalName=*)) for stealthier recon

Filter aggressively. Accounts with PasswordLastSet older than five years are usually legacy SQL or vendor service accounts, and those are the ones that crack.

Step 2: Request and extract tickets

Once you have a target list, request TGS-REP tickets for each SPN. Impacket and Rubeus both produce hashcat-ready output. Prefer RC4 (etype 23) where possible because it cracks orders of magnitude faster than AES, and many service accounts still have msDS-SupportedEncryptionTypes leaving RC4 enabled.

  • GetUserSPNs.py -request -outputfile spns.hash -usersfile targets.txt
  • Rubeus.exe kerberoast /outfile:spns.hash /nowrap /aes (to also pull AES if RC4 is disabled)
  • Avoid /tgtdeleg on monitored hosts; it leaves a delegated TGT in lsass

Step 3: Crack offline

Use hashcat mode 13100 for RC4 and 19700 for AES256. A modern GPU rig chews through ten million guesses per second on RC4. Start with a tuned wordlist plus best64 rules, then escalate to OneRuleToRuleThemAll and hybrid masks. Most successful cracks land on a season plus year, a product name plus a digit, or a vendor default that was never rotated.

If a service account was set ten years ago and never rotated, the password is almost always crackable. Length policy on humans does not save service accounts.

Step 4: Use the cracked credential

A cracked service account often has rights that are wildly disproportionate to its job. We routinely find them in Domain Admins, in DCSync-capable groups, or with WriteDACL across an OU. BloodHound the credential before you do anything noisy. The Kerberoast edge plus a Shortest Path To Domain Admins query usually shows the next two hops in advance.

Detection surface

Kerberoasting is detectable but rarely detected. The signal is Event ID 4769 with ticket encryption type 0x17 (RC4) from a workstation source IP, fired against many service accounts in a short window. Most SIEM rules require both the RC4 marker and a volume threshold. Attackers who request one ticket per hour stay below most thresholds.
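The detection logic described here, and restated as control 4 in the list below (etype 0x17, more than 8 distinct SPNs within 5 minutes, non-DC sources only), written out as an added example. This is not code from the original post; it runs over constructed, simplified 4769 records (timestamp, source IP, service name, encryption type) instead of raw Windows event XML, and the DC address list is an assumption. It also includes the slow one-ticket-per-hour requester the text mentions, to show that the threshold alone does not catch it.

```python
"""Sliding-window detection for the Kerberoasting signal in Event ID 4769.

Added example, not part of the original post. Input records are constructed
and simplified to "TimeCreated|IpAddress|ServiceName|TicketEncryptionType".
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                   # TicketEncryptionType for RC4-HMAC (etype 23)
WINDOW = timedelta(minutes=5)     # correlation window from the post's control 4
SPN_THRESHOLD = 8                 # alert when distinct SPNs in WINDOW exceed this
DC_SOURCES = {"10.0.0.10"}        # assumption: domain controller IPs to exclude

BASE = datetime(2024, 11, 26, 9, 0, 0)


def _ev(offset_s, ip, spn, etype):
    """Build one constructed 4769 record offset_s seconds after BASE."""
    return f"{(BASE + timedelta(seconds=offset_s)).isoformat()}|{ip}|{spn}|{etype:#x}"


# Constructed sample: one noisy requester, one DC, one AES-only host,
# one slow requester and one benign user.
SAMPLE_4769 = (
    # burst: a workstation pulls 10 RC4 tickets for distinct SPNs in ~3 minutes
    [_ev(20 * i, "10.0.5.23", f"svc_app{i:02d}", 0x17) for i in range(10)]
    # same burst sourced from a DC: excluded as DC traffic
    + [_ev(20 * i, "10.0.0.10", f"svc_app{i:02d}", 0x17) for i in range(10)]
    # AES (etype 0x12) tickets in volume: not the RC4 signal
    + [_ev(20 * i, "10.0.5.31", f"svc_app{i:02d}", 0x12) for i in range(10)]
    # slow requester: one RC4 ticket per hour stays under the threshold
    + [_ev(3600 * i, "10.0.5.40", f"svc_app{i:02d}", 0x17) for i in range(10)]
    # benign: a user touching two services
    + [_ev(0, "10.0.5.50", "svc_sql", 0x17), _ev(30, "10.0.5.50", "svc_web", 0x17)]
)


def parse_event(line):
    """Split a constructed record into (datetime, ip, spn, etype as int)."""
    ts, ip, spn, etype = line.split("|")
    return datetime.fromisoformat(ts), ip, spn, int(etype, 16)


def detect_kerberoast(lines, window=WINDOW, threshold=SPN_THRESHOLD,
                      dc_sources=DC_SOURCES):
    """Return {source_ip: (window_start, distinct_spn_count)} for each source
    that requested RC4 tickets for more than `threshold` distinct SPNs within
    `window`. DC sources are ignored entirely."""
    by_source = defaultdict(list)
    for line in lines:
        ts, ip, spn, etype = parse_event(line)
        if etype != RC4_HMAC or ip in dc_sources:
            continue
        by_source[ip].append((ts, spn))

    alerts = {}
    for ip, reqs in by_source.items():
        reqs.sort()                       # sliding window needs time order
        for i, (start, _) in enumerate(reqs):
            spns = {spn for ts, spn in reqs[i:] if ts - start <= window}
            if len(spns) > threshold:
                alerts[ip] = (start, len(spns))
                break                     # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, (start, count) in detect_kerberoast(SAMPLE_4769).items():
        print(f"ALERT {ip}: {count} distinct RC4 SPNs from {start.isoformat()}")
```

Only 10.0.5.23 is flagged. The host requesting one ticket per hour never accumulates more than one SPN per window, which is exactly the gap the paragraph above describes; closing it requires a longer baseline (distinct SPNs per source per day) or the AES-only and SPN hygiene controls below, not a tighter threshold.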

What actually stops it

  1. Replace privileged service accounts with Group Managed Service Accounts (gMSAs). gMSAs auto-rotate 240-bit passwords every 30 days and cannot be Kerberoasted at human-crackable cost.
  2. Force AES-only via msDS-SupportedEncryptionTypes = 0x18 on every service account that supports it.
  3. Audit servicePrincipalName values on privileged accounts. A Domain Admin should never have an SPN.
  4. Detection: 4769 with etype 0x17 plus distinct SPN count over 8 in 5 minutes, scoped to non-DC sources.
  5. Rotate legacy service account passwords on a 12-month cadence and enforce 25+ character length.
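Controls 2, 3 and 5 are things an audit script can check directly from the attributes this post already names (servicePrincipalName, msDS-SupportedEncryptionTypes, PasswordLastSet, group membership). The following is an added example, not code from the original post or from any tool it mentions: it decodes the msDS-SupportedEncryptionTypes bit flags and applies the three checks to constructed account records instead of a live LDAP query. The privileged group names, the fixed audit date and the sample accounts are assumptions.

```python
"""Service-account hygiene audit for the SPN, encryption-type and password-age
controls above.

Added example, not part of the original post. Records are constructed dicts
shaped like the LDAP attributes; pwdLastSet is a Windows FILETIME (100 ns
intervals since 1601-01-01 UTC), as it is in the directory.
"""
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS = 0x08
AES256_CTS = 0x10
AES_ONLY = AES128_CTS | AES256_CTS      # 0x18, the value the post recommends

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumption
MAX_PASSWORD_AGE = timedelta(days=365)  # the 12-month cadence from control 5
NOW = datetime(2024, 11, 26, tzinfo=timezone.utc)   # fixed audit date for reproducibility

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, integer-exact (used to build samples)."""
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample accounts
SAMPLE_ACCOUNTS = [
    {   # legacy SQL account: RC4 still allowed, never rotated, and a Domain Admin
        "sAMAccountName": "svc_sql",
        "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
        "msDS-SupportedEncryptionTypes": RC4_HMAC | AES_ONLY,   # 0x1C
        "pwdLastSet": datetime_to_filetime(_utc(2014, 2, 3)),
        "memberOf": ["Domain Admins"],
    },
    {   # well-kept web account: AES only, rotated this year, no privileged groups
        "sAMAccountName": "svc_web",
        "servicePrincipalName": ["HTTP/web01.corp.local"],
        "msDS-SupportedEncryptionTypes": AES_ONLY,
        "pwdLastSet": datetime_to_filetime(_utc(2024, 6, 1)),
        "memberOf": [],
    },
    {   # vendor account with the attribute unset: RC4 is not disabled
        "sAMAccountName": "svc_legacy",
        "servicePrincipalName": ["vendorapp/app01.corp.local"],
        "msDS-SupportedEncryptionTypes": None,
        "pwdLastSet": datetime_to_filetime(_utc(2019, 3, 1)),
        "memberOf": [],
    },
    {   # ordinary user without an SPN: not Kerberoastable, skipped
        "sAMAccountName": "jdoe",
        "servicePrincipalName": [],
        "msDS-SupportedEncryptionTypes": None,
        "pwdLastSet": datetime_to_filetime(_utc(2024, 10, 1)),
        "memberOf": ["Domain Admins"],
    },
]


def audit_service_accounts(accounts, now=NOW, max_age=MAX_PASSWORD_AGE):
    """Return {sAMAccountName: [finding, ...]} for SPN-bearing accounts that
    violate one of the three controls. Accounts without findings are omitted."""
    findings = {}
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue                      # no SPN: control 3 is about these only
        issues = []
        enc = acct.get("msDS-SupportedEncryptionTypes")
        # Unset (None) or 0 does not disable RC4, so treat it like the RC4 bit.
        if not enc or enc & RC4_HMAC:
            issues.append("rc4-enabled")
        if enc and enc & (DES_CBC_CRC | DES_CBC_MD5):
            issues.append("des-enabled")
        if PRIVILEGED_GROUPS & set(acct.get("memberOf", [])):
            issues.append("spn-on-privileged-account")
        if now - filetime_to_datetime(acct["pwdLastSet"]) > max_age:
            issues.append("password-older-than-12-months")
        if issues:
            findings[acct["sAMAccountName"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_service_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(issues)}")
```

In a real estate the records come from an LDAP query using the same filter the post gives for discovery, (&(samAccountType=805306368)(servicePrincipalName=*)), so the defender's audit and the attacker's enumeration start from the identical list; the difference is that the audit also reads the encryption-type and group attributes and acts on them before anyone requests a ticket.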

Kerberoasting is not a clever attack. It is a configuration debt that has compounded for two decades across most Windows estates. The vulnerability is operational, not technical, and so is the fix.
