Kerberoasting is an attack technique against Kerberos authentication in Active Directory environments. It allows any authenticated domain user to request service tickets for accounts with Service Principal Names (SPNs) and then crack those tickets offline to recover plaintext passwords. The attack exploits the fact that the service portion of a TGS ticket is encrypted with a key derived from the service account's password, so a weak password can be brute-forced without ever touching the domain controller again.
An attacker with valid domain credentials enumerates accounts that have SPNs registered in Active Directory. They then request TGS tickets for those service accounts through normal Kerberos protocol operations, which raises no alarms since this is standard authentication behavior. The encrypted portion of each ticket is extracted and fed into offline cracking tools such as Hashcat or John the Ripper. If the service account uses a weak or commonly used password, the attacker recovers the plaintext credential. Service accounts often have elevated privileges, giving the attacker significant lateral movement capability.
Kerberoasting is one of the most effective privilege escalation techniques in Active Directory because it requires no special privileges beyond basic domain authentication. Service accounts frequently have weak passwords and excessive permissions, making them high-value targets. Detection is challenging because the ticket requests appear as legitimate Kerberos traffic. Organizations should enforce long, complex passwords on all service accounts, use Group Managed Service Accounts where possible, and monitor for anomalous TGS request patterns targeting multiple SPNs from a single source.
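A detection check of the kind the last paragraph recommends, as an added example (not code from the original page): it scans constructed records in the shape of Windows Security Event ID 4769 ("A Kerberos service ticket was requested") and flags any user/source-IP pair that requests tickets for many distinct SPNs within a short window, also counting how many of those tickets used RC4 (encryption type 0x17), which are the cheapest to crack offline. The pipe-separated layout, the window and the threshold are assumptions for this example.

```python
"""Flag Kerberoasting-style TGS request bursts from 4769-style log records.

The sample records below are constructed for this example. Field order is
timestamp | TargetUserName | ServiceName | IpAddress | TicketEncryptionType,
a simplified form of the real 4769 fields."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "bob" requests five different SPNs in four seconds,
# all with RC4; "alice" and "carol" show ordinary single-service access.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01|alice|CIFS/fs01|10.0.0.5|0x12
2024-05-01T09:00:03|alice|HTTP/intranet|10.0.0.5|0x12
2024-05-01T09:15:00|bob|MSSQLSvc/db01:1433|10.0.0.9|0x17
2024-05-01T09:15:01|bob|HTTP/reporting|10.0.0.9|0x17
2024-05-01T09:15:01|bob|CIFS/backup01|10.0.0.9|0x17
2024-05-01T09:15:02|bob|ldap/dc01|10.0.0.9|0x17
2024-05-01T09:15:03|bob|svc_sharepoint|10.0.0.9|0x17
2024-05-01T10:30:00|carol|CIFS/fs01|10.0.0.7|0x12
"""

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC tickets


def parse_events(text):
    """Parse the constructed pipe-separated records into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, spn, ip, etype = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "spn": spn, "ip": ip, "etype": int(etype, 16)})
    return events


def detect_kerberoast(events, window=timedelta(minutes=5), min_spns=4):
    """Return alerts keyed by (user, ip) for any source that requested tickets
    for at least min_spns distinct SPNs inside one sliding time window."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_source[(e["user"], e["ip"])].append(e)
    alerts = {}
    for src, evs in by_source.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            spns = {e["spn"] for e in in_window}
            if len(spns) >= min_spns:
                alerts[src] = {
                    "distinct_spns": len(spns),
                    "rc4_requests": sum(e["etype"] == RC4_HMAC for e in in_window),
                }
                break  # one alert per source is enough
    return alerts
```

In production the same logic runs over events exported from the domain controllers' Security log; tune the window and threshold to the environment's normal service-ticket volume.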