What is Kerberoasting?
Kerberoasting extracts service account password hashes from Active Directory for offline cracking. Learn how this common lateral movement technique works and how to defend against it.
How Kerberoasting Works
Kerberos authentication allows any authenticated user to request a service ticket for any service registered with a Service Principal Name in Active Directory. The service ticket is encrypted with the service account's password hash. An attacker who has initial domain access requests service tickets for all accounts with SPNs, receives encrypted tickets, and then attempts to crack the encryption offline to recover the plaintext passwords.
The offline nature of the attack is significant: the cracking occurs on attacker-controlled hardware, using GPU-accelerated password cracking tools, without generating authentication failures in the target environment. The only observable activity in Active Directory logs is service ticket requests, which occur constantly during normal operations and are difficult to distinguish from legitimate requests.
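Because the only trace in the domain is a run of service ticket requests, detection has to look at the shape of those requests rather than at individual events. The following is an added example (not from the original page or from Cloudskope) that scans constructed Windows Security event 4769 records and flags two patterns a Kerberoasting run tends to leave: one account requesting tickets for many distinct SPNs in a short window, and tickets requested with RC4 encryption (etype 0x17), the weakest type and the one cracking tools prefer. Field names follow event 4769; the one-line-per-event layout, the sample data and the thresholds are assumptions.

```python
"""Flag Kerberoasting-like patterns in Windows Security event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data. TargetUserName is the account
# requesting the ticket, ServiceName the SPN account, and
# TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96.
SAMPLE_4769 = """\
2024-05-01T09:00:01 TargetUserName=alice ServiceName=sql-svc TicketEncryptionType=0x12
2024-05-01T09:00:02 TargetUserName=bob ServiceName=web-svc TicketEncryptionType=0x12
2024-05-01T09:05:00 TargetUserName=carol ServiceName=sql-svc TicketEncryptionType=0x17
2024-05-01T09:05:01 TargetUserName=carol ServiceName=web-svc TicketEncryptionType=0x17
2024-05-01T09:05:01 TargetUserName=carol ServiceName=backup-svc TicketEncryptionType=0x17
2024-05-01T09:05:02 TargetUserName=carol ServiceName=sccm-svc TicketEncryptionType=0x17
2024-05-01T09:05:03 TargetUserName=carol ServiceName=erp-svc TicketEncryptionType=0x17
2024-05-01T10:30:00 TargetUserName=bob ServiceName=sql-svc TicketEncryptionType=0x12
"""

RC4_ETYPE = "0x17"


def parse_4769(text):
    """Parse the constructed one-line-per-event format into tuples."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(ts), f["TargetUserName"],
                       f["ServiceName"], f["TicketEncryptionType"]))
    return events


def find_kerberoast_candidates(events, min_services=4, window=timedelta(minutes=5)):
    """Return {user: [reasons]} for accounts that requested RC4 tickets or
    tickets for >= min_services distinct SPNs inside one sliding window.
    Both signals need triage: legacy systems still negotiate RC4, and
    monitoring or inventory tools can legitimately touch many SPNs."""
    by_user = defaultdict(list)
    for ts, user, svc, etype in events:
        by_user[user].append((ts, svc, etype))
    findings = {}
    for user, reqs in by_user.items():
        reqs.sort()
        reasons = set()
        if any(etype == RC4_ETYPE for _, _, etype in reqs):
            reasons.add("rc4_ticket_request")
        for i, (start, _, _) in enumerate(reqs):
            svcs = {svc for ts, svc, _ in reqs[i:] if ts - start <= window}
            if len(svcs) >= min_services:
                reasons.add("spn_burst")
                break
        if reasons:
            findings[user] = sorted(reasons)
    return findings


if __name__ == "__main__":
    print(find_kerberoast_candidates(parse_4769(SAMPLE_4769)))
```

In production the same logic runs over 4769 events pulled from domain controllers (via SIEM or event forwarding); tuning min_services and the window against a baseline of normal ticket volume is what keeps the alert useful.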
Service Account Vulnerabilities
Service accounts are disproportionately vulnerable to Kerberoasting for two reasons: they frequently have weak passwords set years ago that have never been rotated, and they frequently have excessive privileges accumulated over time. A service account with Domain Admin privileges and a password set in 2018 that has never been changed represents one of the highest-value targets in an Active Directory environment. Kerberoasting these accounts provides high-privilege credentials that enable complete domain compromise.
Defense Against Kerberoasting
The primary defenses are password length and complexity for service accounts, and managed service accounts that automatically rotate their passwords. Service accounts with passwords of 25 characters or more are computationally impractical to crack through Kerberoasting regardless of GPU resources. Microsoft Group Managed Service Accounts automatically rotate service account passwords and are the recommended approach for new service account deployments. Restricting service account privileges to the minimum necessary eliminates the value of any accounts that are successfully cracked.
Real-World Example: Kerberoasting in Ransomware Campaigns
Cloudskope's Active Directory security assessments consistently find Kerberoasting vulnerabilities in client environments. In one engagement for a PE-backed manufacturing company, 23 service accounts were found vulnerable, including three with Domain Admin privileges and passwords that had not been rotated in over four years. During the assessment's penetration testing phase, all 23 passwords were cracked within 48 hours using standard GPU resources. The finding represented a complete domain compromise path from any standard user account.
Of enterprise Active Directory environments contain at least one service account vulnerable to Kerberoasting — meaning most organizations have credentials that can be extracted and cracked offline by any authenticated domain user.