Identifying Kerberoastable Service Accounts Brief
What It Is
A targeted discovery technique that identifies user-based accounts with Service Principal Names (SPNs) in AD — the accounts whose TGS tickets can be requested and cracked offline. This step determines whether Kerberoasting will be productive and where to focus the effort.
Preconditions
Any authenticated domain user. SPNs are stored as attributes readable by any user via LDAP. No elevated privileges required to enumerate every SPN in the directory.
Attacker Gain
A prioritized target list: for each SPN-bearing user account, the attacker assesses group memberships (privilege level), pwdLastSet (password age), account status (active/disabled), and SPN value (service role). A Domain Admin service account with a 3-year-old password is a critical target; a low-privilege account with a recent rotation is noise.
Key Distinctions
- User accounts vs computer accounts — only user-based SPNs are viable targets; computer passwords are 120+ characters and uncrackable
- SPN = targeting signal — its presence means the KDC will issue a crackable TGS ticket for that account
- pwdLastSet — accounts unchanged for years are higher-priority cracking targets
- gMSAs — auto-rotated 120-char passwords; not Kerberoastable; their presence indicates mature account management
- Targeted Kerberoasting — if you have write access (GenericAll/GenericWrite), you can set an SPN on any account
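The prioritization described under Attacker Gain and the distinctions above, turned around into a defender's remediation audit, as an added example that is not part of this brief: it takes the LDAP attributes the brief names (objectClass, servicePrincipalName, userAccountControl, pwdLastSet, memberOf), discards computer and gMSA objects and disabled accounts, and ranks the remaining user-based SPN accounts by privilege and password age. The privileged-group watch-list, the 365-day staleness threshold and the sample directory objects are constructed assumptions, not values from the page.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # pwdLastSet is 100-ns ticks since then
UAC_ACCOUNTDISABLE = 0x0002                                  # userAccountControl bit
STALE_DAYS = 365                                             # assumed rotation threshold for this audit
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed watch-list
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def assess(entry: dict, now: datetime):  # returns a finding dict, or None if not Kerberoastable
    classes = set(entry.get("objectClass", []))
    if not entry.get("servicePrincipalName"):
        return None                     # no SPN: the KDC has no service ticket to issue for it
    if "computer" in classes or "msDS-GroupManagedServiceAccount" in classes:
        return None                     # machine and gMSA passwords: 120-char random, auto-rotated
    if entry.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE:
        return None                     # disabled accounts get no TGS
    ft = entry.get("pwdLastSet", 0)     # 0 = never set / must change at next logon: treat as maximally stale
    age_days = (now - filetime_to_datetime(ft)).days if ft else 10**6
    privileged = bool(PRIVILEGED_GROUPS & set(entry.get("memberOf", [])))
    stale = age_days >= STALE_DAYS
    priority = ("critical" if privileged and stale else "high" if privileged
                else "medium" if stale else "low")
    return {"sam": entry["sAMAccountName"], "priority": priority, "privileged": privileged,
            "password_age_days": age_days, "spns": list(entry["servicePrincipalName"])}

def audit(entries: list, now: datetime) -> list:  # most urgent remediation first
    findings = [f for e in entries if (f := assess(e, now)) is not None]
    return sorted(findings, key=lambda f: (RANK[f["priority"]], -f["password_age_days"]))

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)      # constructed reference time for the sample
ago = lambda days: datetime_to_filetime(NOW - timedelta(days=days))
SAMPLE = [  # constructed directory objects, not real accounts
    {"sAMAccountName": "svc_sql", "objectClass": ["user"], "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"], "memberOf": ["Domain Admins"], "pwdLastSet": ago(1100)},
    {"sAMAccountName": "svc_web", "objectClass": ["user"], "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.corp.example"], "memberOf": [], "pwdLastSet": ago(10)},
    {"sAMAccountName": "WS01$", "objectClass": ["user", "computer"], "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/ws01.corp.example"], "pwdLastSet": ago(0)},
    {"sAMAccountName": "gmsa_app$", "objectClass": ["user", "computer", "msDS-GroupManagedServiceAccount"],
     "userAccountControl": 0x1000, "servicePrincipalName": ["HTTP/app01.corp.example"], "pwdLastSet": ago(0)},
    {"sAMAccountName": "svc_legacy", "objectClass": ["user"], "userAccountControl": 0x202,  # disabled
     "servicePrincipalName": ["CIFS/old01.corp.example"], "pwdLastSet": ago(2000)},
]
```

Running `audit(SAMPLE, NOW)` yields only svc_sql (critical: Domain Admin, password three years old) and svc_web (low); the computer, gMSA and disabled objects are dropped, which is exactly the narrowing the brief describes.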
Stakeholder Explanation
Before cracking service account passwords, an attacker identifies which accounts are vulnerable and which would grant the most access. Any employee-level account can query your directory for this information. The fix is converting to automatically managed passwords (gMSAs) and enforcing strong, regularly rotated passwords on the rest.
Common Pitfalls
- Jumping to Kerberoasting without target prioritization — running tools with defaults shows tool knowledge, not operator judgment
- Not distinguishing user-based from computer-based SPNs — computer accounts are not viable targets
- Treating all Kerberoastable accounts as equally valuable — assess both crackability and impact
- Ignoring gMSA presence — it narrows the target set and signals environment maturity