
Kerberoasting Brief

What It Is

Kerberoasting exploits normal Kerberos service ticket issuance to extract encrypted credential material for offline cracking. Any authenticated domain user can request a TGS (service) ticket for any registered SPN, and the encrypted part of that ticket is protected with a key derived from the service account's password. Weak passwords can therefore be recovered entirely offline.

Preconditions

A valid domain user account (any privilege level) and at least one user-based service account with a registered SPN. No elevated privileges, no service access, and no interaction with the target service are required.

Attacker Gain

The plaintext password of one or more service accounts. Impact depends on the account's privileges: a Domain Admin service account = full domain compromise. A low-privilege account = limited access. Cracking is offline — no failed logins, no alerts from traditional monitoring.
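The ticket requests themselves are not invisible: the KDC logs each one as Windows Security Event ID 4769 ("A Kerberos service ticket was requested"). The Python detection below is an added example, not part of this brief; it flags accounts whose successful service-ticket requests cover many distinct SPNs inside a short window (RC4-encrypted tickets only, by default). The sample records, user names, SPNs, field names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records reduced from Event ID 4769. Users, SPNs and
# timestamps are made up; the key=value field names are this script's own.
SAMPLE_4769 = [
    "2024-05-01T09:00:01 user=alice svc=MSSQLSvc/db01.corp.local:1433 etype=0x17 status=0x0",
    "2024-05-01T09:00:02 user=alice svc=HTTP/web01.corp.local etype=0x17 status=0x0",
    "2024-05-01T09:00:02 user=alice svc=CIFS/files01.corp.local etype=0x17 status=0x0",
    "2024-05-01T09:00:03 user=alice svc=MSSQLSvc/db02.corp.local:1433 etype=0x17 status=0x0",
    "2024-05-01T09:00:03 user=alice svc=HTTP/sharepoint.corp.local etype=0x17 status=0x0",
    "2024-05-01T09:00:04 user=alice svc=svc_backup/bk01.corp.local etype=0x17 status=0x0",
    "2024-05-01T09:15:00 user=bob svc=CIFS/files01.corp.local etype=0x12 status=0x0",
    "2024-05-01T10:20:00 user=bob svc=HTTP/web01.corp.local etype=0x12 status=0x0",
]

RC4_HMAC = 0x17          # ticket encryption type 0x17; AES types are 0x11/0x12
SPN_THRESHOLD = 5        # distinct SPNs requested by one user inside WINDOW
WINDOW = timedelta(minutes=5)

def parse_4769(line):
    """Turn one sample line into a dict with a typed timestamp and etype."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["etype"] = int(rec["etype"], 16)
    return rec

def kerberoast_candidates(lines, threshold=SPN_THRESHOLD, window=WINDOW, rc4_only=True):
    """Return {user: sorted SPNs} for users whose successful ticket requests
    cover >= threshold distinct SPNs within one sliding window.
    rc4_only=False also counts AES tickets (tooling can request those too)."""
    by_user = defaultdict(list)
    for rec in map(parse_4769, lines):
        if rec["status"] == "0x0" and (not rc4_only or rec["etype"] == RC4_HMAC):
            by_user[rec["user"]].append(rec)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):  # every event opens a new window
            spns = {r["svc"] for r in recs[i:] if r["ts"] - first["ts"] <= window}
            if len(spns) >= threshold:
                flagged[user] = sorted(spns)
                break
    return flagged

if __name__ == "__main__":
    for user, spns in kerberoast_candidates(SAMPLE_4769).items():
        print(f"{user}: {len(spns)} distinct SPNs via RC4 within {WINDOW}: {spns}")
```

Tune the threshold and window to the environment's baseline; service accounts and admins that legitimately touch many SPNs will need allow-listing.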

Stakeholder Explanation

An attacker with any employee-level account can extract encrypted password material for service accounts and crack those passwords offline, with no interaction with your systems. Service accounts often have far more access than individual employees, and their passwords are rarely changed. The primary defense is automatically managed passwords (gMSAs).

Report Phrasing

Finding: Kerberoastable Service Accounts with Weak Passwords. TGS tickets were requested for [N] user-based service accounts with SPNs. Offline cracking recovered the password for [account], a member of [group] with [specific access]. Password unchanged for [N] years. Severity: High. Recommendation: Convert to gMSAs. Enforce 25+ character passwords on remaining accounts. Remove unnecessary privileged group memberships.

Common Pitfalls

  • Describing Kerberoasting as 'cracking Kerberos' — the protocol is not broken; weak service account passwords are the vulnerability
  • Saying 'you run Rubeus and get hashes' without explaining why the KDC issues the ticket or what the material represents
  • Claiming Kerberoasting always leads to Domain Admin — impact depends entirely on the cracked account's privileges
  • Not mentioning offline cracking — this is the core reason the attack is stealthy