Skip to content

Walk me through Kerberoasting — how it works, why it's possible, and how defenders stop it.

Short answer

Any authenticated domain user can request a Kerberos service ticket (TGS) for any account with an SPN. That ticket is encrypted with the service account's NTLM password hash, so you extract it and crack the password offline — no privileged access needed to start, and it's near-silent.

Kerberoasting is one of the most reliable Active Directory attacks because it abuses Kerberos working exactly as designed. It needs only a single valid domain account to begin, which is why it's a staple of internal engagements.

How Kerberos sets it up

In Kerberos, services are identified by a Service Principal Name (SPN). When a user wants to use a service, the Key Distribution Center issues a TGS (service ticket) encrypted with the service account's password hash (its NTLM/RC4 key, or AES key). The idea is that only the legitimate service, which knows its own password, can decrypt and validate the ticket.

The abuse

The flaw is who's allowed to ask. Any authenticated domain user can request a TGS for any SPN — the KDC doesn't check whether you're actually authorized to use that service. So an attacker:

  1. Enumerates accounts with SPNs (often regular user accounts running services — SQL, IIS, etc.) via LDAP.
  2. Requests TGS tickets for them (tools: Rubeus, Impacket's GetUserSPNs.py).
  3. Extracts the encrypted ticket and cracks it offline with Hashcat. If the service account's password is weak, it falls in hours.

Crucially the cracking happens offline, so there are no failed logons, no lockouts, and minimal noise. Attackers often request RC4 (etype 23) tickets because they're faster to crack than AES.

Why service accounts are the prize

Service accounts frequently have old, non-expiring, weak passwords and are over-privileged — sometimes domain admins. Crack one and you may jump straight to high privilege.

Defenses

  • Use long, random passwords (25+ chars) for service accounts, or group Managed Service Accounts (gMSAs) which rotate automatically.
  • Enforce AES and disable RC4 where possible.
  • Least-privilege the service accounts.
  • Detect Event ID 4769 spikes, especially RC4 ticket requests from a single user.

What interviewers look for

That you explain why it works (anyone can request a TGS, offline cracking = stealth), name real tooling, flag the RC4 angle, and pivot cleanly to gMSAs and 4769 monitoring as the fix.

Likely follow-ups

  • Why does requesting RC4-encrypted (etype 23) tickets make cracking easier?
  • What makes service accounts such good targets, and how do gMSAs help?
  • How would a defender detect Kerberoasting in their logs?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.