**Brief definition**Kerberoasting is an attack where an attacker requests Kerberos service tickets (TGS) for SPN-associated service accounts, extracts the encrypted service ticket, and crackes it offline to recover the service account plaintext password.**Prerequisites**- Valid domain user account (any low-privileged user can request TGS).- Service Principal Names (SPNs) registered to service accounts (often AD service accounts, managed or local).- Target accounts have AES/RC4-encrypted Kerberos tickets (older/weak hashes make cracking easier).**Enumerate SPN-bearing accounts**- Use built-in or common tools:powershell
# PowerView
Get-NetUser -SPN
# setspn
setspn -T domain -Q */*
**Request & capture service tickets**- Request TGS for an SPN to receive an encrypted ticket:powershell
# Rubeus (request TGS)
Rubeus.exe kerberoast /user:svc_account /format:kirbi
# or request all:
Invoke-Kerberoast -Verbose
- Save the ticket (.kirbi or ccache) and export to hash format for cracking.**Why offline cracking**- Tickets contain service account-derived key material (encrypted with account password). Offline cracking avoids noisy network interaction and allows time-intensive attacks against weak passwords.**Detection indicators**- Unusual high-volume TGS requests for many SPNs from a low-privileged account.- Service tickets exported to disk or abnormal processes running Rubeus/Invoke-Kerberoast.- Authentication spikes for accounts with SPNs.**Defensive measures**- Enforce strong, complex, and lengthy passwords for service accounts and use managed/automated rotation.- Prefer gMSA or computer accounts (no user passwords).- Disable RC4; require AES.- Constrained delegation / resource-based constrained delegation where appropriate.- Monitor for TGS request patterns, uncommon service ticket exports, and logging via Kerberos event IDs (4769, 4624 correlation).**Safe lab testing boundaries**- Only test in authorized environments. Use isolated AD lab, non-production accounts, and notify stakeholders. Never capture or crack tickets from production or accounts you don’t own. Keep cracked passwords confidential and follow engagement rules of engagement.