Kerberoasting

Info

This note is still in development.

TL;DR

Kerberoasting is a post-exploitation attack technique that attempts to obtain the password hash of an Active Directory account that has a Service Principal Name ("SPN"), which by design includes every domain service account.

Any user with a valid TGT and permission to access the service can request a Service Ticket for any service with an SPN. Part of this Service Ticket is encrypted with the service account's NTLM password hash, so an attacker who obtains the ticket can attempt to crack that hash offline and recover the plaintext password to gain unauthorized access.

Once the plaintext credentials of the service account are obtained, the adversary can impersonate the account owner and inherit access to any systems, assets or networks granted to the compromised account.
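As an added example that is not part of this note, the following Python scans constructed Windows Security event 4769 (Kerberos service ticket request) records for the two classic indicators of the behaviour described above: RC4 tickets (encryption type 0x17) requested for non-machine service accounts, which are the cheapest to crack offline, and one account requesting tickets for many distinct SPNs inside a short window. The field names and sample events are assumptions made for this example.

```python
# Added example: flag Kerberoasting indicators in constructed 4769 records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; keys loosely mirror 4769 fields
# (Account Name, Service Name, Ticket Encryption Type, Failure Code).
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "account": "alice@CORP.LOCAL",
     "service": "sql_svc", "etype": "0x12", "status": "0x0"},
    {"time": "2024-01-10T09:00:02", "account": "alice@CORP.LOCAL",
     "service": "WS01$", "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-10T09:05:00", "account": "bob@CORP.LOCAL",
     "service": "sql_svc", "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-10T09:05:01", "account": "bob@CORP.LOCAL",
     "service": "http_svc", "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-10T09:05:02", "account": "bob@CORP.LOCAL",
     "service": "mssql_svc", "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-10T09:05:03", "account": "bob@CORP.LOCAL",
     "service": "backup_svc", "etype": "0x17", "status": "0x0"},
]

RC4_ETYPE = "0x17"  # RC4-HMAC: key is the plain NT hash, cheapest to crack

def rc4_requests(events):
    """Return (requester, service) pairs for successful RC4 tickets on
    non-machine accounts (machine accounts end in '$' and use random passwords)."""
    return [(e["account"], e["service"]) for e in events
            if e["etype"] == RC4_ETYPE and e["status"] == "0x0"
            and not e["service"].endswith("$")]

def burst_requesters(events, max_distinct=3, window=timedelta(minutes=5)):
    """Return accounts that requested tickets for more than `max_distinct`
    distinct non-machine SPNs inside any sliding window of length `window`."""
    per_user = defaultdict(list)
    for e in events:
        if not e["service"].endswith("$"):
            per_user[e["account"]].append(
                (datetime.fromisoformat(e["time"]), e["service"]))
    flagged = set()
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) > max_distinct:
                flagged.add(user)
                break
    return sorted(flagged)
```

Thresholds are deliberately low for the sample data; in production, tune `max_distinct` and `window` against a baseline of normal ticket requests, since a single RC4 request from a legacy client is common and not itself evidence of an attack.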