
Penetration Testing: Active Directory Exploitation

Published: 12 May 2026 · 11 min read · By Red Team Operations

⚡ Active Directory Penetration Triage

Active Directory (AD) continues to act as the primary enterprise identity management framework. However, legacy configurations and complex trust structures often leave AD environments exposed to catastrophic domain takeover pathways. This guide reviews key exploitation vectors and practical mitigations.

1. The Kerberos Authentication Loop

Active Directory relies heavily on the Kerberos protocol to authenticate users and grant access to network assets. In the Kerberos exchange, when a user needs a network resource (such as a database server), the client requests a Ticket Granting Service (TGS) ticket for that resource from the Key Distribution Center (KDC). The KDC encrypts the ticket with the cryptographic hash of the password of the service account under which the target resource runs.

Because this ticket is handed to the requesting client, any authenticated domain user can obtain a TGS ticket for any service that has a registered Service Principal Name (SPN). This design is what makes attacks such as Kerberoasting possible.

2. Kerberoasting and AS-REP Roasting

In a **Kerberoasting** attack, an attacker requests TGS tickets for the targeted service accounts, extracts the encrypted ticket data from memory on the host, and takes it offline for rapid GPU-driven brute-force cracking. If the service account uses a weak or predictable password, the attacker recovers it quickly and gains full control of the account.

Similarly, **AS-REP Roasting** targets domain accounts for which Kerberos pre-authentication is disabled. The attacker sends an authentication request (AS-REQ) to the domain controller on behalf of the target user. Because no pre-authentication is demanded, the controller answers with an AS-REP whose encrypted part is protected by the user's password hash. The attacker captures this response and cracks it offline.

# Threat Vector: Requesting TGS ticket for Kerberoasting
Rubeus.exe kerberoast /simple /outfile:hashes.txt
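The two exposures described above (a user-managed password behind an SPN, and an account with pre-authentication switched off) are both visible in ordinary directory attributes, so they can be audited before anyone requests a ticket. The following is an added example written for this guide, not code from the original article or from any tool it names. It assumes account records have already been exported from LDAP as dicts keyed by the real AD attribute names (sAMAccountName, objectClass, userAccountControl, servicePrincipalName, pwdLastSet); the four records and the evaluation date are constructed.

```python
"""Audit Active Directory account records for Kerberoasting / AS-REP roasting exposure.

Added example, not code from the original article. Records are assumed to be
LDAP exports keyed by real AD attribute names; the sample data is constructed.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented AD constants)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQUIRE_PREAUTH = 0x400000

# Object classes whose passwords are machine-managed and rotated, so an SPN on
# them is not a Kerberoasting exposure.
MACHINE_MANAGED_CLASSES = {"computer", "msDS-GroupManagedServiceAccount"}

# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample data."""
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def assess(account: dict, now: datetime, max_password_age_days: int = 365) -> list[str]:
    """Return human-readable findings for one account; an empty list means no exposure."""
    uac = account.get("userAccountControl", 0)
    if uac & ACCOUNTDISABLE:
        return []  # a disabled account cannot obtain tickets

    findings = []
    if uac & DONT_REQUIRE_PREAUTH:
        findings.append("AS-REP roastable: Kerberos pre-authentication not required")

    spns = account.get("servicePrincipalName", [])
    machine_managed = bool(MACHINE_MANAGED_CLASSES & set(account.get("objectClass", [])))
    if spns and not machine_managed:
        findings.append("Kerberoastable: user-managed password with SPN(s) " + ", ".join(spns))
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append("password never expires")
        age = now - filetime_to_datetime(account["pwdLastSet"])
        if age.days > max_password_age_days:
            findings.append(f"password last set {age.days} days ago")
    return findings


def audit(accounts: list[dict], now: datetime) -> dict[str, list[str]]:
    """Map sAMAccountName to findings for every account that has at least one."""
    report = {}
    for account in accounts:
        findings = assess(account, now)
        if findings:
            report[account["sAMAccountName"]] = findings
    return report


# Constructed sample data: evaluation date and four account records.
NOW = datetime(2026, 5, 12, tzinfo=timezone.utc)
USER = ["top", "person", "organizationalPerson", "user"]
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": USER,            # stale, non-expiring password behind an SPN
     "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD,          # 0x200 = NORMAL_ACCOUNT
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "pwdLastSet": datetime_to_filetime(datetime(2021, 3, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "legacy_app", "objectClass": USER,         # ordinary user, pre-authentication off
     "userAccountControl": 0x200 | DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [],
     "pwdLastSet": datetime_to_filetime(datetime(2026, 1, 15, tzinfo=timezone.utc))},
    {"sAMAccountName": "gmsa_web$",                               # gMSA: SPN present, DC rotates the password
     "objectClass": USER + ["computer", "msDS-GroupManagedServiceAccount"],
     "userAccountControl": 0x1000,                                # WORKSTATION_TRUST_ACCOUNT
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "pwdLastSet": datetime_to_filetime(datetime(2026, 5, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "old_svc", "objectClass": USER,            # disabled: ignored despite pre-auth off
     "userAccountControl": 0x200 | ACCOUNTDISABLE | DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": ["HOST/old01.corp.example"],
     "pwdLastSet": datetime_to_filetime(datetime(2019, 6, 1, tzinfo=timezone.utc))},
]

if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS, NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against a real export, the report lists exactly the accounts that the gMSA migration and the pre-authentication checklist items below are meant to eliminate; the gMSA and disabled records are deliberately included to show that the audit does not flag them.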

3. Defensive Active Directory Hardening

Securing Active Directory starts with mapping its trust relationships and the privilege paths that cross them. Incident responders and defenders use tools such as BloodHound to locate paths to domain administrative rights and to expose hidden privileges that would let an attacker escalate.

To defend against Kerberos-based attacks, organizations should move service accounts to Group Managed Service Accounts (gMSAs). gMSA passwords are 240-character random values that the domain controller rotates automatically, which makes offline cracking computationally infeasible.

🛡️ Active Directory Hardening Checklist:

  • Transition all service accounts to Group Managed Service Accounts (gMSAs) immediately.
  • Enforce Kerberos pre-authentication across all active domain user accounts.
  • Run routine BloodHound analyses to map and remove unintended administrative paths.
  • Enable detailed auditing on all Domain Controllers for Event ID 4769 (A Kerberos service ticket was requested).
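The last checklist item only pays off if something reads the 4769 events. Two indicators that fall directly out of the explanation in section 2 are a service ticket issued with RC4-HMAC (TicketEncryptionType 0x17, the encryption type that is cheapest to crack offline) for a user-managed service account, and a single user collecting tickets for many distinct services in a short window. The following detection logic is an added example written for this guide, not code from the original article or from any product. It assumes 4769 events have been exported as JSON lines whose keys are the EventData field names Windows writes (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status) plus TimeCreated; every event below is constructed.

```python
"""Flag Kerberoasting indicators in Windows Security Event ID 4769 records.

Added example, not code from the original article. Events are assumed to be
JSON lines keyed by the Windows EventData field names; all samples are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # etype 23; RC4 tickets are far cheaper to crack offline than AES ones


def parse_events(lines):
    """Parse JSON lines into event dicts with TimeCreated as a datetime, oldest first."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        event["TimeCreated"] = datetime.fromisoformat(event["TimeCreated"])
        events.append(event)
    return sorted(events, key=lambda e: e["TimeCreated"])


def is_user_managed_service(service_name):
    """Computer accounts (trailing $) and krbtgt have rotated keys; only other services matter."""
    return not service_name.endswith("$") and not service_name.lower().startswith("krbtgt")


def detect(events, window=timedelta(minutes=5), threshold=5):
    """Return findings for RC4 service tickets and per-user SPN sweeps."""
    findings = []
    recent = defaultdict(deque)   # user -> deque of (time, service) inside the window
    alerted = set()               # users already reported for a sweep
    for event in events:
        if event.get("Status", "0x0") != "0x0":
            continue   # a failed request yields no crackable ticket
        service = event["ServiceName"]
        if not is_user_managed_service(service):
            continue
        user, when = event["TargetUserName"], event["TimeCreated"]

        # Rule 1: an RC4 ticket for a user-managed service account
        if event["TicketEncryptionType"].lower() == RC4_HMAC:
            findings.append({"rule": "rc4_service_ticket", "user": user, "service": service,
                             "ip": event.get("IpAddress"), "time": when})

        # Rule 2: many distinct services requested by one user within the window
        queue = recent[user]
        queue.append((when, service))
        while when - queue[0][0] > window:
            queue.popleft()
        distinct = {s for _, s in queue}
        if len(distinct) >= threshold and user not in alerted:
            alerted.add(user)
            findings.append({"rule": "spn_sweep", "user": user,
                             "services": sorted(distinct), "time": when})
    return findings


def _event(ts, user, service, etype, ip):
    """Build one constructed 4769 record as a JSON line."""
    return json.dumps({"TimeCreated": ts, "TargetUserName": user, "ServiceName": service,
                       "TicketEncryptionType": etype, "IpAddress": ip, "Status": "0x0"})


# Constructed sample: benign AES traffic, machine/krbtgt noise, then one user
# pulling RC4 tickets for six different services inside 40 seconds.
SAMPLE_LINES = [
    _event("2026-05-12T09:00:01", "asmith@CORP.EXAMPLE", "svc_sql", "0x12", "::ffff:10.0.0.21"),
    _event("2026-05-12T09:00:05", "WS01$@CORP.EXAMPLE", "DC01$", "0x12", "::ffff:10.0.0.31"),
    _event("2026-05-12T09:00:09", "asmith@CORP.EXAMPLE", "krbtgt", "0x12", "::ffff:10.0.0.21"),
] + [
    _event(f"2026-05-12T09:10:{7 * i:02d}", "jdoe@CORP.EXAMPLE", svc, "0x17", "::ffff:10.0.0.55")
    for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sccm", "svc_report", "svc_iis"])
]

if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LINES)):
        print(finding)
```

Rule 1 fires once per RC4 ticket and Rule 2 once per user when the distinct-service count first crosses the threshold. Both are assumptions to tune: an estate that still runs RC4-only applications will need an allow-list for those SPNs, and the window and threshold should be set from a baseline of normal ticket volume rather than the values used here.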

Frequently Asked Questions

What is Kerberoasting?

Kerberoasting is an offline password-cracking attack against Kerberos TGS tickets, which any authenticated domain user can request; its goal is to recover the cleartext password of service accounts.

How does a gMSA account protect Active Directory?

Group Managed Service Accounts (gMSAs) utilize complex, 240-character random passwords managed automatically by Windows, rendering GPU-based offline dictionary attacks completely useless.