Attacking Kerberos

Overview

Kerberos is the default authentication protocol in Microsoft Active Directory. It improves on NTLM by using tickets, stronger cryptography, and a trusted third party for authentication, but it still exposes multiple attack paths when accounts, tickets, and service configuration are weak.

This writeup covers the practical attack surface: user enumeration, ticket harvesting, password spraying, Kerberoasting, AS-REP Roasting, Pass-the-Ticket, forged tickets, and skeleton key abuse. The goal is to understand what each attack needs, what it produces, and why defenders should care.

Core Kerberos Terms

• Ticket Granting Ticket (TGT): Used to request service tickets from the KDC.
• Key Distribution Center (KDC): Domain service that issues TGTs and service tickets.
• Authentication Service (AS): Handles the initial request for a TGT.
• Ticket Granting Service (TGS): Issues service tickets after validating a TGT.
• Service Principal Name (SPN): Identifier that links a service instance to an account.
• KDC Long Term Key: Based on the krbtgt account and used to protect TGTs.
• Client Long Term Key: Based on the user, computer, or service account secret.
• Service Long Term Key: Used to encrypt the service side of a ticket.
• Session Key: Shared key issued with a TGT or service ticket for later exchanges.
• Privilege Attribute Certificate (PAC): Contains identity and authorization data for the user.

Authentication Flow

1. AS-REQ: The client asks the KDC for a TGT.
2. AS-REP: The KDC validates the client and returns an encrypted TGT.
3. TGS-REQ: The client presents the TGT and requests a service ticket for an SPN.
4. TGS-REP: The KDC issues the service ticket if validation succeeds.
5. AP-REQ: The client presents the service ticket to the target service.
6. AP-REP: The service accepts the ticket and grants access.

In practice, attacking Kerberos usually means abusing weak account secrets, reusing issued tickets, or forging tickets after deeper compromise.

Ticket Structure

A TGT is only used to request service tickets. After the KDC validates the user's credentials, it creates the TGT, encrypts it with the krbtgt key, and returns it alongside a session key.

A service ticket has two important parts:

• Service portion: Includes user details and the session key, encrypted with the service account hash.
• User portion: Includes validity details and the session key, protected with the TGT session key.

Attack Prerequisites

• Kerbrute enumeration: No domain access required.
• Pass-the-Ticket: Access to a machine holding useful Kerberos tickets.
• Kerberoasting: Any authenticated domain user.
• AS-REP Roasting: Any authenticated user plus a target with pre-auth disabled.
• Golden Ticket: Full domain compromise, including the krbtgt secret.
• Silver Ticket: Service account hash for the target service.
• Skeleton Key: Domain admin level access to the domain controller.

Kerbrute Enumeration

Kerbrute abuses Kerberos pre-authentication behavior to enumerate valid users without needing a full domain logon. This is useful because it can identify valid accounts while generating less obvious noise than standard authentication failures.

Typical Flow

1. Download a Kerbrute build for your OS.
2. Make it executable.
3. Run user enumeration against the domain controller with a candidate username list.

./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt

The most valuable findings are usually service accounts and any naming conventions you can reuse in later attacks.

Harvesting and Password Spraying with Rubeus

Rubeus is one of the most useful Kerberos attack tools for Windows environments. It supports ticket extraction, roasting, ticket requests, renewals, spraying, and ticket injection.

Harvesting Tickets

Ticket harvesting collects TGTs as they are seen on a host, which can later support Pass-the-Ticket or broader lateral movement.

Rubeus.exe harvest /interval:30

Password Spraying

Rubeus can test a single password across many discovered users. If successful, it can return a usable .kirbi TGT for the compromised account.

Rubeus.exe brute /password:Password1 /noticket

Use this carefully in real environments because lockout policies can quickly turn low-noise testing into an operational problem.

Kerberoasting

Kerberoasting targets accounts with SPNs. Any authenticated user can request a service ticket for those services, extract the encrypted ticket material, and crack it offline to recover the service account password if it is weak enough.

Method 1: Rubeus

Rubeus.exe kerberoast

Rubeus will identify roastable accounts and dump their Kerberos material for offline cracking.

Method 2: Impacket

python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip MACHINE_IP -request

Cracking

hashcat -m 13100 -a 0 hash.txt Pass.txt

If the cracked service account has elevated privileges, the impact can range from service access to broad domain compromise.

Kerberoasting Mitigation

• Use long, unique service account passwords.
• Do not assign domain admin rights to service accounts unless strictly necessary.
• Audit SPNs and service account privilege regularly.
• Monitor for abnormal TGS requests and offline-cracking follow-on activity.

AS-REP Roasting

AS-REP Roasting targets users with Kerberos pre-authentication disabled. In that case, an attacker can request authentication material for the account without proving knowledge of the user's password first, then crack the returned data offline.

Dumping Roastable Hashes

Rubeus.exe asreproast

Preparing and Cracking

Some formats need a small adjustment before cracking with Hashcat.

hashcat -m 18200 hash.txt Pass.txt

This attack is especially dangerous when legacy compatibility or misconfiguration leaves pre-authentication disabled on real user accounts.

AS-REP Roasting Mitigation

• Keep Kerberos pre-authentication enabled unless there is a hard technical requirement not to.
• Enforce strong passwords so recovered material is harder to crack offline.
• Audit accounts with pre-auth disabled and remove that setting where possible.

Pass-the-Ticket

Pass-the-Ticket reuses valid Kerberos tickets already stored in LSASS memory. Instead of cracking a password, the attacker exports a ticket and injects it into another logon session to impersonate the original user.

Export Tickets with Mimikatz

mimikatz.exe
privilege::debug
sekurlsa::tickets /export

Inject a Ticket

kerberos::ptt <ticket>
klist

This is highly effective for privilege escalation and lateral movement when privileged users have authenticated to lower-trust systems.

Pass-the-Ticket Mitigation

• Restrict where privileged administrators can log on.
• Harden and monitor LSASS access.
• Use tiered administration to reduce exposure of privileged tickets.
• Watch for ticket export, injection, and unusual lateral movement patterns.

Golden and Silver Tickets

Forged ticket attacks rely on long-term secrets rather than stolen live tickets. With the krbtgt hash, an attacker can create a golden ticket and effectively mint access for the whole domain. With a service account hash, the attacker can create a silver ticket scoped to a specific service.

Dump the Required Secret

mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt

For a silver ticket, replace krbtgt with the relevant service account.

Create the Ticket

Kerberos::golden /user:Administrator /domain:controller.local /sid:<SID> /krbtgt:<NTLM_HASH> /id:<RID>

Use the Ticket

misc::cmd

Golden tickets are broader and noisier. Silver tickets can be more discreet because they only target a specific service.

Skeleton Key

A skeleton key is a Kerberos backdoor implanted into domain controller memory. Once installed, the domain controller will accept a master password for domain accounts alongside the legitimate NT hash during Kerberos validation.

In Mimikatz, the well-known default password is mimikatz and the technique relies on RC4-related behavior.

mimikatz.exe
privilege::debug
misc::skeleton

This backdoor is memory-resident and does not persist across restart by itself, but it is still extremely dangerous because it gives immediate, covert access across the forest while active.

Defensive Takeaways

• Protect the krbtgt account and service account secrets like crown jewels.
• Keep service accounts low-privilege and rotate them regularly.
• Disable pre-auth exceptions unless they are absolutely required.
• Prevent privileged users from authenticating to low-trust hosts.
• Monitor for abnormal ticket requests, ticket injection, and LSASS access.
• Use hardening, tiering, and detection together rather than relying on one control.

Useful Tools

• Kerbrute: Username enumeration and pre-auth abuse.
• Rubeus: Ticket harvesting, roasting, spraying, and ticket operations.
• Mimikatz: Ticket export, ticket injection, forged tickets, and skeleton key abuse.
• Impacket: Remote Kerberoasting and broader AD tradecraft from Linux.
• Hashcat: Offline cracking for Kerberoast and AS-REP material.