Kerberoasting and Golden Ticket Attacks
Learn how Kerberoasting extracts crackable service ticket hashes offline and how Golden Ticket attacks grant unlimited Kerberos access using a compromised KRBTGT hash.
Kerberos Service Ticket Architecture
To understand Kerberoasting and Golden Ticket attacks, you need a clear picture of Kerberos service ticket issuance. When a client wants to access a service (e.g., an SQL server), it presents its Ticket Granting Ticket (TGT) to the Domain Controller's Ticket Granting Service (TGS). The TGS issues a Service Ticket encrypted with the service account's password hash. The client presents this ticket to the service, which decrypts it with its own hash to verify authenticity. This design means service tickets are encrypted with the target service's credential — a critical detail that Kerberoasting exploits.
Kerberoasting: Offline Password Cracking
Kerberoasting is an attack that exploits the fact that any authenticated domain user can request a Kerberos service ticket for any service registered with an SPN (Service Principal Name). The attacker requests service tickets for accounts with SPNs, captures the encrypted ticket blobs, and then attempts to crack the service account password offline — without any further interaction with Active Directory or any account lockout risk. Service accounts often have weak passwords, old passwords that predate modern complexity requirements, or passwords that never expire, making them highly vulnerable to offline cracking.
# Step 1: Enumerate accounts with SPNs (attack setup; uses the ActiveDirectory PowerShell module)
Get-ADUser -Filter {ServicePrincipalName -ne '$null'} -Properties ServicePrincipalName
# Step 2: Request service tickets for those SPNs (using Impacket GetUserSPNs.py)
# GetUserSPNs.py domain/user:password -dc-ip 192.168.1.1 -request
# Outputs $krb5tgs$ hashes ready for cracking with Hashcat