Cyber Security Academy · Lesson

Kerberos and Kerberoasting

Cracking service account tickets.

Kerberos in One Picture

Kerberos is a ticket-based authentication protocol. Instead of sending passwords, clients present cryptographic tickets issued by the Key Distribution Center (KDC), which runs on every Domain Controller.

  • The Authentication Server (AS) issues a Ticket Granting Ticket (TGT).
  • The Ticket Granting Server (TGS) issues service tickets.
  • Services validate tickets without contacting the DC.

The Three Exchanges

Kerberos has three message exchanges. Understanding them reveals where attacks fit.

  • AS-REQ / AS-REP: client proves identity (pre-auth) and gets a TGT encrypted with the krbtgt key.
  • TGS-REQ / TGS-REP: client presents the TGT to the TGS to request a service ticket.
  • AP-REQ / AP-REP: client presents the service ticket to the service.

AS-REP roasting attacks the first exchange; Kerberoasting attacks the second.
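
An added detection example (not part of the original lesson): it maps the first two exchanges to Windows Security events 4768 and 4769 and flags the patterns that AS-REP roasting and Kerberoasting leave on a Domain Controller. The events are constructed samples, and the field subset, the RC4 filter, and the threshold of 3 distinct services are assumptions to tune per environment.

```python
from collections import defaultdict

RC4_HMAC = "0x17"   # etype 23; AES tickets show 0x11 / 0x12
SPN_THRESHOLD = 3   # assumption: distinct RC4 service tickets per requester

def event(event_id, user, ip, **fields):
    """Build one constructed event with the subset of fields used here."""
    return {"EventID": event_id, "TargetUserName": user, "IpAddress": ip, **fields}

# Constructed sample batch (not real logs), e.g. one 5-minute window from a DC.
SAMPLE_EVENTS = [
    # 4768 = TGT requested (AS-REQ / AS-REP)
    event(4768, "alice", "10.0.0.5", PreAuthType="2"),
    event(4768, "svc_legacy", "10.0.0.66", PreAuthType="0"),
    # 4769 = service ticket requested (TGS-REQ / TGS-REP)
    event(4769, "alice@CORP.EXAMPLE", "10.0.0.5", ServiceName="FILESRV01$", TicketEncryptionType="0x12"),
    event(4769, "alice@CORP.EXAMPLE", "10.0.0.5", ServiceName="svc_sql", TicketEncryptionType="0x12"),
    event(4769, "bob@CORP.EXAMPLE", "10.0.0.77", ServiceName="svc_sql", TicketEncryptionType="0x17"),
    event(4769, "bob@CORP.EXAMPLE", "10.0.0.77", ServiceName="svc_web", TicketEncryptionType="0x17"),
    event(4769, "bob@CORP.EXAMPLE", "10.0.0.77", ServiceName="svc_backup", TicketEncryptionType="0x17"),
    event(4769, "bob@CORP.EXAMPLE", "10.0.0.77", ServiceName="krbtgt", TicketEncryptionType="0x12"),
]

def classify(events, spn_threshold=SPN_THRESHOLD):
    """Return (as_rep_findings, kerberoast_findings) for one batch of events."""
    no_preauth = []
    rc4_services = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4768 and ev.get("PreAuthType") == "0":
            # First exchange: a TGT was issued with no pre-authentication.
            no_preauth.append((ev["TargetUserName"], ev["IpAddress"]))
        elif ev["EventID"] == 4769:
            service = ev["ServiceName"]
            # Skip machine accounts and krbtgt: their keys are not derived
            # from human-chosen passwords.
            if service.endswith("$") or service.lower() == "krbtgt":
                continue
            if ev["TicketEncryptionType"].lower() == RC4_HMAC:
                rc4_services[(ev["TargetUserName"], ev["IpAddress"])].add(service)
    # Second exchange: one requester pulling RC4 tickets for many services.
    roast = {who: sorted(s) for who, s in rc4_services.items() if len(s) >= spn_threshold}
    return no_preauth, roast

if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))
```

Feed it one time window of events per call; the AP-REQ / AP-REP exchange happens between client and service, so it does not appear in these Domain Controller events.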
