Kerberoasting is an attack against Active Directory service accounts that uses normal Kerberos functionality to obtain encrypted service tickets, which can then be cracked offline. If the password for the targeted service account is weak, the attacker may recover it without ever interacting with the account directly.

In a Windows domain, services such as SQL Server or Exchange often run under dedicated domain accounts with Service Principal Names (SPNs) registered in Active Directory. Any authenticated domain user can request a Kerberos service ticket for one of those accounts. That ticket is encrypted using RC4-HMAC, keyed directly from the NTLM hash of the service account’s password. The attacker extracts the ticket and uses offline password-cracking tools to test candidates until one produces a key that successfully decrypts it.

The attack is low-noise and low-risk from an attacker's perspective: requesting service tickets is normal domain behaviour, so the initial step does not necessarily appear suspicious. The cracking happens entirely offline, meaning no repeated logon attempts, no account lockouts, and little chance of detection unless the organisation is specifically monitoring for unusual ticket request patterns or anomalous use of RC4 encryption.
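The monitoring the paragraph above describes, as an added example that is not part of the original article: a PowerShell pass over Windows Security event 4769 records that flags RC4-HMAC tickets and any requester that pulls tickets for many distinct service accounts in a short window. The sample events, the window and threshold values, and the function names are constructed for this example.

```powershell
# Added example, not code from the original article. A detection pass over
# Windows Security event 4769 ("A Kerberos service ticket was requested").
# It looks for the two signals the text names: tickets issued with RC4-HMAC
# (TicketEncryptionType 0x17) and one requester pulling tickets for many
# distinct service accounts in a short window. $sampleEvents is constructed
# test data; ConvertFrom-Event4769 shows how to get the same shape from
# real Get-WinEvent records.

function ConvertFrom-Event4769 {
    # Flatten a 4769 EventLogRecord into the fields the detector needs.
    # ServiceName is the account that owns the SPN, not the SPN string.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $Record.TimeCreated
            User    = $data['TargetUserName']
            Service = $data['ServiceName']
            EncType = $data['TicketEncryptionType']
            Ip      = $data['IpAddress']
            Status  = $data['Status']
        }
    }
}

function Find-KerberoastIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 5,      # assumed tuning values; adjust to the environment
        [int] $ServiceThreshold = 5
    )
    # Drop failed requests and tickets for krbtgt or computer accounts ($):
    # they are noisy and their keys are not what an offline attack cracks.
    $interesting = @($Events | Where-Object {
        $_.Status -eq '0x0' -and $_.Service -notmatch '^krbtgt' -and $_.Service -notmatch '\$$'
    })
    $findings = @()

    # Indicator 1: a successful RC4 ticket. Accounts with AES keys negotiate
    # 0x11/0x12; 0x17 is the type the text says to watch for.
    foreach ($e in @($interesting | Where-Object { $_.EncType -eq '0x17' })) {
        $findings += [pscustomobject]@{
            Indicator = 'RC4Ticket'; User = $e.User
            Detail    = "RC4 ticket for $($e.Service) from $($e.Ip) at $($e.Time)"
        }
    }

    # Indicator 2: distinct service accounts per requester in a sliding window.
    foreach ($group in @($interesting | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end })
            $distinct = @($inWindow | Select-Object -ExpandProperty Service -Unique).Count
            if ($distinct -ge $ServiceThreshold) {
                $findings += [pscustomobject]@{
                    Indicator = 'ServiceBurst'; User = $group.Name
                    Detail    = "$distinct distinct service accounts within $WindowMinutes min from $($sorted[$i].Time)"
                }
                break   # one burst finding per requester is enough
            }
        }
    }
    return $findings
}

# Constructed sample: alice's two AES tickets are ordinary; bob requests RC4
# tickets for six different service accounts inside one minute.
$sampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:00:01'; User = 'alice'; Service = 'svc_sql';    EncType = '0x12'; Ip = '10.1.2.3'; Status = '0x0' }
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:00:02'; User = 'alice'; Service = 'WEB01$';     EncType = '0x12'; Ip = '10.1.2.3'; Status = '0x0' }
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:10:00'; User = 'bob';   Service = 'svc_sql';    EncType = '0x17'; Ip = '10.1.9.9'; Status = '0x0' }
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:10:05'; User = 'bob';   Service = 'svc_backup'; EncType = '0x17'; Ip = '10.1.9.9'; Status = '0x0' }
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:10:09'; User = 'bob';   Service = 'svc_web';    EncType = '0x17'; Ip = '10.1.9.9'; Status = '0x0' }
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:10:14'; User = 'bob';   Service = 'svc_exch';   EncType = '0x17'; Ip = '10.1.9.9'; Status = '0x0' }
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:10:20'; User = 'bob';   Service = 'svc_report'; EncType = '0x17'; Ip = '10.1.9.9'; Status = '0x0' }
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:10:27'; User = 'bob';   Service = 'svc_sccm';   EncType = '0x17'; Ip = '10.1.9.9'; Status = '0x0' }
)

Find-KerberoastIndicators -Events $sampleEvents | Format-Table -AutoSize
```

Against real data, feed the detector from each domain controller with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769; StartTime=(Get-Date).AddHours(-1)} | ConvertFrom-Event4769`, which requires the "Audit Kerberos Service Ticket Operations" policy to be enabled. An RC4 ticket on its own is not conclusive, because accounts that have never had AES keys set still produce them; the burst indicator, or an RC4 ticket for an account that is known to be AES-capable, is the higher-fidelity signal.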

The impact depends on the privileges of the cracked account. In many environments, service accounts are overprivileged and may have local administrator rights across multiple servers, access to databases, or delegated control within Active Directory. A single weak service account password can therefore become the starting point for privilege escalation and lateral movement across the wider domain.

Kerberoasting is a routine test during internal penetration testing because it reflects a realistic post-compromise technique used against Windows environments. Migrating service accounts to Group Managed Service Accounts (gMSAs), which automatically rotate to a 120-character random password, makes the attack computationally infeasible regardless of whether a ticket is obtained.
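The migration the last paragraph recommends, as an added example that is not part of the original article: a PowerShell inventory of the user accounts that carry SPNs, followed by the creation of an AES-only gMSA and the move of one SPN onto it. The domain, host, account and SPN names (corp.local, DB01, svc_sql, gMSA-SQL01, MSSQLSvc/db01.corp.local:1433) are placeholders, and the script assumes the ActiveDirectory module and domain-admin rights.

```powershell
# Added example, not code from the original article. Two defensive steps
# (ActiveDirectory module, run as a domain admin):
#   1. inventory user accounts that carry SPNs and show whether RC4 is still
#      possible for them, which is the surface Kerberoasting targets;
#   2. create an AES-only gMSA for one of those services and move its SPN.
# corp.local, DB01, svc_sql, gMSA-SQL01 and the MSSQLSvc SPN are placeholders.

Import-Module ActiveDirectory

function Get-KerberoastableAccounts {
    # User objects with at least one SPN (Get-ADUser excludes computer accounts).
    # msDS-SupportedEncryptionTypes bits: 0x4 = RC4-HMAC, 0x8 = AES128,
    # 0x10 = AES256. When the attribute is unset the domain default applies,
    # which historically meant RC4 was offered.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet |
    ForEach-Object {
        $et = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name            = $_.SamAccountName
            SPNs            = ($_.ServicePrincipalName -join '; ')
            PasswordLastSet = $_.PasswordLastSet
            Rc4Possible     = ($null -eq $et) -or (($et -band 0x4) -ne 0)
            AesEnabled      = ($null -ne $et) -and (($et -band 0x18) -ne 0)
        }
    }
}

# Oldest passwords first: those are the accounts to migrate before the rest.
Get-KerberoastableAccounts | Sort-Object PasswordLastSet | Format-Table -AutoSize

# --- Step 2: replace svc_sql with a gMSA ---

# The forest needs one KDS root key. Even with -EffectiveImmediately the key
# becomes usable about 10 hours later, once every DC has replicated it.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Create the gMSA. Only DB01 may retrieve its password; AES only, no RC4.
New-ADServiceAccount -Name 'gMSA-SQL01' `
    -DNSHostName 'gmsa-sql01.corp.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'DB01$' `
    -KerberosEncryptionType AES128, AES256

# SPNs must be unique in the forest, so remove the SPN from the old account
# before registering it on the gMSA.
Set-ADUser -Identity 'svc_sql' -ServicePrincipalNames @{ Remove = 'MSSQLSvc/db01.corp.local:1433' }
Set-ADServiceAccount -Identity 'gMSA-SQL01' -ServicePrincipalNames @{ Add = 'MSSQLSvc/db01.corp.local:1433' }

# On DB01 itself, after a reboot (so its computer ticket carries the new
# permission): install the account and confirm the host can retrieve the password.
Install-ADServiceAccount -Identity 'gMSA-SQL01'
Test-ADServiceAccount -Identity 'gMSA-SQL01'    # True when DB01 can use the gMSA

# Then set the SQL service to log on as CORP\gMSA-SQL01$ with a blank password,
# and disable svc_sql once nothing still depends on it.
```

The inventory is worth re-running after the migration: any user account that still appears with a registered SPN is still a Kerberoasting target, and the ones with old passwords and RC4 possible should go first. Where a service cannot run under a gMSA, setting its account to AES only (`Set-ADUser -KerberosEncryptionType AES128, AES256`) and rotating it to a long random password is the fallback the page's reasoning points to.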