Kerberoasting for People Who Hate Kerberos

Oct 25, 2025 · 2 min · active-directory , kerberos , kerberoasting , hashcat

Kerberos is the authentication protocol Active Directory runs on, and everyone who meets it goes through the same three stages: confusion, deeper confusion, and then a single clean moment where it makes sense and you get a little angry that it was explained to you so badly the first time. This is written from the other side of that moment, mostly so I never have to sit through stage two again.

Here is Kerberos without the diagrams that always made it worse. When you want to use a service in the domain, the domain hands you a ticket for that service. That ticket is encrypted with the password hash of the account the service runs under. That is the whole detail that matters: the ticket is locked with the service account’s password.

Now the attack, which is almost insulting once you see it. Any authenticated user, even a nobody account, is allowed to request a ticket for any service. The domain just hands it over. So you ask for a ticket for a service that runs under a juicy account, you get back a blob encrypted with that account’s password hash, and you take it offline and let hashcat throw a few hundred million guesses a second at it until the password falls out. The domain never sees the guessing. You are not knocking on the door anymore. You took the lock home.

That is Kerberoasting. It works because service accounts often have passwords set by a human in 2014 who figured “it is just a service account” and used something hashcat eats for breakfast.
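The flip side of "the domain never sees the guessing" is that the domain does see the ticket request. Every service-ticket request lands in the domain controller's Security log as event 4769, and a roasting session looks different from normal use in two ways: the requester asks for the cheapest ticket to crack (encryption type 0x17, RC4-HMAC) against accounts that are not computer accounts, and it asks for many distinct SPNs in seconds. The script below is an added example, not the post's own code or the kerbrute-py tool it mentions; it parses constructed 4769 lines in a key=value SIEM-export style (field names follow the real event, the hostnames, accounts, IPs and timestamps are made up) and raises an alert on either signal.

```python
"""
Detection sketch for Kerberoasting using Windows Security event 4769
("A Kerberos service ticket was requested").

Two classic signals:
  1. Ticket encryption type 0x17 (RC4-HMAC) requested for a service that runs
     under a user account (an SPN on an ordinary account, not a computer account
     ending in '$' and not krbtgt). Domains that issue AES tickets by default
     rarely see RC4 requests against such accounts outside roasting tools.
  2. One principal requesting tickets for many distinct SPNs inside a short
     window: roasting tools tend to ask for every SPN account in one sweep.

SAMPLE_EVENTS is a CONSTRUCTED sample in key=value form; the field names
(TargetUserName, ServiceName, TicketEncryptionType, IpAddress) mirror the real
4769 event, the values are invented for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2025-10-25T09:00:01 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.21
2025-10-25T09:00:02 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.21
2025-10-25T09:15:10 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.55
2025-10-25T09:15:11 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.55
2025-10-25T09:15:11 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.55
2025-10-25T09:15:12 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_mssql02 TicketEncryptionType=0x17 IpAddress=10.0.0.55
2025-10-25T11:30:00 EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.0.77
"""

RC4_HMAC = 0x17
# The KDC's own account: TGT traffic, not a service ticket anyone roasts.
NOT_ROASTABLE = {"krbtgt"}


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with typed fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["timestamp"] = datetime.fromisoformat(ts)
    fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields


def is_user_service_account(service_name):
    """Computer accounts end in '$' and have machine-generated passwords;
    anything else with an SPN may carry a human-chosen password."""
    return (not service_name.endswith("$")
            and service_name.lower() not in NOT_ROASTABLE)


def detect_kerberoasting(log_text, burst_threshold=3, window=timedelta(minutes=5)):
    """Return a list of alert dicts for the two signals described above."""
    events = [parse_event(ln) for ln in log_text.splitlines() if ln.strip()]
    events = [e for e in events if e["EventID"] == "4769"]
    alerts = []

    # Rule 1: an RC4 ticket requested for a user-account SPN.
    for ev in events:
        if (ev["TicketEncryptionType"] == RC4_HMAC
                and is_user_service_account(ev["ServiceName"])):
            alerts.append({"rule": "rc4_user_spn", "user": ev["TargetUserName"],
                           "service": ev["ServiceName"], "src": ev["IpAddress"]})

    # Rule 2: one requester touching many distinct SPNs within the window.
    by_user = defaultdict(list)
    for ev in events:
        if is_user_service_account(ev["ServiceName"]):
            by_user[ev["TargetUserName"]].append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:]
                         if e["timestamp"] - start["timestamp"] <= window]
            services = {e["ServiceName"] for e in in_window}
            if len(services) >= burst_threshold:
                alerts.append({"rule": "spn_burst", "user": user,
                               "services": sorted(services), "src": start["IpAddress"]})
                break  # one burst alert per requester is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

Two caveats before wiring this into a SIEM: 4769 is only logged when the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the domain controllers, and the RC4 rule is only meaningful once service accounts actually get AES tickets by default, otherwise every legitimate request is 0x17 and the rule is noise. The burst rule carries the detection in either case; tune the threshold against a baseline of your own 4769 volume. The mitigation that removes the problem rather than detecting it is the one the post hints at: take the human out of the password, with group managed service accounts or long random passwords, and stop issuing RC4 for those accounts.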

kerbrute-py is my thin wrapper around impacket that makes the user enumeration and AS-REP roasting readable instead of cryptic. The full chain against GOAD: request the ticket, extract the hash, crack it, log back in as the account, smile. Every command documented, because the documentation is the deliverable, not the dopamine.

I still think Kerberos is overcomplicated. But I do not hate it. You cannot hate something you understand. You can only resent how long it took to get explained properly.

Last updated: 5/29/2026, 3:36:43 PM