Kerberoasting: A Real Threat of Mythological Proportions


In Greek mythology, Kerberos (also spelled Cerberus) is the three-headed hound who guards the gates of Hades. Kerberos also has a snake for a tail, snakes protruding from his body, and eyes that flash fire. He’s not the sort of creature one would want to encounter.

That’s why computer scientists at MIT chose the name Kerberos for a network authentication protocol that uses symmetric key cryptography and authenticates users through a trusted third party. When a client requests authentication, the third party verifies the client’s credentials and sends an encrypted service ticket containing those credentials along with a session key. The client sends the ticket to the resource it wants to access, and the third party verifies that the client may access the resource. A session key for the service is sent to the client, which forwards it to the service.

Because Kerberos provides much stronger defense than earlier authentication techniques, it has been widely adopted. Kerberos is used by Microsoft Windows, some Unix and Linux versions, many websites, and cross-platform single sign-on solutions. But because it is widely used, it is frequently the target of cyberattacks.

Hackers have been able to exploit a number of weaknesses. For example, a technique known as “Kerberoasting” takes advantage of the authentication process used by Windows service accounts to obtain passwords for those accounts. Like user accounts, service accounts are assigned credentials that control which resources each service can access. If those credentials are compromised, a hacker can gain access to those resources.

In a Kerberoasting attack, the hacker scans Active Directory looking for service accounts, then uses the name of a service to request a ticket from the third party. Because that ticket is encrypted with a key derived from the service account’s password, the hacker can save the ticket to a file and use offline brute force to crack the encryption. Once the key is recovered, the service account password can be read in plain text.

Don’t let the brute force nature of the attack fool you. Kerberoasting is almost impossible to detect because most of the dirty work is done offline.

Once a service account password is obtained, a hacker can move laterally through a network to obtain other credentials and use privilege escalation to gain access to the most sensitive systems. The risk associated with this form of attack is compounded because service accounts in many organizations have simple, easy-to-remember passwords and greater privileges than they need.

To minimize the risk of Kerberoasting, organizations should assign a unique, complex password for each service account and change passwords frequently. CyberArk’s Enterprise Password Vault can help secure and automatically rotate service account passwords on a regular basis.
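An audit that puts these recommendations into practice can be scripted. The Python below is an added example, not code from the original post or from CyberArk; it runs over a constructed set of Active Directory account records (in a real environment they would be read over LDAP), assumes a 90-day rotation policy and a fixed “as of” date for reproducibility, and flags every account that has a Service Principal Name (the property that makes a ticket requestable) whose password is older than the policy, that still permits RC4 or has no AES bits set in msDS-SupportedEncryptionTypes, or that belongs to a highly privileged group. The pwdLastSet conversion from the Windows FILETIME integer format is included because that is how the attribute is stored; the group names are simplified from distinguished names.

```python
"""Audit example: find service accounts exposed to Kerberoasting.

Every record in SAMPLE_ACCOUNTS is constructed for this example. Attribute
names match the Active Directory schema; msDS-SupportedEncryptionTypes bit
values are the documented Windows values.
"""
from datetime import datetime, timedelta, timezone

# Bits of msDS-SupportedEncryptionTypes
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10

MAX_PASSWORD_AGE = timedelta(days=90)          # assumed rotation policy
AS_OF = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed "now" for the example
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# pwdLastSet is stored as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    # Used only to build the sample records; AD already stores the integer.
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


SAMPLE_ACCOUNTS = [  # constructed records
    {"sAMAccountName": "sqlsvc",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "pwdLastSet": to_filetime(_utc(2019, 3, 2)),
     "msDS-SupportedEncryptionTypes": 0,            # unset: RC4 by default
     "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "websvc",
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "pwdLastSet": to_filetime(_utc(2024, 4, 15)),
     "msDS-SupportedEncryptionTypes": AES128 | AES256,
     "memberOf": []},
    {"sAMAccountName": "backupsvc",
     "servicePrincipalName": ["backup/bk01.corp.local"],
     "pwdLastSet": to_filetime(_utc(2024, 3, 1)),
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES128 | AES256,
     "memberOf": ["Backup Operators"]},
    {"sAMAccountName": "jdoe",                        # ordinary user, no SPN
     "servicePrincipalName": [],
     "pwdLastSet": to_filetime(_utc(2018, 1, 1)),
     "msDS-SupportedEncryptionTypes": 0,
     "memberOf": []},
]


def audit(accounts, as_of=AS_OF, max_age=MAX_PASSWORD_AGE):
    """Return {sAMAccountName: [issue, ...]} for SPN-bearing accounts."""
    findings = {}
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue  # no SPN: no service ticket can be requested for it
        issues = []
        age = as_of - filetime_to_datetime(acct["pwdLastSet"])
        if age > max_age:
            issues.append(f"password is {age.days} days old")
        etypes = acct.get("msDS-SupportedEncryptionTypes") or 0
        if not etypes & (AES128 | AES256):
            issues.append("AES not enabled; tickets fall back to RC4")
        elif etypes & RC4_HMAC:
            issues.append("RC4 still permitted alongside AES")
        privileged = set(acct.get("memberOf", [])) & PRIVILEGED_GROUPS
        if privileged:
            issues.append("member of " + ", ".join(sorted(privileged)))
        if issues:
            findings[acct["sAMAccountName"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ACCOUNTS).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Accounts that come out clean here (websvc) have a recent password, AES-only encryption and no privileged membership; the remaining findings are the rotation, encryption-type and least-privilege items a vaulting product would be configured to enforce. Group Managed Service Accounts, whose passwords Windows rotates automatically, are the usual way to retire the manually managed accounts this list surfaces.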

CyberArk Privileged Threat Analytics can help to identify malicious behavior associated with a Kerberoasting attack. The solution collects data from multiple sources and applies a complex combination of statistical and deterministic algorithms to identify malicious privileged activity.
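The deterministic side of such detection can be shown against the domain controller’s own audit trail. The Python below is an added example, not the original post’s or CyberArk’s code: it parses a constructed, simplified key=value export of Windows Security event 4769 (“A Kerberos service ticket was requested”; the field names TargetUserName, ServiceName, TicketEncryptionType, IpAddress and Status are the event’s real data fields, while the line layout, account names and addresses are made up) and applies two rules. The first flags a successful ticket for a user-type service account issued with RC4 (encryption type 0x17), which an AES-configured domain should rarely produce; the second flags one requester collecting tickets for many distinct user service accounts within a short window, since a normal user does not touch five services in three seconds. The thresholds are assumptions to be tuned per domain.

```python
"""Detection example: Kerberoasting-like patterns in Windows event 4769.

SAMPLE_EVENTS is constructed for this example. Real 4769 events are XML; the
one-line key=value form here is only a stand-in for a SIEM export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                      # TicketEncryptionType for RC4-HMAC
BURST_THRESHOLD = 5                  # distinct user service accounts ...
BURST_WINDOW = timedelta(seconds=60)  # ... from one requester within this window

SAMPLE_EVENTS = """\
2024-05-01T09:00:01Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.5 Status=0x0
2024-05-01T09:00:03Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x12 IpAddress=10.0.0.5 Status=0x0
2024-05-01T09:15:10Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.0.0.9 Status=0x0
2024-05-01T09:15:11Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=iissvc TicketEncryptionType=0x17 IpAddress=10.0.0.9 Status=0x0
2024-05-01T09:15:11Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=backupsvc TicketEncryptionType=0x17 IpAddress=10.0.0.9 Status=0x0
2024-05-01T09:15:12Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=reportsvc TicketEncryptionType=0x17 IpAddress=10.0.0.9 Status=0x0
2024-05-01T09:15:12Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=mqsvc TicketEncryptionType=0x17 IpAddress=10.0.0.9 Status=0x0
2024-05-01T09:15:13Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.9 Status=0x0
2024-05-01T09:40:00Z EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.0.0.7 Status=0x7
"""


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a datetime timestamp."""
    ts, *fields = line.split()
    ev = {"timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def is_user_service_account(service_name):
    # Computer accounts end in '$' and krbtgt is the KDC's own account; neither
    # has a human-chosen password, so tickets for them are not crackable targets.
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def successful_user_spn_tickets(events):
    # Only a successful request (Status 0x0) yields a ticket to take offline.
    return [ev for ev in events
            if ev.get("EventID") == "4769" and ev.get("Status") == "0x0"
            and is_user_service_account(ev["ServiceName"])]


def analyze(log_text):
    """Return a list of (rule, requester, detail) findings."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    tickets = successful_user_spn_tickets(events)
    findings = []

    # Rule 1: RC4 ticket issued for a user service account.
    for ev in tickets:
        if int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            findings.append(("rc4_user_spn", ev["TargetUserName"], ev["ServiceName"]))

    # Rule 2: one requester, many distinct user service accounts, short window.
    by_requester = defaultdict(list)
    for ev in tickets:
        by_requester[ev["TargetUserName"]].append(ev)
    for requester, evs in by_requester.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:]
                      if e["timestamp"] - start["timestamp"] <= BURST_WINDOW]
            distinct = {e["ServiceName"] for e in window}
            if len(distinct) >= BURST_THRESHOLD:
                findings.append(("spn_burst", requester, len(distinct)))
                break  # one burst finding per requester is enough
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

In the sample, alice’s two requests (one to a computer account, one AES ticket to sqlsvc) and carol’s failed request produce nothing, while bob trips both rules. Rule 1 needs a baseline: a service account that only supports RC4 will legitimately generate 0x17 tickets until it is migrated, which is one more reason to enable AES on service accounts as part of the hardening above.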

Clango’s CyberArk-certified consultants and engineers can help you develop a comprehensive strategy for securing service accounts, application accounts, and other credentials used by hardware and software. Just as Kerberos guarded the underworld, our expertise plus CyberArk tools can protect against Kerberoasting attacks.

