Kerberoasting and Silver Tickets

Kerberoasting is an attack that lets an attacker crack Active Directory (AD) service account passwords offline, with no fear of detection.

Developed by Tim Medin, Kerberoasting relies on the fact that when an AD user requests access to a service, they receive back a Kerberos ticket signed with the NTLM hash of the account running the service, which an attacker can steal — even if they are a regular domain user — and crack elsewhere.

With that service account password in hand, one can then forge a “silver ticket” for that service, creating opportunities for privilege escalation.
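The cracking happens offline, but the ticket request that precedes it is recorded on the domain controller as Security Event ID 4769. The sketch below is an added example, not code from the original post: it flags accounts that request RC4-encrypted tickets for several distinct service accounts in a short burst. The events are constructed samples already parsed into dicts, and the window and threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # RC4 etype: ticket key is the service account's NTLM hash
WINDOW = timedelta(minutes=5)    # assumed tuning value
THRESHOLD = 3                    # assumed: distinct services per requester per window

def _ev(ts, user, svc, etype, status="0x0"):
    """Build one constructed Event ID 4769 record (field names as in the Windows event)."""
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype, "Status": status}

# Constructed sample data, not real logs.
SAMPLE_EVENTS = [
    _ev("2024-01-10T09:00:05", "alice@CORP.EXAMPLE", "svc_sql", "0x17"),
    _ev("2024-01-10T09:00:07", "alice@CORP.EXAMPLE", "svc_web", "0x17"),
    _ev("2024-01-10T09:00:09", "alice@CORP.EXAMPLE", "svc_backup", "0x17"),
    _ev("2024-01-10T09:01:00", "bob@CORP.EXAMPLE", "svc_sql", "0x12"),      # AES ticket
    _ev("2024-01-10T09:02:00", "carol@CORP.EXAMPLE", "WS01$", "0x17"),      # machine account
    _ev("2024-01-10T09:02:30", "carol@CORP.EXAMPLE", "krbtgt", "0x17"),
    _ev("2024-01-10T09:00:00", "dave@CORP.EXAMPLE", "svc_sql", "0x17"),     # 20 min apart
    _ev("2024-01-10T09:20:00", "dave@CORP.EXAMPLE", "svc_web", "0x17"),
    _ev("2024-01-10T09:40:00", "dave@CORP.EXAMPLE", "svc_backup", "0x17"),
]

def is_candidate(ev):
    """Successful RC4 service-ticket request for a user-run service account."""
    svc = ev["ServiceName"].lower()
    return (ev["EventID"] == 4769 and ev["Status"] == "0x0"
            and int(ev["TicketEncryptionType"], 16) == RC4_HMAC
            and not svc.endswith("$") and svc != "krbtgt")

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Map requester -> services, for bursts of >= threshold distinct services in window."""
    by_user = defaultdict(list)
    for ev in filter(is_candidate, events):
        when = datetime.fromisoformat(ev["TimeCreated"])
        by_user[ev["TargetUserName"].lower()].append((when, ev["ServiceName"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1                      # slide the window forward
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                alerts[user] = sorted(services | set(alerts.get(user, [])))
    return alerts
```

Calling `detect(SAMPLE_EVENTS)` reports only the account that requested three RC4 service tickets within the window; AES tickets, machine accounts and `krbtgt` requests are filtered out first.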
