Although modern Active Directory environments provide graphical management tools, security analysts and attackers alike rely heavily on command-line tools and scripts to interact with the domain. Kerberos, the core authentication protocol in AD, is often targeted through attacks like AS-REP Roasting, Kerberoasting, and Password Spraying to obtain password hashes or test credentials.
What is Kerberos in Active Directory? Kerberos is a network authentication protocol used in Active Directory to securely verify users and services. It issues tickets encrypted with account credentials for authentication, allowing users to access resources without transmitting passwords in plaintext.
While Kerberos is secure in theory, misconfiguration or weak passwords can be exploited to perform offline or online attacks. Understanding these attack techniques, the tools used, and how to detect them via Windows Event IDs is critical for administrators.
AS-REP Roasting
AS-REP Roasting targets user accounts without Kerberos preauthentication enabled. Preauthentication requires the client to prove knowledge of the password before the domain controller issues a ticket. If disabled, attackers can request an AS-REP message and attempt offline cracking.
How it works:
- Attacker sends a AS-REQ request for the target account.
- Domain controller returns AS-REP, encrypted with the user’s password hash.
- Attacker attempts offline brute-force or dictionary attacks to recover the password.
Tools used:
- Impacket (GetNPUsers.py) – extract AS-REP responses.
- Rubeus – Windows post-exploitation toolkit to request AS-REP tickets.
Relevant Event IDs (EID):
- 4768 — Ticket Granting Ticket (TGT) request.
- 4771 — Failed Kerberos pre-authentication attempts (absence of preauth may indicate AS-REP Roasting).
Key points:
- Works offline; minimal traces in logs.
- Typically targets legacy or service accounts.
Kerberoasting
Kerberoasting targets service accounts with a Service Principal Name (SPN) registered in AD. Attackers request service tickets (TGS) encrypted with the service account password hash.
How it works:
- Attacker enumerates service accounts with SPNs via LDAP.
- Requests TGS tickets for these accounts.
- Extracts the hashes from TGS tickets and cracks them offline.
Tools used:
- Impacket (GetUserSPNs.py) – enumerate SPNs and request TGS.
- Rubeus – extract TGS tickets from memory or via requests.
- PowerView / PowerShell Empire – reconnaissance and extraction of tickets.
Relevant Event IDs (EID):
- 4769 — TGS ticket request (suspicious if targeting many service accounts).
- 4776 — Credential validation events.
Key points:
- Offline attack; no immediate alert for failed login attempts.
- Strong random service account passwords mitigate this risk.
Password Spraying
Password Spraying is an online attack where attackers attempt a small set of common passwords across many accounts, avoiding account lockouts.
How it works:
- Attacker selects a few common passwords (e.g., Password123!, Welcome2024).
- Tries each password against many user accounts.
- Monitors for successful logins or MFA bypass.
Tools used:
- Hydra — online password brute-force.
- CrackMapExec (CME) — password spraying on AD.
- Metasploit modules — brute-force login attempts.
- PowerShell scripts (e.g., Spray.ps1) — automated spraying.
Relevant Event IDs (EID):
- 4625 — Failed login attempts (look for distributed attempts).
- 4768 / 4769 — TGT/TGS requests (monitor for abnormal spikes).
Key points:
- Online attack; visible in logs.
- Effective against weak or default passwords.
Cheat Sheet
| Attack | Target | Tools | Offline/Online | Key Event IDs |
|---|---|---|---|---|
| AS-REP Roasting | Users without preauth | Impacket, Rubeus | Offline | 4768, 4771 |
| Kerberoasting | Service accounts with SPN | Impacket, Rubeus, PowerView | Offline | 4769, 4776 |
| Password Spraying | All users | Hydra, CrackMapExec, Metasploit, PowerShell | Online | 4625, 4768, 4769 |
Mitigation Strategies
- Enable Kerberos preauthentication for all users.
- Use strong, randomly generated passwords for service and user accounts.
- Deploy MFA/2FA to prevent compromise via stolen credentials.
- Monitor Event IDs for unusual authentication patterns or spikes in failed logins.
- Apply least privilege principle to service accounts.
Conclusion
Kerberos attacks like AS-REP Roasting, Kerberoasting, and Password Spraying exploit configuration weaknesses or weak passwords to compromise Active Directory accounts. Security analysts must understand the attack flow, tools used, and relevant Event IDs to detect and prevent these attacks. Implementing strong passwords, MFA, preauthentication, and careful monitoring of AD logs are critical for protecting enterprise environments.
