Attack Vectors
Updated 2025

Kerberos Attack Vectors

Master 16 advanced Kerberos attack techniques used by professional penetration testers and threat actors. This comprehensive guide covers exploitation methods, tools, commands, and defense strategies based on real-world scenarios [^2].

7 Critical Attacks | 8 High Severity | 7 Professional Tools | 6 Attack Categories
Attack Vector Categories
Comprehensive classification of 16 Kerberos attacks by technique, impact, and complexity

  • Credential Harvesting (3 attacks, 1 critical): Attacks focused on extracting user and service account credentials
  • Ticket Manipulation (3 attacks, 2 critical): Attacks that forge or manipulate Kerberos tickets
  • Delegation Attacks (3 attacks, 1 critical): Abuse of Kerberos delegation mechanisms
  • Privilege Escalation (4 attacks, 3 critical): Attacks that escalate privileges within the domain
  • Lateral Movement (2 attacks): Techniques for moving between systems using Kerberos

Credential Harvesting Techniques

Attacks focused on extracting user and service account credentials

Kerberoasting

Extract service account password hashes from TGS tickets

Severity: Critical
CVE: CVE-2022-33679

Prerequisites

  • Valid domain credentials
  • SPN enumeration

Impact & Consequences

Service account password compromise

Tags: kerberoasting attack, service account, spn enumeration

Attack Steps

  1. Enumerate SPNs using setspn -T domain -Q */*
  2. Request TGS tickets for service accounts
  3. Extract RC4/AES hashes from tickets
  4. Offline password cracking

Tools & Frameworks

  • Rubeus (primary)
  • Impacket GetUserSPNs
  • PowerView
  • Invoke-Kerberoast

Mitigation

  • Use strong passwords for service accounts
  • Implement Managed Service Accounts (MSA)
  • Monitor for unusual SPN enumeration
  • Enable advanced audit logging

ASREPRoasting

Extract password hashes from users without Kerberos pre-authentication

Severity: High
CVE: CVE-2021-42278

Prerequisites

  • Users with 'Do not require Kerberos preauthentication' set

Impact & Consequences

User account password compromise

Tags: asreproasting vulnerability, kerberos pre, as-rep hash

Attack Steps

  1. Enumerate users with pre-auth disabled
  2. Request AS-REP responses for target accounts
  3. Extract and crack AS-REP hashes offline
  4. Gain access to user credentials

Tools & Frameworks

  • Rubeus (primary)
  • Impacket GetNPUsers
  • PowerView

Mitigation

  • Enable Kerberos pre-authentication for all accounts
  • Use strong passwords
  • Monitor for AS-REP requests
  • Implement account lockout policies
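
The monitoring items in the Kerberoasting and ASREPRoasting mitigation lists above can be expressed as a log check. The following is an added example, not part of the original guide: it assumes Security events 4769 and 4768 for one collection interval have been exported as dictionaries keyed by their EventData field names, and the sample records, account names and the min_services threshold are constructed for illustration.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC in events 4768/4769

# Constructed sample records for one collection interval; keys mirror the
# EventData field names of Security events 4769 (service ticket requested)
# and 4768 (TGT requested). Accounts and addresses are made up.
EVENTS = [
    {"id": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"id": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"id": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"id": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "FILESRV01$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"id": 4769, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.2.14"},
    {"id": 4768, "TargetUserName": "legacy_app", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"id": 4768, "TargetUserName": "asmith", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.2.14"},
]

def kerberoast_suspects(events, min_services=3):
    """Map requester -> user-account services it got RC4 tickets for, when the
    number of distinct services reaches min_services (threshold is an assumption)."""
    rc4 = defaultdict(set)
    for e in events:
        svc = e.get("ServiceName", "")
        if e["id"] != 4769 or e.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and krbtgt use long random passwords
        rc4[e["TargetUserName"]].add(svc)
    return {who: sorted(svcs) for who, svcs in rc4.items() if len(svcs) >= min_services}

def asrep_without_preauth(events):
    """Accounts that were issued a TGT with PreAuthType 0 (no pre-authentication)."""
    return sorted({e["TargetUserName"] for e in events
                   if e["id"] == 4768 and e.get("PreAuthType") == "0"})
```

RC4 tickets also occur legitimately where accounts or hosts have not been moved to AES, so tune the threshold against a baseline before alerting.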

Password Spraying

Test common passwords against multiple accounts

Severity: Medium

Prerequisites

  • Valid user enumeration

Impact & Consequences

Account compromise, lockout avoidance

Tags: password spraying, credential stuffing, account lockout

Attack Steps

  1. Enumerate valid usernames
  2. Test common passwords (avoid lockout)
  3. Monitor failed authentication attempts
  4. Target high-value accounts

Tools & Frameworks

  • Kerbrute (primary)
  • CrackMapExec
  • Spray-Passwords

Mitigation

  • Implement account lockout policies
  • Monitor for authentication failures
  • Use complex password requirements
  • Implement multi-factor authentication
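
Lockout policies count failures per account, which is the counter that spraying deliberately stays under, so monitoring for authentication failures has to pivot on the source instead. Added example, not from the original guide: it assumes event 4771 (Kerberos pre-authentication failed) records exported as dictionaries, and the sample events, addresses and thresholds are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = "0x18"  # event 4771 Status: pre-authentication failed (wrong password)

def make_events():
    """Constructed sample data shaped like event 4771 fields."""
    t0 = datetime(2025, 1, 10, 8, 0, 0)
    events = [  # one source, one guess per account, 20 s apart
        {"id": 4771, "time": t0 + timedelta(seconds=20 * i), "TargetUserName": f"user{i:02d}",
         "IpAddress": "::ffff:10.0.9.50", "Status": "0x18"} for i in range(6)]
    events += [  # a user mistyping their own password four times
        {"id": 4771, "time": t0 + timedelta(seconds=5 * i), "TargetUserName": "asmith",
         "IpAddress": "::ffff:10.0.2.14", "Status": "0x18"} for i in range(4)]
    return events

def spray_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Sources whose bad-password failures hit >= min_accounts distinct accounts
    inside one window. Pivoting on the source catches attempts that stay under
    every per-account lockout counter."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4771 and e["Status"].lower() == BAD_PASSWORD:
            ip = e["IpAddress"].replace("::ffff:", "", 1)  # strip IPv4-mapped prefix
            by_source[ip].append((e["time"], e["TargetUserName"].lower()))
    findings = {}
    for ip, hits in by_source.items():
        hits.sort()
        for start, _ in hits:
            per_account = Counter(u for t, u in hits if start <= t <= start + window)
            if len(per_account) >= min_accounts:
                findings[ip] = {"accounts": len(per_account),
                                "max_per_account": max(per_account.values())}
                break
    return findings
```

A low max_per_account next to a high account count is the pattern that separates spraying from one user repeatedly mistyping a password.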
Essential Kerberos Attack Tools
Professional-grade tools used by penetration testers and security researchers for Kerberos assessment

Rubeus

Windows

C# toolset for raw Kerberos interaction and abuses

Key Capabilities:

asktgt: Request TGT with password/hash
asktgs: Request TGS for specific SPN
kerberoast: Perform Kerberoasting attack


Impacket Suite

Cross-platform

Python classes for working with network protocols including Kerberos

Key Capabilities:

GetUserSPNs.py: Kerberoasting
GetNPUsers.py: ASREPRoasting
getTGT.py: Request TGT


Mimikatz

Windows

Advanced Windows credential extraction and manipulation

Key Capabilities:

kerberos::list: List cached tickets
kerberos::ptt: Pass-the-ticket
kerberos::golden: Generate golden tickets


PowerView

Windows PowerShell

PowerShell-based Active Directory enumeration

Key Capabilities:

Get-DomainUser: Enumerate domain users
Get-DomainComputer: Enumerate domain computers
Get-DomainSPNTicket: Request SPN tickets


BloodHound

Cross-platform

Graph-based Active Directory analysis platform

Key Capabilities:

SharpHound.exe: Windows-based collector
bloodhound-python: Python-based collector
azurehound: Azure AD collector


Kerbrute

Cross-platform

Fast Kerberos username and password enumeration

Key Capabilities:

userenum: Enumerate valid usernames
passwordspray: Password spraying attacks
bruteuser: Brute force single user


CrackMapExec

Cross-platform

Network service exploitation framework

Key Capabilities:

SMB with Kerberos authentication
WinRM with Kerberos tickets
LDAP enumeration and attacks


Typical Attack Timeline & Progression
Common progression of Kerberos-based attacks in enterprise environments with real-world examples

1. Initial Access & Reconnaissance (1-7 days)

Phishing campaigns, credential stuffing, SPN enumeration, BloodHound analysis

  • Email phishing
  • Password spraying
  • SPN discovery
  • Domain mapping

2. Credential Harvesting (1-3 days)

Kerberoasting, ASREPRoasting, password spraying attacks against service accounts

  • Kerberoasting
  • ASREPRoasting
  • Targeted spraying
  • Hash cracking

3. Privilege Escalation (hours to days)

DCSync, Zerologon, PrintNightmare, delegation abuse for administrative access

  • DCSync attacks
  • CVE exploitation
  • Delegation abuse
  • Local escalation

4. Lateral Movement (ongoing)

Pass-the-ticket, overpass-the-hash, cross-domain attacks for network propagation

  • Pass-the-ticket
  • Overpass-the-hash
  • WMI/SMB abuse
  • RDP hijacking

5. Persistence & Evasion (long-term)

Golden tickets, silver tickets, skeleton keys, advanced evasion techniques

  • Golden tickets
  • Backdoor accounts
  • Registry persistence
  • Log evasion
