Kerberoasting without SPNs

Service principal names (SPNs) are records in an Active Directory (AD) database that show which services are registered to which accounts:

An example of an account that has SPNs

If an account has an SPN or multiple SPNs, you can request a service ticket to one of these SPNs via Kerberos, and since a part of the service ticket will be encrypted with the key derived from the account’s password, you will be able to brute force this password offline. This is how Kerberoasting works.

There is a way to remove the need for SPNs in this attack. I’ll show how it could be done, how it works, and when it could be useful.

Continue reading