What is Kerberoasting and how does it work?
Kerberoasting is a domain penetration technique where an attacker obtains a service ticket (TGS) for a service running under a domain user account, then cracks the ticket offline to recover the account's plaintext password. The attack exploits the Kerberos authentication process: any domain user can request a TGS for any service, and the TGS is encrypted with the NTLM hash of the service account's password, allowing brute-force cracking. For a full breakdown, see Domain Penetration - Kerberoasting.
Kerberoasting, TGS, service ticket, brute-force, NTLM hash, domain penetration