What Is Kerberoasting?

Kerberoasting is a cyberattack that mainly targets Windows networks by exploiting the Kerberos authentication protocol. This attack specifically targets service accounts associated with services rather than individual users within the Active Directory (AD) environment. Attackers leverage Kerberoasting to steal credentials by requesting Ticket-Granting Service (TGS) tickets and then cracking the tickets' encrypted content offline to reveal service account passwords.

What Is Kerberos?

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. It is the default authentication method for Windows Active Directory environments. Kerberos works on the basis of "tickets" that allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

How Does Kerberos Work?

Kerberos operates using a client-server model and relies on a trusted third party to mediate between them. Here are the key steps in the Kerberos authentication process:

1. Authentication Service (AS) Request: The client requests an authentication ticket from the Kerberos Key Distribution Center (KDC).
2. Ticket Granting Ticket (TGT): If the client is verified, the KDC issues a TGT encrypted using the client's password/key.
3. Ticket Granting Service (TGS) Request: To access a particular service, the client uses the TGT to request another ticket from the TGS, a part of the KDC.
4. Service Access: The client presents the service ticket to the service server. The service server verifies the ticket and grants or denies the service.

How Does Kerberoasting Exploit the Kerberos Protocol?

Kerberoasting exploits the TGS part of the Kerberos protocol. Attackers abuse the functionality of the Service Principal Names (SPNs) - identifiers given to services running on servers. Here’s how it works:

• The attacker, who already has basic user credentials, requests TGS tickets for services.
• These tickets are encrypted with the service's password.
• The attacker then extracts these tickets and cracks them offline to discover service account passwords.

How to Detect Kerberoasting?

Detection of Kerberoasting can be challenging due to its reliance on legitimate network functions. However, certain signs can help identify suspicious activities:

• High Volume of TGS Requests: An unusually high number of Ticket Granting Service (TGS) requests may indicate an attempt to request service tickets for offline cracking.
• Anomalies in Service Ticket Requests: Requests for service tickets that do not follow typical user behavior patterns can be a red flag.
• Unusual Access Patterns: Access requests to services at odd hours or from unexpected locations can suggest misuse of stolen credentials.
• Repeated Access Denied Alerts: Multiple failed attempts to use service accounts can indicate an attacker trying to leverage cracked credentials.
• Irregular Service Account Activities: Service accounts performing unusual actions that do not align with their configured permissions or typical behavior could suggest compromised credentials.

How to Respond to a Kerberoasting Attack?

Responding effectively to a Kerberoasting attack involves several key steps to mitigate damage and prevent future incidents:

• Identify Compromised Accounts: Quickly determining which accounts have been compromised is critical to understanding the scope of the attack.
• Isolation of Affected Systems: Isolate compromised systems from the network to prevent further lateral movement or data exfiltration.
• Credential Reset: Immediately reset passwords for compromised accounts, especially service accounts known to have been targeted.
• Root Cause Analysis: Investigate how the attackers gained initial access and what vulnerabilities were exploited to perform the attack.
• Recovery and Monitoring: Restore affected systems from backups if necessary and enhance monitoring to detect signs of persistence or return.

How to Prevent Kerberoasting?

Preventing Kerberoasting involves strengthening the security of Kerberos authentication and using tools to identify and remediate vulnerabilities:

• Enforce Strong Authentication Policies: Implement strong password policies and consider using multi-factor authentication (MFA) for service accounts.
• Regularly Update and Patch Systems: Keep systems and software up-to-date to mitigate known vulnerabilities that could be exploited in the attack.
• Use Advanced Encryption: Configure service accounts to use AES encryption instead of older protocols like RC4 to enhance the security of Kerberos tickets.
• Security Tools and Audits: Utilize tools like BloodHound to analyze Active Directory permissions and identify potential attack paths. Regular audits can help ensure that no excessive permissions are granted to service accounts.
• Educational Training: Train IT staff and users on the risks of Kerberoasting and the importance of security best practices, including the need for strong, unique passwords for service accounts.

 

How to Perform Kerberoasting?

Follow these steps to replicate a Kerberoasting attack in your environment to test your defenses:

1. Access and Environment Setup: Gain access to an Active Directory environment as a standard user without administrative privileges.
2. Enumerating Service Accounts with SPNs: Utilize tools like AdFind to identify service accounts with Service Principal Names (SPNs), as these accounts are potential targets for Kerberoasting.
3. Extracting TGS Tickets: Employ Rubeus, a tool detailed on its GitHub page, to request Ticket Granting Service (TGS) tickets for the service accounts identified.
4. Cracking the Tickets: Crack the encrypted part of the TGS tickets using Hashcat, a password-cracking tool, to reveal weak passwords of service accounts potentially.
5. Analyzing and Mitigating Risks: Assess the strength of the cracked passwords and enhance password policies accordingly to bolster security.

References:

1. MITRE ATT&CK: Steal or Forge Kerberos Tickets: Kerberoasting
2. SpecterOps: When Kirbi walks the Bifrost
3. Hashcat: Hashcat GitHub Repository
4. BloodHound: BloodHound GitHub Repository
5. Joeware: AdFind Tool
6. Rubeus: Rubeus GitHub Repository