What is a Kerberoasting Attack?

Learn and explore the Kerberoasting attack, where attackers crack Kerberos ticket hashes for unauthorized access.

Thursday, 23 May, 2024

Kerberoasting attack - Cyberwarehub

Kerberos is a network authentication protocol that ensures secure authentication for users and services over a non-secure network using secret-key cryptography to verify identities and maintain secure communications.

Key Features of Kerberos:

What is a Kerberoasting attack?

Kerberoasting is a post-exploitation technique aiming to extract a password hash from an Active Directory Service Principal Name (SPN). In this attack, a domain user requests a Kerberos ticket for an SPN encrypted with the service account's password hash. The adversary then cracks the hash offline using brute force methods.

Once the service account's plaintext credentials are obtained, the attacker can impersonate the account owner and gain access to associated systems, assets, or networks.

Kerberoasting attacks evade detection because:
  • Traditional cybersecurity tools often do not monitor or analyze approved user behaviors effectively.
  • These attacks involve no malware, rendering antivirus solutions and other traditional defenses ineffective.

How does it work?

Kerberoasting exploits weaknesses in Active Directory's Kerberos authentication, enabling attackers to request and extract encrypted service tickets. These tickets are protected with the password hashes of service accounts, which attackers then attempt to crack offline to obtain plaintext passwords, thereby gaining unauthorized access to systems and networks. Let's walk through each step.

  1. Initial Access:

The attacker gains access to the network as an authenticated domain user. This can be done through methods like phishing, exploiting vulnerabilities, or using previously stolen credentials.

  2. Enumerating SPNs:

The attacker identifies Service Principal Names (SPNs) in the Active Directory. SPNs link a service instance to a service logon account.

  3. Requesting Kerberos Tickets:

The attacker requests Kerberos service tickets (TGS) for the identified SPNs. The Key Distribution Center (KDC) responds by issuing the requested service tickets.

  4. Extracting Tickets:

The service tickets, encrypted with the service account's NTLM password hash, are extracted by the attacker from memory or network traffic.

  5. Cracking Passwords Offline:

The attacker takes the extracted tickets offline and uses tools like Hashcat or John the Ripper to crack the password hash via brute force or dictionary attacks.

  6. Compromising the Service Account:

Once the plaintext password is obtained, the attacker can impersonate the service account, gaining access to any systems, services, or data that the compromised account can access.

Conclusion:

Kerberoasting is a targeted attack where attackers extract password hashes from Kerberos service tickets to crack them offline, enabling unauthorized access to service accounts and lateral movement within the network. To combat this, organizations should enforce strong, complex passwords for service accounts, rotate passwords regularly, and monitor for unusual Kerberos ticket activity. By implementing these best practices, organizations can secure their Active Directory environments against Kerberoasting, protecting sensitive data and ensuring robust network security.
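The "monitor for unusual Kerberos ticket activity" advice above, and the ticket-request step in the walkthrough, can be turned into concrete detection logic. The following is an added example (not code from the original post or from Cyberwarehub) that scans constructed Windows Event ID 4769 style records for two signals: RC4-HMAC (encryption type 0x17) service tickets requested for non-machine SPNs, and one account requesting many distinct SPNs in a short window. The event format, sample values and thresholds are assumptions for illustration; a real deployment would parse the actual event fields and tune the thresholds.

```python
"""Flag Kerberoasting-style TGS request patterns in constructed 4769 records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: time, requesting account, service name, ticket etype.
# 0x12 = AES256-CTS-HMAC-SHA1-96, 0x17 = RC4-HMAC (the crackable case).
SAMPLE_EVENTS = [
    "2024-05-23T10:00:01 alice svc_sql 0x12",
    "2024-05-23T10:00:05 bob svc_sql 0x17",
    "2024-05-23T10:00:06 bob svc_web 0x17",
    "2024-05-23T10:00:07 bob svc_backup 0x17",
    "2024-05-23T10:00:08 bob svc_report 0x17",
    "2024-05-23T10:00:09 bob svc_ci 0x17",
    "2024-05-23T10:30:00 carol WS01$ 0x17",
]


@dataclass
class Tgs:
    when: datetime
    account: str
    service: str
    etype: int


def parse(line: str) -> Tgs:
    """Parse one constructed record into a Tgs object (etype given in hex)."""
    t, acct, svc, etype = line.split()
    return Tgs(datetime.fromisoformat(t), acct, svc, int(etype, 16))


def rc4_user_spn_requests(events):
    """RC4 (0x17) tickets for service accounts; machine accounts end in '$'."""
    return [e for e in events if e.etype == 0x17 and not e.service.endswith("$")]


def spn_bursts(events, window=timedelta(minutes=5), threshold=4):
    """Accounts that request >= threshold distinct SPNs within one window."""
    by_acct = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        by_acct[e.account].append(e)
    flagged = {}
    for acct, evs in by_acct.items():
        for i, start in enumerate(evs):
            spns = {x.service for x in evs[i:] if x.when - start.when <= window}
            if len(spns) >= threshold:
                flagged[acct] = len(spns)
                break
    return flagged
```

Running both checks over the sample data flags only `bob`: five RC4 tickets for distinct service accounts in four seconds, while `alice` (AES ticket) and `carol` (machine account SPN) are not reported.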

Happy Learning!!