Attack Technique 3: Kerberoasting

Kerberoasting: A Comprehensive Overview and Mitigation Strategies

Kerberoasting is a post-exploitation technique leveraged by attackers in Active Directory (AD) environments to extract and crack the password hashes of service accounts. These service accounts often have Service Principal Names (SPNs), which are identifiers for specific services within a network. Kerberoasting capitalizes on weaknesses in the Kerberos authentication protocol, enabling attackers to obtain valuable credentials without direct interaction with the target systems.

Understanding Kerberoasting

Kerberoasting involves the abuse of the Kerberos Ticket Granting Service (TGS). Here’s how it works:

  1. ServicePrincipalName (SPN): Service accounts in AD are often linked to SPNs, which map to specific services running on the network.

  2. Ticket Granting Service (TGS): When a client requests access to a service, the Domain Controller (DC) issues a service ticket encrypted with the service account’s password hash.

Attack Process

  1. Target Identification:

    • Attackers enumerate AD accounts linked to SPNs (typically service accounts) using tools like Impacket, Rubeus, or PowerShell.

  2. Service Ticket Request:

    • Attackers request TGS tickets for identified SPNs. The tickets are encrypted using the service account’s password hash.

  3. Extraction and Offline Cracking:

    • The encrypted TGS is captured, and the attacker extracts the password hash offline.

    • Using brute-force or dictionary attacks, tools such as John the Ripper or Hashcat are employed to crack the hash and recover the plaintext password.

  4. Privilege Abuse:

    • Once the service account password is obtained, attackers use the compromised credentials for privileged access, lateral movement, or further exploitation.

Comparison: Kerberoasting vs. Pass-the-Ticket (PtT)

Technique

Kerberoasting

Pass-the-Ticket (PtT)

Focus

Cracking service account password hashes offline

Reusing stolen Kerberos Ticket Granting Tickets (TGTs)

Goal

Obtain plaintext service account credentials

Impersonate users without knowing their passwords

Method

Request TGS tickets for SPNs, crack hashes offline

Reuse stolen TGTs for lateral movement and privilege escalation

Use Case

Offline attack to gain privileged access

Directly leverage Kerberos tickets for lateral movement

Tools and Techniques to Perform Kerberoasting

Tool 1: Impacket

Impacket provides Python-based tools for working with network protocols, including Kerberos. The GetUserSPNs.py script is widely used in Kerberoasting.

Step 1: Enumerating SPNs and Requesting TGS Tickets

Command Syntax:

GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip <KDC_IP> 'DOMAIN/USER:Password'

Flags:

  • -outputfile: Specifies the file to store the obtained password hashes.

  • -dc-ip: Specifies the IP of the domain controller.

Example:

GetUserSPNs.py -outputfile kerberoastables.txt -hashes 'LMhash:NThash' -dc-ip <KDC_IP> 'DOMAIN/USER'

Step 2: Offline Cracking

Once TGS tickets are obtained, tools like John the Ripper or Hashcat are used to crack the password hashes.

  • John the Ripper Command:

    john --format=krb5tgs --wordlist=<wordlist> kerberoastables.txt

  • Hashcat Command:

    hashcat -m 13100 -a 0 kerberoastables.txt <wordlist>

Tool 2: Rubeus

Rubeus is a C# tool for Kerberos-related attacks.

Step 1: Requesting TGS Tickets

Rubeus.exe kerberoast /simple /outfile:passwordhashes.txt

Step 2: Extracting Password Hashes

The extracted hashes are saved to a file for offline cracking using tools like Hashcat.

Step 3: Cracking the Password

hashcat -m 13100 -a 0 passwordhashes.txt <wordlist>

Detection Techniques

Kerberoasting can be detected by monitoring Windows Event Logs for abnormal patterns.

Key Event IDs:

  1. Event ID 4769:

    • Description: A Kerberos Service Ticket was requested.

    • Key Fields: Account Name, Service Name, Client Address.

  2. Event ID 4770:

    • Description: A Kerberos Service Ticket was renewed.

    • Key Fields: Account Name, User ID, Service Name, Service ID.

Monitoring Strategies:

  • Correlate multiple service ticket requests from the same user.

  • Investigate anomalous or high-volume requests for SPNs.

Mitigation Techniques

  1. Kerberos Flexible Authentication Secure Tunneling (FAST):

    • Also known as Kerberos Armoring, it provides a secure channel between the client and the DC, making it harder to intercept and abuse Kerberos tickets.

  2. Eliminate Insecure Protocols:

    • Disable RC4 and enforce the use of AES128 or AES256 encryption by configuring service accounts with:

      msDS-SupportedEncryptionTypes = 0x18 (decimal 24)

  3. Adopt Strong Password Practices:

    • Use long, randomly generated passwords (at least 30 characters) for service accounts.

    • Rotate service account passwords frequently.

  4. Monitor and Audit SPN Accounts:

    • Regularly review SPNs in AD and limit their use to minimize the attack surface.

  5. Enable Account Lockout Policies:

    • Set policies to lock accounts after several failed login attempts to disrupt brute-force attacks.

  6. Segment Privileged Accounts:

    • Restrict service accounts from interacting with sensitive systems or having excessive privileges.

Conclusion

Kerberoasting represents a significant threat to Active Directory environments, enabling attackers to exploit service accounts and gain elevated privileges. By leveraging tools such as Impacket and Rubeus, adversaries can extract and crack service account credentials offline.

To defend against this technique, organizations must implement robust detection and mitigation strategies, including Kerberos Armoring, strong password policies, and continuous monitoring of event logs. Through proactive measures, organizations can reduce the risk of Kerberoasting and safeguard their network infrastructure against credential-based attacks.

PreviousAttack Technique 2: Pass the Ticket: Use of Alternate Authentication Material (T1550)NextAttack Technique 4: Golden Ticket Attack

Last updated