Kerberoasting – What is it?

Kerberoasting is a post-exploitation attack technique in which an attacker extracts service account credentials from the Kerberos authentication system in a Windows Active Directory (AD) environment. The attacker can then attempt to crack the extracted credentials offline to gain unauthorized access to privileged accounts.

Technical Breakdown of Kerberoasting:

1. Understanding Kerberos Authentication

Kerberos is a network authentication protocol that relies on ticket-based authentication. It consists of:

  • Key Distribution Center (KDC) – A service running on the Domain Controller (DC) that issues tickets.
  • Ticket Granting Ticket (TGT) – Issued to users after authentication, allowing them to request service tickets.
  • Service Principal Name (SPN) – A unique identifier for a service associated with an Active Directory account.

2. Attack Prerequisites

For a successful Kerberoasting attack, the attacker needs:

  • A valid domain user account (even a low-privileged one).
  • Access to request service tickets for services running under AD service accounts.

3. Attack Execution Steps

Step 1: Enumerate Service Accounts

The attacker first identifies service accounts associated with SPNs by using tools like:

  • setspn.exe -T domain -Q */*
  • PowerShell scripts (e.g., Get-SPN in PowerView)
  • Rubeus.exe

Step 2: Request a Service Ticket (TGS)

Using the kinit command (on Linux) or PowerShell, the attacker requests a Ticket Granting Service (TGS) ticket for a service account.

Example:

GetUserSPNs.py domain/user:password -request

The TGS is encrypted using the NTLM hash of the service account’s password.

Step 3: Extract the Ticket from Memory

Once the TGS is obtained, the attacker extracts the ticket from memory using:

  • Mimikatz: sekurlsa::tickets
  • Rubeus: Rubeus.exe dump /format:kirbi
  • PowerShell scripts to read klist output

Step 4: Offline Brute-Force Cracking

Since the TGS is encrypted with the NTLM hash of the service account, the attacker can perform an offline brute-force attack using tools like:

  • Hashcat: hashcat -m 13100 extracted_hash wordlist.txt
  • John the Ripper: john --format=krb5tgs --wordlist=wordlist.txt extracted_hash

If the password is weak, it can be cracked, granting the attacker access to the service account.

4. Impact of Kerberoasting

  • Privilege escalation if the cracked account has elevated permissions.
  • Lateral movement within the network.
  • Potential domain compromise if a highly privileged account is cracked.

5. Mitigation Strategies

  • Use strong passwords for service accounts (long and complex).
  • Rotate service account passwords regularly.
  • Enforce Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs).
  • Implement monitoring and alerting for anomalous Kerberos ticket requests.
  • Disable RC4 encryption in Kerberos (enforce AES) to make offline cracking of service tickets harder.
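One way to implement the monitoring bullet above, as an added example that is not part of the original article: it scans Windows Security Event ID 4769 ("A Kerberos service ticket was requested") records for a single user account requesting RC4-encrypted service tickets for many distinct SPNs inside a short window, which is the footprint the enumerate-and-request steps described earlier leave in the log. The field names follow the 4769 event; the records themselves are constructed sample data, and the thresholds are assumptions to tune per environment.

```python
"""Flag Kerberoasting-style bursts in Windows Security Event ID 4769 records.
Added example, not from the article; the records below are constructed sample
data, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC (AES128 = 0x11, AES256 = 0x12)


def detect_kerberoasting(events, min_spns=3, window=timedelta(minutes=5)):
    """Return {account: sorted SPNs} for user accounts that requested RC4-encrypted
    service tickets for at least `min_spns` distinct SPNs inside one `window`."""
    per_user = defaultdict(list)  # account -> [(timestamp, SPN)]
    for ev in events:
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        account = ev["TargetUserName"].split("@")[0]
        # Computer accounts end in '$' and request many tickets legitimately;
        # krbtgt entries are TGT renewals, not service tickets of interest.
        if account.endswith("$") or ev["ServiceName"].lower() == "krbtgt":
            continue
        per_user[account].append((ev["time"], ev["ServiceName"]))

    findings = {}
    for account, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window anchored at each request
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                findings[account] = sorted(spns)
                break
    return findings


def _ev(ts, user, spn, etype):
    """Build one 4769-shaped record (constructed, for the sample data below)."""
    return {"EventID": 4769, "time": datetime.fromisoformat(ts), "TargetUserName": user,
            "ServiceName": spn, "TicketEncryptionType": etype}


SAMPLE_EVENTS = [  # constructed: one RC4 burst, normal AES traffic, a machine account, a lone RC4 request
    _ev("2024-05-01T09:00:01", "alice@CORP.EXAMPLE", "sqlsvc", "0x17"),
    _ev("2024-05-01T09:00:02", "alice@CORP.EXAMPLE", "iissvc", "0x17"),
    _ev("2024-05-01T09:00:03", "alice@CORP.EXAMPLE", "backupsvc", "0x17"),
    _ev("2024-05-01T09:00:04", "alice@CORP.EXAMPLE", "reportsvc", "0x17"),
    _ev("2024-05-01T09:05:00", "bob@CORP.EXAMPLE", "sqlsvc", "0x12"),      # AES256, expected
    _ev("2024-05-01T09:06:00", "bob@CORP.EXAMPLE", "iissvc", "0x12"),
    _ev("2024-05-01T09:07:00", "WS01$@CORP.EXAMPLE", "sqlsvc", "0x17"),    # machine account, excluded
    _ev("2024-05-01T10:00:00", "carol@CORP.EXAMPLE", "sqlsvc", "0x17"),    # single request, below threshold
]

if __name__ == "__main__":
    for account, spns in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: RC4 service tickets for {len(spns)} SPNs: {', '.join(spns)}")
```

Accounts that legitimately hold many RC4-only SPNs (legacy services) will need an allow-list, and the AES-only traffic from bob shows why the RC4 mitigation above also shrinks the detection problem.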
