Understanding and Mitigating the Dangers of Kerberoasting Attacks

Listen to the article
Voiced by Amazon Polly

Introduction

In this article, we will learn about the popular and dangerous Kerberoasting attack method used by hackers and how to protect your organization’s service accounts and data from compromise. We will explore the complexity of prevention and detection, and discuss the best mitigation options, including strong passwords and group Managed Service Accounts (gMSA).

Why is the kerberoasting attack so popular among hackers?

  1. Exploitation of weakness without high privileges
  2. Preventing the attack is very complex
  3. detecting the attack is very problematic

What is a Kerberoasting Attack?

Let’s start from the beginning and understand how authentication works for Active Directory users. When a user logs in to their computer in an Active Directory environment, they first receive a ticket called the Ticket Granting Ticket (TGT) from the domain controller. This ticket contains user information, such as security group membership and their level of permissions on the network. After the user receives a trusted TGT ticket, they can continue on to various services on the local network and receive a new ticket type called the Ticket Granting Service (TGS) ticket. This ticket grants the user kerberoast delegation on behalf of the server.

TGS Ticket request

Cracking the ticket that belongs to the service user by receiving a TGS ticket is known as a Kerberoasting attack.

The Invoke-Kerberoast.ps1 script is a common tool for scanning for SPN users and requesting TGS tickets from domain controllers.

Request TGS ticket and crack it using hashcat tool
TGT Ticket request

Cracking TGS ticket with Hashcat

To crack TGS tickets with Hashcat, you will need to obtain the hash of the ticket and use Hashcat to perform a dictionary, brute-force, or mask attack on the hash.

The specific steps to perform the attack will depend on the information you have about the target TGS ticket for examples the length of the password, and any known characters or patterns in the password.

hashcat.exe -a  0 spn_hash.txt -m 13100 rockyou.txt

Cyber attack stages

Why is the kerberoasting attack so dangerous?

Kerberoasting is a dangerous attack because it allows an attacker to extract the encrypted service account credentials from a target system, which can then be used to gain elevated access to other resources within the network.

The encrypted credentials can be decrypted offline using brute-force methods, making the attack difficult to detect and mitigate.

Once the attacker has access to the encrypted credentials, they can use them to impersonate a trusted service account and move laterally within the network, potentially gaining access to sensitive information or systems.

Kerberoasting is especially dangerous in environments where service accounts have excessive privileges, as these privileges can be abused to cause significant harm.

In the diagram below, we can see how hackers can use a service user that has been cracked to access the SQL server.

If the service user has higher privileges than a normal user, the hacker can use this service account to access more domain resources

kerberoasting attack technic and lateral movement and compromise domain
Lateral movement using a service User

Kerberoasting mitigation options

  1. if user run on server as service user, you can protect him by using complex password with at least 25 characters
    1. can only be applied to windows service account
  2. if user run as appool account or using for task scheduler, can be set up as gMSA accounts
    1. Setting up this type of user will prevent the attack because
      1. The user has a 124-character password by default
      2. The password will change automatically every 30 days
      3. no clear text password used by appool users

Summary

In this article, we delve into the specifics of the Kerberoasting attack method, a popular and dangerous way for hackers to exploit vulnerabilities in Active Directory environments without high privileges. We discuss the challenges of preventing and detecting this type of attack, and offer recommendations for mitigating the risk, including using strong passwords for service accounts and implementing gMSA accounts. Stay informed and stay safe from Kerberoasting threats.

References

group managed service accounts overview

Like this article?

You may also enjoy these articles

SearchSploit: Guide to Exploit Database Search

Searchsploit is a command-line tool that allows users to search the Exploit Database, which is a repository of publicly disclosed vulnerabilities and exploitation techniques. It

fuzzing with ffuf tool

Guide to FFUF tool – Web Application Fuzzing

FFUF is a powerful and flexible open-source tool for performing web application fuzzing. Whether you’re a security professional looking to identify vulnerabilities or a developer

Guide to sqlmap tool – sql injection

SQLmap is an powerful open source tool used by hackers to detect and exploit SQL
injection flaws. SQLmap automates the process of detecting and

Hydra

Hydra tool make password cracking to easy task, hydra can brute Force multiple protocols and services like ftp irc ldap2[s] ldap3 mongodb mssql mysql

Scroll to Top