|
Listen to the article
 |
Introduction
In this article, we will learn about the popular and dangerous Kerberoasting attack method used by hackers and how to protect your organization’s service accounts and data from compromise. We will explore the complexity of prevention and detection, and discuss the best mitigation options, including strong passwords and group Managed Service Accounts (gMSA).
Why is the kerberoasting attack so popular among hackers?
- Exploitation of weakness without high privileges
- Preventing the attack is very complex
- detecting the attack is very problematic
What is a Kerberoasting Attack?
Let’s start from the beginning and understand how authentication works for Active Directory users. When a user logs in to their computer in an Active Directory environment, they first receive a ticket called the Ticket Granting Ticket (TGT) from the domain controller. This ticket contains user information, such as security group membership and their level of permissions on the network. After the user receives a trusted TGT ticket, they can continue on to various services on the local network and receive a new ticket type called the Ticket Granting Service (TGS) ticket. This ticket grants the user kerberoast delegation on behalf of the server.
TGS Ticket request
Cracking the ticket that belongs to the service user by receiving a TGS ticket is known as a Kerberoasting attack.
The Invoke-Kerberoast.ps1 script is a common tool for scanning for SPN users and requesting TGS tickets from domain controllers.
Cracking TGS ticket with Hashcat
To crack TGS tickets with Hashcat, you will need to obtain the hash of the ticket and use Hashcat to perform a dictionary, brute-force, or mask attack on the hash.
The specific steps to perform the attack will depend on the information you have about the target TGS ticket for examples the length of the password, and any known characters or patterns in the password.
hashcat.exe -a 0 spn_hash.txt -m 13100 rockyou.txtCyber attack stages
Why is the kerberoasting attack so dangerous?
Kerberoasting is a dangerous attack because it allows an attacker to extract the encrypted service account credentials from a target system, which can then be used to gain elevated access to other resources within the network.
The encrypted credentials can be decrypted offline using brute-force methods, making the attack difficult to detect and mitigate.
Once the attacker has access to the encrypted credentials, they can use them to impersonate a trusted service account and move laterally within the network, potentially gaining access to sensitive information or systems.
Kerberoasting is especially dangerous in environments where service accounts have excessive privileges, as these privileges can be abused to cause significant harm.
In the diagram below, we can see how hackers can use a service user that has been cracked to access the SQL server.
If the service user has higher privileges than a normal user, the hacker can use this service account to access more domain resources
Kerberoasting mitigation options
- if user run on server as service user, you can protect him by using complex password with at least 25 characters
- can only be applied to windows service account
- if user run as appool account or using for task scheduler, can be set up as gMSA accounts
- Setting up this type of user will prevent the attack because
- The user has a 124-character password by default
- The password will change automatically every 30 days
- no clear text password used by appool users
- Setting up this type of user will prevent the attack because
Summary
In this article, we delve into the specifics of the Kerberoasting attack method, a popular and dangerous way for hackers to exploit vulnerabilities in Active Directory environments without high privileges. We discuss the challenges of preventing and detecting this type of attack, and offer recommendations for mitigating the risk, including using strong passwords for service accounts and implementing gMSA accounts. Stay informed and stay safe from Kerberoasting threats.
