Kerberoasting attacks remain an enduring headache for IT professionals, allowing hackers to escalate privileges and reach the highest levels of your Active Directory (AD) environment. But by enforcing robust passwords, encryption, and cybersecurity policies, you can disrupt the criminals before they even begin.
The term Kerberoasting refers to ‘Kerberos’, the authentication protocol that Microsoft’s AD uses to verify the identity of computers or users requesting access to specific resources.
The attack’s power lies in its escalatory nature. A cybercriminal can begin by exploiting any standard Windows user account in AD, accessed through the usual roster of criminal techniques: malware, phishing, etc.
However, the attacker’s real goal is to target ‘service accounts’, identifiable by their Service Principal Name (SPN). These are the types of accounts that run Windows services and aren’t typically used by regular users.
Service accounts are attractive to attackers because they often hold high-level permissions across services and, in some cases, even domain administrator rights.
How Kerberoasting works in Active Directory
So how does an attacker jump from a normal user account to a service account? The danger lies in the system’s ticket-granting mechanism within Kerberos.
The Kerberos protocol conveys a user’s authentication state in a message called a ‘service ticket’. Any user with an AD account can request a ticket for any service account in AD from the ticket-granting service (TGS). This means that, using the ordinary user account under their control, an attacker can request a service ticket tied to an SPN.
Hackers can identify such accounts quite easily by using free, open-source tools like SecureAuth Corporation’s GetUserSPNs.py or Ghost Pack’s Rubeus. These tools can also automatically request a valid ticket associated with these service accounts.
Each ticket is encrypted with the hash of the target account’s password, that is, the password of the account tied to the SPN. The attacker takes the ticket offline and cracks the hash by brute force at their leisure; a recovered password lets them take over the service account and all of its associated access, and scale the attack from there.
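One defensive check that follows directly from this mechanism, written for this edit rather than taken from the article or from any vendor tool: a hunt over Windows Security event 4769 (“A Kerberos service ticket was requested”) that flags a single account requesting RC4-encrypted service tickets for many distinct service accounts inside a short window. The key=value line format, field names, thresholds, account names and log lines below are all constructed for the example and are not real logs.

```python
"""Detect a Kerberoasting pattern in Windows Security event 4769 records.

Constructed example: the log lines are hand-made, simplified key=value
renderings of the 4769 fields a SIEM would extract (TargetUserName,
ServiceName, TicketEncryptionType, IpAddress). The line format, the
thresholds and the sample data are assumptions for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# TicketEncryptionType value that event 4769 logs for RC4-HMAC tickets.
# Roasting tooling usually asks for RC4 because it is the cheapest ticket
# type to crack, so an RC4 request in an AES-capable domain stands out.
RC4_HMAC = 0x17

# Tuning knobs (assumptions; adjust to the environment's baseline).
SPN_THRESHOLD = 5              # distinct service accounts per requester ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding time window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) id=(?P<id>\d+) user=(?P<user>\S+) "
    r"service=(?P<service>\S+) etype=(?P<etype>0x[0-9a-fA-F]+) ip=(?P<ip>\S+)$"
)

# Constructed sample data: alice is normal AES traffic, bob bursts RC4 requests
# to six service accounts in seconds, carol touches two legacy RC4 services
# forty minutes apart.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z id=4769 user=alice@CORP.LOCAL service=svc_mssql etype=0x12 ip=10.1.2.10
2024-03-01T10:00:05Z id=4768 user=alice@CORP.LOCAL service=krbtgt etype=0x12 ip=10.1.2.10
2024-03-01T10:00:50Z id=4769 user=bob@CORP.LOCAL service=krbtgt etype=0x17 ip=10.1.2.55
2024-03-01T10:01:00Z id=4769 user=bob@CORP.LOCAL service=svc_mssql etype=0x17 ip=10.1.2.55
2024-03-01T10:01:02Z id=4769 user=bob@CORP.LOCAL service=svc_web etype=0x17 ip=10.1.2.55
2024-03-01T10:01:03Z id=4769 user=bob@CORP.LOCAL service=svc_sharepoint etype=0x17 ip=10.1.2.55
2024-03-01T10:01:04Z id=4769 user=bob@CORP.LOCAL service=svc_exchange etype=0x17 ip=10.1.2.55
2024-03-01T10:01:05Z id=4769 user=bob@CORP.LOCAL service=svc_backup etype=0x17 ip=10.1.2.55
2024-03-01T10:01:06Z id=4769 user=bob@CORP.LOCAL service=svc_sccm etype=0x17 ip=10.1.2.55
2024-03-01T10:01:07Z id=4769 user=bob@CORP.LOCAL service=WS-FS01$ etype=0x17 ip=10.1.2.55
2024-03-01T11:30:00Z id=4769 user=carol@CORP.LOCAL service=svc_legacy etype=0x17 ip=10.1.2.77
2024-03-01T12:10:00Z id=4769 user=carol@CORP.LOCAL service=svc_mssql etype=0x17 ip=10.1.2.77
"""


@dataclass
class TgsRequest:
    ts: datetime
    user: str
    service: str
    etype: int
    ip: str


def parse_line(line):
    """Parse one constructed 4769 line; return None for any other event."""
    m = LINE_RE.match(line.strip())
    if not m or m["id"] != "4769":
        return None
    return TgsRequest(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        user=m["user"],
        service=m["service"],
        etype=int(m["etype"], 16),
        ip=m["ip"],
    )


def is_roast_candidate(req):
    """RC4 ticket for a non-machine, non-krbtgt service account."""
    return (
        req.etype == RC4_HMAC
        and not req.service.endswith("$")    # machine accounts: long random passwords
        and req.service.lower() != "krbtgt"  # TGT traffic, not a roastable service ticket
    )


def find_kerberoasting(lines, threshold=SPN_THRESHOLD, window=WINDOW):
    """Return {requester: sorted distinct service accounts} for every requester
    that asked for RC4 service tickets to at least `threshold` distinct service
    accounts within any span of length `window`."""
    by_user = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req and is_roast_candidate(req):
            by_user[req.user].append(req)

    findings = {}
    for user, reqs in by_user.items():
        reqs.sort(key=lambda r: r.ts)
        for i, start in enumerate(reqs):
            services = {r.service for r in reqs[i:] if r.ts - start.ts <= window}
            if len(services) >= threshold:
                findings[user] = sorted(services)
                break
    return findings


if __name__ == "__main__":
    for user, services in find_kerberoasting(SAMPLE_LOG.splitlines()).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

On the sample data only bob is reported; carol’s two RC4 requests are too far apart for the default window, and alice never requests RC4 at all. In a real deployment the same query is worth pairing with an inventory of SPN-bearing accounts whose passwords are old or short, since those are the tickets that crack fastest offline, and with a baseline of which legacy services still legitimately negotiate RC4 so that the threshold can be set above normal noise.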