
How to harden your Active Directory against Kerberoasting


Kerberoasting is a common attack targeting Microsoft Active Directory, enabling attackers to compromise service accounts with low risk of detection. Because it manipulates legitimate accounts, it can be highly effective. However, robust password security can keep the criminals at bay.

First, what is Kerberoasting? The name comes from ‘Kerberos’, the authentication protocol used in Active Directory, which verifies a user’s identity or that of a computer requesting access to resources.

Kerberoasting is a privilege escalation attack in which a perpetrator who controls a standard Windows user account attempts to crack the password of an account that has a Service Principal Name (SPN); if successful, they can then escalate their attack to threaten any part of the architecture connected to the targeted account.

Multi-pronged attack

How does an attack work in practice? It’s slightly complex, but there are five key stages:

The attacker begins by exploiting an existing Windows user account in Active Directory. They may have gained access to this account using any of the traditional, nefarious methods, such as stealing credentials via phishing or malware.

They then identify an account in Active Directory with an SPN attached, using tools such as GhostPack’s Rubeus. These service accounts are dangerous targets because they often hold high-level permissions or domain administrator access.

Using the account they control, the attacker requests a service ticket from the Ticket Granting Service (TGS) in Active Directory. This ticket is issued for the chosen SPN and is encrypted with the hash of the target account’s password.

The attacker takes the ticket offline, concealing their activities: there is no longer any unusual network traffic that might give them away.

Finally, the perpetrator uses brute-force techniques against the ticket to crack the service account’s password hash, recovering the plaintext service-account password. They can then access anything that account can access.
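The ticket request in the third stage leaves a trace on the domain controller even though the cracking itself happens offline: every service ticket issued is recorded as Windows Security event 4769. The following Python is an added example, not part of the original article, that applies two defensive heuristics to such records: tickets issued with RC4-HMAC (TicketEncryptionType 0x17, whose key is the account’s NT hash, which is why offline cracking favours it), and one account obtaining tickets for many distinct service accounts within a short window. It assumes the events have already been parsed into dictionaries keyed by the 4769 field names; the sample records are constructed.

```python
# Added example: flag Kerberoasting-style ticket requests in parsed event 4769 records.
# Field names (TargetUserName, ServiceName, TicketEncryptionType, Status) follow the 4769 schema.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17
ENUM_THRESHOLD, ENUM_WINDOW = 5, timedelta(minutes=2)  # distinct services within window


def is_noise_service(service_name):
    """Computer accounts (trailing $) and krbtgt are not Kerberoasting targets."""
    name = service_name.lower()
    return name.endswith("$") or name == "krbtgt"


def flag_rc4_requests(events):
    """Return (time, requester, service) for each successful RC4 ticket to a user-based service."""
    return [(e["time"], e["TargetUserName"], e["ServiceName"])
            for e in events
            if e["TicketEncryptionType"] == RC4_HMAC and e["Status"] == "0x0"
            and not is_noise_service(e["ServiceName"])]


def flag_spn_enumeration(events, threshold=ENUM_THRESHOLD, window=ENUM_WINDOW):
    """Return requesters that obtained tickets for >= threshold distinct services within window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["Status"] == "0x0" and not is_noise_service(e["ServiceName"]):
            by_user[e["TargetUserName"]].append((e["time"], e["ServiceName"]))
    flagged = set()
    for user, reqs in by_user.items():
        for i, (t0, _) in enumerate(reqs):
            if len({svc for t, svc in reqs[i:] if t - t0 <= window}) >= threshold:
                flagged.add(user)
                break
    return flagged


def _ev(ts, user, svc, etype, status="0x0"):
    return {"time": datetime.fromisoformat(ts), "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype, "Status": status}

# Constructed sample 4769 records (not real logs): 0x12 = AES256-CTS, 0x17 = RC4-HMAC.
SAMPLE_EVENTS = [
    _ev("2024-03-01T09:00:00", "alice", "WS01$", 0x12),
    _ev("2024-03-01T09:00:05", "alice", "svc_sql", 0x12),
    _ev("2024-03-01T09:10:00", "jdoe", "svc_sql", 0x17),
    _ev("2024-03-01T09:10:02", "jdoe", "svc_web", 0x17),
    _ev("2024-03-01T09:10:03", "jdoe", "svc_backup", 0x17),
    _ev("2024-03-01T09:10:04", "jdoe", "svc_iis", 0x17),
    _ev("2024-03-01T09:10:06", "jdoe", "svc_sccm", 0x17),
    _ev("2024-03-01T09:10:07", "jdoe", "krbtgt", 0x12),
]
```

Run against the sample, only jdoe is flagged by both heuristics; alice’s AES ticket to a single service and her computer-account ticket are ignored. Tune the threshold and window to the baseline of your own environment, since monitoring and inventory tools also request many tickets legitimately.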
