Kerberoasting’, is an attack technique used to acquire the password hash of an Active Directory account associated with a Service Principal Name (SPN). With most companies using Active Directory to manage their networks and resources today, Kerberoasting attacks pose a large and looming threat to businesses.
Kerberoasting attacks fall under the Credential Access tactic, specifically the Steal or Forge Kerberos Ticket method as documented in the MITRE ATT&CK table. MITRE, an international non-profit organization under the US government, established the ATT&CK framework to catalog adversarial Tactics, Techniques, and Common Knowledge.
Tactics refer to distinct stages within an attack, serving as indicators of malicious intent. Conversely, techniques outline the specific phases employed by attackers as documented in the attack table.
The prevalence of the Kerberoasting technique is evident among Penetration Testers, Red Teamers, and various active attack groups today.
Active Directory Environment
The Windows operating system, developed by Microsoft, provides a platform for the installation of the Active Directory environment. Active Directory serves as a comprehensive database capable of storing various types of information, represented as objects such as computers, users, rules, printers, and more.
When all computers within a company’s network are connected to the same Active Directory, users can access any computer within the network using their username and password (credentials).
One can draw a parallel with a physical house to facilitate an easier understanding of Active Directory. The internal network housing the Active Directory can be likened to the internal entry point of a house. On the other hand, external servers like SQL and Web Applications can be compared to external entry points of the house.
A prevailing issue in many companies today is their focus on securing the external entry points, such as doors and windows, while neglecting the internal security measures within the Active Directory environment. Even if strong measures are taken, such as installing a sturdy door or adding reinforced window locks, attackers can still find alternative ways to bypass these security mechanisms and gain unauthorized access, including digging underground to infiltrate the house.
Therefore, it is crucial to implement robust security mechanisms within the Active Directory environment, similar to having an alarm system, surveillance cameras, and other internal security measures in a house.
The Domain Controller serves as the central server responsible for configuring the Active Directory environment. It encompasses a multitude of features and functions crucial for the overall system.
One of its primary roles is hosting Active Directory Domain Services (AD-DS), acting as the repository for all information within the environment. Within AD-DS, one can find comprehensive details about users, computers, network printers, rules, and more.
Moreover, the Domain Controller facilitates authentication services through a protocol called Kerberos, which operates at the Domain Controller level. This ensures secure and reliable authentication processes for users accessing the network.
When updates are made to existing rules or new rules are added within the Domain Controller, the changes are propagated across all interconnected components within the network. This allows for seamless integration and synchronization of rules and configurations throughout the environment.
A domain represents a logical partition within a network where computers with similar attributes, such as security settings, user accounts, and general rules, are grouped together.
The purpose of establishing a domain is to empower network administrators with centralized control and management over all network resources within the organization. This approach enhances transparency for the network administrator, enabling them to efficiently configure and administer all computers throughout the organization. Additionally, it facilitates centralized software installation across all computers within the organization, streamlining the process and ensuring consistent software deployment.
Kerberos is an advanced authentication protocol designed to establish secure identity verification between client and server entities. This protocol enables the distribution of “entrance tickets,” known as Ticket Granting Tickets (TGTs), which grant clients access to internal servers within a network.
To provide a clearer understanding, let’s outline the steps involved in authenticating a user to a Domain Controller using Kerberos.
It is apparent that Kerberos operates in a way that any network user can request a TGS ticket for any service registered with an SPN across user accounts or computers in a domain environment. As a portion of the TGS is encrypted using an NTLM hash of the Service Account password, any user can request a TGS ticket and subsequently attempt offline cracking of the account password.
The Kerberoasting attack takes advantage of the Kerberos authentication mechanism used by Service accounts, specifically in relation to their Service Principal Name (SPN).
When establishing a connection as a domain user (which can be a regular user), it is possible to request Service tickets for Service-type accounts by specifying their corresponding SPN value.
In response, the Active Directory provides us with a Ticket encrypted using NTLM hashing, which utilizes the same Service account associated with the requested ticket.
By extracting this ticket from memory, saving it as a file, and employing methods such as Dictionary or Brute Force Attacks, we can attempt to crack the hashed password offline. Notably, these hacking attempts are conducted offline, minimizing the risk of detection by protective systems or triggering account locks.
If the cracking process proves successful, the password of the targeted service account will be revealed in plain text.
How Kerberoasting Attacks Are Performed
Once an attacker has booted up their preferred operating system, such as Kali Linux, in an internal Active Directory environment, they proceed to download Impacket from the following link: https://github.com/fortra/impacket.
Next, they navigate to the Impacket folder and locate the GetUserSPNs.py tool.
To utilize this tool, a valid username and password belonging to a user within the target domain is required. The command to execute the tool is as follows:
The following output is produced:
The TGS request, as shown in the accompanying screenshot, includes the hash we obtained for the user SQLService.
To proceed with the cracking process, attackers will save the received hash in a file and utilize a tool called hashcat for the cracking attempt.
After the hash is successfully cracked, the attacker can see the SQLService user’s password in plain text.
Having found the password of SQLService (the Domain Admin in the network), an attacker can move laterally in the network to reach the Domain Controller and take over the entire organization.
Mitigating Kerberoasting Attacks
As Kerberoasting attacks are targeted exploits that take advantage of a specific Windows feature, implementing robust security measures is crucial. One of the primary defenses is ensuring the usage of strong passwords for service users within the company.
To enhance password strength, it is recommended to employ passwords comprising at least 14 characters, with a combination of both recognized and unrecognized characters. The longer and more intricate the password, the greater the level of protection it provides against potential attacks.
Furthermore, minimizing the assignment of high privileges to both domain users and service users is imperative. Restricting the number of users with elevated privileges on the network to the bare minimum enhances overall security.
By adhering to these measures, organizations can significantly mitigate the risks associated with the Kerberoasting attack, bolstering their security posture and safeguarding critical assets.