Kerberoasting

Kerberoasting is a sophisticated attack technique that exploits the Kerberos authentication protocol to crack service account passwords within Windows networks. By targeting service accounts with weak or easily guessable passwords, attackers can request Ticket Granting Service (TGS) tickets and subsequently crack them offline to reveal plaintext passwords.
  • In recent years, kerberoasting has been identified as a technique used in over 20% of network penetration tests, indicating its popularity among attackers. (Source: SANS Institute)
  • The average time to crack a kerberoasted password is significantly reduced with the use of powerful GPU arrays, highlighting the need for strong password policies. (Source: Hashcat)

How does Kerberos work?

The Kerberos authentication process involves a series of steps to verify the identity of users or services requesting access to a network. It includes ticket requests, validation, and the secure exchange of keys to ensure the integrity of the communication.

Kerberos distributes keys using a trusted third-party entity known as the Key Distribution Center (KDC). The KDC securely shares session keys between the client and the server, preventing unauthorized entities from gaining access.

Golden Ticket attacks

A Kerberos Golden Ticket is a powerful and potentially malicious artifact that can be generated by exploiting vulnerabilities in the Kerberos authentication system. In the context of cybersecurity, a Golden Ticket refers to a forged Ticket Granting Ticket (TGT) that grants an attacker long-term and unrestricted access to a network.

Using either a forged Ticket Granting Ticket (TGT, i.e. a Golden Ticket) or a compromised account, the attacker can request access to a service (SPN) on the network. This service is associated with a high-privilege service account, for example a SQL service account. The Key Distribution Center (KDC) will issue a service ticket, which is encrypted with a key derived from the service account's password. The attacker can then convert this service ticket to a hash that can be exported to Hashcat or John the Ripper and proceed to crack the password offline. This attack relies on poor password hygiene for service accounts, reuse of passwords across service accounts, non-expiry of passwords for service accounts, and even non-removal of old SPN entries in Active Directory.

Hunting for Kerberoasting

To hunt for potential evidence of Kerberoasting on your network, a good starting point is Vectra Recall's Kerberoasting Dashboard. This dashboard monitors for ticket responses with weak ciphers (RC4) that can potentially be cracked offline. Typically, the usage of weak ciphers should be minimal within your environment; as with any example here, it's possible your environment has a large number of Kerberos RC4 requests, rendering this dashboard less effective.

When you look at this dashboard, you'll see a top chart showing all users of the weak RC4 cipher. This chart should hopefully be empty, as no one in your org should be using this weak cipher, but it may also look like this. It's safe to say that these Kerberos transactions are all from legitimate business cases, so you should hide these instances from the chart by clicking on the "–" icon beside each IP in the legend.

Kerberoasting dashboard

After hiding the most commonly occurring servers, you should see a chart like the one below with a clear outlier that warrants investigation.

kerberoasting detection

Click on this server IP and then on the "+" icon to focus only on it. At the bottom of this dashboard, you'll be able to quickly see the clients making requests to this server. If a single client has made a large number of requests against it, you should pivot into other metadata sources such as LDAP and RPC to determine whether any other suspicious activity was occurring around the given timeframe.

More information on our detections related to Kerberoasting:

> Kerberos Account Scan

> Kerberos Brute-Sweep

Kerberoasting: SPN Sweep Dashboard on the Vectra AI platform
Kerberoasting: Weak Cipher Request

Protecting your network against kerberoasting requires a combination of strong password policies, vigilant monitoring, and ongoing education. Vectra AI provides advanced security solutions that can help detect suspicious activities indicative of kerberoasting and other credential theft techniques. Contact us to strengthen your defenses and ensure the integrity of your authentication protocols and service accounts.

FAQs

What is the Kerberos authentication protocol?

The Kerberos authentication protocol is a network authentication system that uses secret-key cryptography to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It's widely used in Windows Active Directory environments.

How does a kerberoasting attack work?

A kerberoasting attack involves an attacker first gaining access to the network as a regular user. They then enumerate service accounts in the Active Directory that are registered with Service Principal Names (SPNs). The attacker requests TGS tickets for those accounts, which are encrypted using the account's password. These tickets can then be cracked offline to discover the account's plaintext password.

What are the implications of a successful kerberoasting attack?

A successful kerberoasting attack can lead to unauthorized access to sensitive areas of the network, data breaches, lateral movement within the network, and escalation of privileges, depending on the level of access the compromised service account possesses.

How can organizations detect kerberoasting activity?

Organizations can detect kerberoasting activity by monitoring for an unusual volume of TGS requests for service accounts, especially those made by non-administrative users, or by identifying abnormal patterns in network traffic that indicate mass ticket requests.
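The hunting workflow in the dashboard section above (weak-cipher ticket volume per service, hide the known-good sources, then pivot to the clients requesting a given service) and the volume-based detection described in this answer can be expressed as a small script. The following is an added example, not code from this page and not Vectra's detection logic; it runs those checks over constructed records that mimic the key fields of a Windows Security event 4769 (requesting user, service name, client IP, ticket encryption type). The record format, the IPs, users and SPNs, and the threshold of five distinct services are all assumptions made for the example.

```python
"""Flag Kerberos TGS activity that matches the Kerberoasting pattern.

Input lines are CONSTRUCTED for this example: one event per line, "key=value"
pairs separated by ';', with the same information a Windows Security event
4769 ("A Kerberos service ticket was requested") carries.
"""
from collections import Counter, defaultdict

# Kerberos encryption type numbers whose tickets are cheap to attack offline.
# 0x17 (RC4-HMAC) is the one the dashboard keys on; the DES types are listed
# for completeness. AES types (0x11, 0x12) are not flagged.
WEAK_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5",
               0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}

# Constructed sample: a legacy application host (10.0.0.50) that legitimately
# still needs RC4 for one SQL SPN, ordinary AES traffic, and one workstation
# (10.0.0.77) requesting RC4 tickets for six different SPNs within two seconds.
SAMPLE_EVENTS = """
time=2024-05-01T09:00:01;user=svc_legacyapp;service=MSSQLSvc/db01.corp.example:1433;client=10.0.0.50;etype=0x17
time=2024-05-01T09:00:05;user=svc_legacyapp;service=MSSQLSvc/db01.corp.example:1433;client=10.0.0.50;etype=0x17
time=2024-05-01T09:00:09;user=alice;service=HTTP/web01.corp.example;client=10.0.0.21;etype=0x12
time=2024-05-01T09:01:00;user=jdoe;service=MSSQLSvc/db01.corp.example:1433;client=10.0.0.77;etype=0x17
time=2024-05-01T09:01:00;user=jdoe;service=MSSQLSvc/db02.corp.example:1433;client=10.0.0.77;etype=0x17
time=2024-05-01T09:01:01;user=jdoe;service=HTTP/intranet.corp.example;client=10.0.0.77;etype=0x17
time=2024-05-01T09:01:01;user=jdoe;service=CIFS/files01.corp.example;client=10.0.0.77;etype=0x17
time=2024-05-01T09:01:02;user=jdoe;service=ldap/dc01.corp.example;client=10.0.0.77;etype=0x17
time=2024-05-01T09:01:02;user=jdoe;service=exchangeMDB/mail01.corp.example;client=10.0.0.77;etype=0x17
time=2024-05-01T09:02:00;user=bob;service=CIFS/files01.corp.example;client=10.0.0.33;etype=0x12
"""


def parse_events(lines):
    """Turn 'key=value;key=value' lines into dicts; etype becomes an int."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        fields = dict(kv.split("=", 1) for kv in line.split(";"))
        fields["etype"] = int(fields["etype"], 16)
        events.append(fields)
    return events


def weak_cipher_events(events):
    """Keep only tickets issued with an etype from WEAK_ETYPES."""
    return [e for e in events if e["etype"] in WEAK_ETYPES]


def weak_cipher_volume_by_service(events, hide=frozenset()):
    """Top-chart view: weak-cipher ticket count per service, with the
    services already judged legitimate hidden (the '-' icon in the legend)."""
    counts = Counter(e["service"] for e in weak_cipher_events(events)
                     if e["service"] not in hide)
    return dict(counts)


def clients_for_service(events, service):
    """Bottom-of-dashboard pivot: which clients asked for weak-cipher
    tickets for this service, and how often."""
    return Counter(e["client"] for e in weak_cipher_events(events)
                   if e["service"] == service)


def clients_requesting_many_services(events, threshold=5):
    """Mass-request check: clients that obtained weak-cipher tickets for at
    least `threshold` distinct services, with the accounts they used."""
    services = defaultdict(set)
    users = defaultdict(set)
    for e in weak_cipher_events(events):
        services[e["client"]].add(e["service"])
        users[e["client"]].add(e["user"])
    return {ip: {"services": sorted(svcs), "users": sorted(users[ip])}
            for ip, svcs in services.items() if len(svcs) >= threshold}


EVENTS = parse_events(SAMPLE_EVENTS.splitlines())

if __name__ == "__main__":
    print("weak-cipher tickets per service:", weak_cipher_volume_by_service(EVENTS))
    print("after hiding the legacy SQL SPN:",
          weak_cipher_volume_by_service(EVENTS, hide={"MSSQLSvc/db01.corp.example:1433"}))
    print("clients for db01:", clients_for_service(EVENTS, "MSSQLSvc/db01.corp.example:1433"))
    print("clients sweeping many SPNs:", clients_requesting_many_services(EVENTS))
```

On the sample, the legacy host accounts for most of the RC4 volume and is hidden first, exactly as the dashboard workflow suggests; what remains is a single workstation that fetched RC4 tickets for six unrelated SPNs under one user account in two seconds, which is the pattern worth pivoting into LDAP and RPC metadata for.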

What strategies can help prevent kerberoasting attacks?

Preventive strategies include:
  • Implementing strong, complex passwords for service accounts and changing them regularly.
  • Limiting the number of service accounts that have Service Principal Names (SPNs) registered.
  • Employing Account Lockout Policies to thwart brute-force attempts.
  • Using Advanced Threat Analytics (ATA) or similar tools to monitor and alert on suspicious activities indicative of kerberoasting.
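The password and SPN hygiene points above (and the conditions the earlier section names: non-expiring passwords, weak-cipher tickets, privileged service accounts, stale SPN entries) can be checked on a schedule against an export of SPN-bearing accounts. The following is an added example, not code from this page or from Vectra; it uses the real Active Directory attribute names (servicePrincipalName, pwdLastSet, lastLogonTimestamp, userAccountControl, msDS-SupportedEncryptionTypes, memberOf) but the account records are constructed, the export shape is an assumption, the 90-day and 180-day thresholds are arbitrary, and treating an unset msDS-SupportedEncryptionTypes as "not explicitly AES-enabled" is a deliberate simplification, since the actual default depends on domain controller configuration and patch level.

```python
"""Audit SPN-bearing accounts for the conditions that make Kerberoasting pay off.

Account records are CONSTRUCTED for this example; in practice they would come
from an LDAP query for objects with a populated servicePrincipalName.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag
ETYPE_RC4 = 0x4                  # msDS-SupportedEncryptionTypes bits
ETYPE_AES = 0x8 | 0x10           # AES128 | AES256
# Group names are an assumption for the example; tailor to the environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Account:
    sam: str                 # sAMAccountName
    spns: list               # servicePrincipalName values
    pwd_last_set: datetime   # pwdLastSet
    last_logon: datetime     # lastLogonTimestamp
    uac: int                 # userAccountControl
    supported_etypes: int    # msDS-SupportedEncryptionTypes (0 = unset)
    member_of: list          # memberOf, group names only


def audit_spn_accounts(accounts, now, max_pwd_age_days=90, stale_days=180):
    """Return {sAMAccountName: [issue, ...]} for SPN accounts with findings.

    Accounts without an SPN are skipped: without an SPN there is no service
    ticket to request, so they are outside the Kerberoasting surface.
    """
    findings = {}
    for a in accounts:
        if not a.spns:
            continue
        issues = []
        if a.uac & DONT_EXPIRE_PASSWORD:
            issues.append("password-never-expires")
        if now - a.pwd_last_set > timedelta(days=max_pwd_age_days):
            issues.append("password-older-than-%dd" % max_pwd_age_days)
        # Unset (0) is treated as not explicitly AES-enabled: an assumption.
        if not (a.supported_etypes & ETYPE_AES):
            issues.append("no-aes-rc4-fallback")
        if set(a.member_of) & PRIVILEGED_GROUPS:
            issues.append("privileged-group-member")
        if now - a.last_logon > timedelta(days=stale_days):
            issues.append("stale-spn-candidate")   # old SPN entry to remove?
        if issues:
            findings[a.sam] = issues
    return findings


def spn_account_count(accounts):
    """How many accounts expose an SPN at all; the list to keep short."""
    return sum(1 for a in accounts if a.spns)


NOW = datetime(2024, 5, 1)
SAMPLE_ACCOUNTS = [
    # Privileged SQL service account, RC4-only, password last set in 2019.
    Account("svc_sql", ["MSSQLSvc/db01.corp.example:1433"], datetime(2019, 3, 12),
            datetime(2024, 4, 30), 0x200 | DONT_EXPIRE_PASSWORD, ETYPE_RC4, ["Domain Admins"]),
    # Well-kept web service account: recent password, AES only.
    Account("svc_web", ["HTTP/web01.corp.example"], datetime(2024, 4, 2),
            datetime(2024, 4, 30), 0x200, ETYPE_AES, ["Web Operators"]),
    # Application retired in 2022 but its SPN was never cleaned up.
    Account("svc_oldapp", ["HOST/oldapp.corp.example"], datetime(2022, 1, 1),
            datetime(2022, 6, 1), 0x200, ETYPE_RC4, []),
    # Ordinary user, no SPN: not in scope.
    Account("jdoe", [], datetime(2024, 4, 20), datetime(2024, 4, 30), 0x200, ETYPE_AES,
            ["Domain Users"]),
]

if __name__ == "__main__":
    print("accounts with SPNs:", spn_account_count(SAMPLE_ACCOUNTS))
    for sam, issues in audit_spn_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(sam, "->", ", ".join(issues))
```

The findings map directly onto the mitigations in the list: rotate and harden the flagged passwords, move the account to AES-only encryption types, take service accounts out of privileged groups where the service does not need that access, and remove SPNs for accounts that no longer log on.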

Can multi-factor authentication (MFA) mitigate the risk of kerberoasting?

While MFA is an effective measure for enhancing user account security, kerberoasting attacks specifically target service accounts that typically do not utilize MFA for authentication, making other protective measures more relevant for defending against these types of attacks.

How important is regular password auditing and complexity for service accounts?

Regular password auditing and enforcing password complexity for service accounts are critical defenses against kerberoasting. Strong, complex passwords are much harder to crack, even if the TGS ticket is obtained by an attacker.

How should organizations respond to a suspected or confirmed kerberoasting attack?

Organizations should immediately reset passwords for any compromised service accounts, conduct a thorough security audit to determine the extent of access gained by the attacker, and review and strengthen security policies and practices to prevent future incidents.

What role does security awareness training play in preventing kerberoasting?

Security awareness training plays a crucial role by informing administrators and IT staff about the nature of kerberoasting attacks, the importance of secure password practices for service accounts, and the need for vigilant monitoring of authentication and authorization processes.

What future developments might impact the prevalence or detection of kerberoasting attacks?

Future developments may include advancements in encryption and authentication mechanisms that make Kerberos tickets harder to exploit, as well as improvements in AI and machine learning technologies for detecting and responding to anomalous authentication requests more effectively.