Kerberoasting

Kerberoasting is a sophisticated attack technique that exploits the Kerberos authentication protocol to crack service account passwords within Windows networks. By targeting service accounts with weak or easily guessable passwords, attackers can request Ticket Granting Service (TGS) tickets and subsequently crack them offline to reveal plaintext passwords.
  • In recent years, kerberoasting has been identified as a technique used in over 20% of network penetration tests, indicating its popularity among attackers. (Source: SANS Institute)
  • The average time to crack a kerberoasted password is significantly reduced with the use of powerful GPU arrays, highlighting the need for strong password policies. (Source: Hashcat)

How does Kerberos work?

The Kerberos authentication process involves a series of steps to verify the identity of users or services requesting access to a network. It includes ticket requests, validation, and the secure exchange of keys to ensure the integrity of the communication.

Kerberos distributes keys using a trusted third-party entity known as the Key Distribution Center (KDC). The KDC securely shares session keys between the client and the server, preventing unauthorized entities from gaining access.

Golden Ticket attacks

A Kerberos Golden Ticket is a powerful and potentially malicious artifact that can be generated by exploiting vulnerabilities in the Kerberos authentication system. In the context of cybersecurity, a Golden Ticket refers to a forged Ticket Granting Ticket (TGT) that grants an attacker long-term and unrestricted access to a network.

Using either a forged Ticket Granting Ticket (TGT, i.e. a Golden Ticket) or a compromised account, the attacker can request access to a service on the network, identified by its Service Principal Name (SPN). This service is associated with a high-privilege service account, for example a SQL service account. The Key Distribution Centre (KDC) will issue a service ticket, which is encrypted with a key derived from the service account's password. The attacker can then convert this service ticket to a hash that can be exported to Hashcat or John the Ripper and cracked offline. This attack relies on poor password hygiene for service accounts, reuse of passwords across service accounts, non-expiry of service account passwords, and even the non-removal of old SPN entries in Active Directory.
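The weaknesses listed above (old or never-expiring passwords, RC4 still permitted, stale accounts that still carry SPNs) can be checked directly against your service accounts. The following Python script is an added example, not code from the original page or from Vectra; it runs over a constructed export of SPN-bearing accounts with field names chosen for this illustration, and in practice the same attributes would be pulled from Active Directory (servicePrincipalName, pwdLastSet, lastLogonTimestamp, msDS-SupportedEncryptionTypes, userAccountControl). The bit values for msDS-SupportedEncryptionTypes are the documented Microsoft values.

```python
"""Audit service accounts for the hygiene failures Kerberoasting relies on.

Added example, not Vectra's code. SPN_ACCOUNTS is a constructed export; the
thresholds are assumptions you should tune to your own policy.
"""

# Bit flags of msDS-SupportedEncryptionTypes (Microsoft-documented values)
RC4_HMAC = 0x04
AES128 = 0x08
AES256 = 0x10

# Constructed sample records: field names are this example's simplification,
# not the raw AD attribute names.
SPN_ACCOUNTS = [
    {"sam": "svc_sql",    "spns": ["MSSQLSvc/db01:1433"], "pwd_age_days": 1460,
     "last_logon_days": 1,   "enc_types": RC4_HMAC | AES128 | AES256, "pwd_never_expires": True},
    {"sam": "svc_web",    "spns": ["HTTP/intranet"],      "pwd_age_days": 30,
     "last_logon_days": 2,   "enc_types": AES128 | AES256,            "pwd_never_expires": False},
    {"sam": "svc_oldapp", "spns": ["HOST/decom01"],       "pwd_age_days": 2200,
     "last_logon_days": 900, "enc_types": RC4_HMAC,                   "pwd_never_expires": True},
    {"sam": "svc_backup", "spns": ["HOST/bkp01"],         "pwd_age_days": 400,
     "last_logon_days": 10,  "enc_types": 0,                          "pwd_never_expires": False},
]


def audit_account(acct, max_pwd_age_days=365, stale_logon_days=180):
    """Return a list of findings for one SPN-bearing account (empty list = clean)."""
    findings = []
    # Password age: a long-lived password gives an attacker unlimited cracking time
    if acct["pwd_age_days"] > max_pwd_age_days:
        findings.append(f"password not rotated for {acct['pwd_age_days']} days")
    if acct["pwd_never_expires"]:
        findings.append("password set to never expire")
    # Encryption types: RC4 tickets are keyed by the NT hash and crack far faster than AES
    enc = acct["enc_types"]
    if enc == 0:
        findings.append("msDS-SupportedEncryptionTypes not set (domain defaults apply)")
    else:
        if enc & RC4_HMAC:
            findings.append("RC4 still permitted for this account")
        if not enc & (AES128 | AES256):
            findings.append("no AES encryption type permitted")
    # Stale accounts that still hold SPNs are roastable but nobody is watching them
    if acct["last_logon_days"] > stale_logon_days:
        findings.append(f"stale account (no logon for {acct['last_logon_days']} days) "
                        f"still holds SPNs {acct['spns']}")
    return findings


def audit_spn_accounts(accounts, **thresholds):
    """Map sAMAccountName -> findings, keeping only accounts with at least one finding."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, **thresholds)
        if findings:
            report[acct["sam"]] = findings
    return report


if __name__ == "__main__":
    for sam, findings in audit_spn_accounts(SPN_ACCOUNTS).items():
        print(sam)
        for f in findings:
            print("  -", f)
```

The point of the `enc_types == 0` branch is that an account with the attribute unset inherits the domain defaults rather than being safe, so it is reported separately instead of being treated as AES-only.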

Hunting for Kerberoasting

To hunt for potential evidence of Kerberoasting on your network, a good starting point is Vectra Recall’s Kerberoasting Dashboard. This dashboard monitors for ticket responses with weak ciphers (RC4) that can potentially be cracked offline. Usage of weak ciphers should typically be minimal within your environment; as with any example here, it is possible that your environment has a large number of Kerberos RC4 requests, which would make this dashboard less effective.

When you look at this dashboard, you’ll see a top chart showing all users of the weak RC4 cipher. Ideally this chart is empty, because no one in your organisation is using this weak cipher, but it may instead look like the one below. It’s safe to say that these Kerberos transactions are all from legitimate business cases, so you should hide these instances from the chart by clicking the “–” icon beside each IP in the legend.

Kerberoasting dashboard

After hiding the most commonly occurring servers, you should see a chart like the one below with a clear outlier that warrants investigation.

kerberoasting detection

Click on this server IP and then on the “+” icon to focus only on it. At the bottom of the dashboard you’ll be able to quickly see the clients making requests to this server. If a single client has made a large number of requests against it, pivot into other metadata sources such as LDAP and RPC to determine whether any other suspicious activity was occurring around the same timeframe.
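The same three steps (filter to RC4 ticket responses, hide the known business cases, then look at which clients are hitting the remaining server) can be run as a script against your own TGS logs. The following Python is an added example, not code from the original page or from Vectra's dashboard. It uses constructed records in a simplified form of Windows Security event 4769 (a Kerberos service ticket was requested), keeping only the fields the hunt needs; the TicketEncryptionType values are the ones Windows logs, and grouping is by SPN rather than by server IP, which is an assumption of this example.

```python
"""Hunt for Kerberoasting-style TGS activity, mirroring the dashboard steps.

Added example, not Vectra's code. SAMPLE_EVENTS is a constructed log in a
simplified event 4769 shape; thresholds and the 5-minute window are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values as logged in event 4769
RC4_HMAC = 0x17     # weak: ticket key is the account's NT hash, crackable offline
AES128_CTS = 0x11
AES256_CTS = 0x12


def _ev(ts, client_ip, user, service, etype):
    return {"ts": ts, "client_ip": client_ip, "user": user,
            "service": service, "etype": etype}


# Constructed sample: normal AES traffic, one legacy server that still
# negotiates RC4 for a single SPN (the business case to hide), and one
# workstation pulling RC4 tickets for many distinct SPNs within seconds.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:01", "10.0.0.5", "alice", "cifs/fs01", AES256_CTS),
    _ev("2024-05-01T09:00:07", "10.0.0.6", "bob", "HTTP/intranet", AES256_CTS),
    _ev("2024-05-01T09:01:12", "10.0.0.5", "alice", "MSSQLSvc/db01:1433", AES128_CTS),
] + [
    _ev(f"2024-05-01T09:{m:02d}:30", "10.0.0.20", "svc_legacy", "cifs/legacyfs", RC4_HMAC)
    for m in range(12)
] + [
    _ev(f"2024-05-01T09:15:{s:02d}", "10.0.0.77", "carol", spn, RC4_HMAC)
    for s, spn in enumerate(["MSSQLSvc/db01:1433", "MSSQLSvc/db02:1433", "HTTP/reports",
                             "exchangeMDB/mail01", "TERMSRV/jump01", "ldap/dc01"])
]


def weak_cipher_events(events):
    """Step 1: the dashboard's top chart, only RC4-encrypted ticket responses."""
    return [e for e in events if e["etype"] == RC4_HMAC]


def rc4_requests_per_service(events):
    """How many RC4 tickets were issued per service (the chart legend)."""
    return Counter(e["service"] for e in weak_cipher_events(events))


def hide_known_good(counts, known_good):
    """Step 2: drop services you have vetted as legitimate RC4 users (the '-' click)."""
    return Counter({svc: n for svc, n in counts.items() if svc not in known_good})


def clients_for_service(events, service):
    """Step 3: which clients requested RC4 tickets for the focused service (the '+' click)."""
    return Counter(e["client_ip"] for e in weak_cipher_events(events)
                   if e["service"] == service)


def flag_spn_sweeps(events, min_distinct_spns=5, window=timedelta(minutes=5)):
    """Core indicator: one client requesting RC4 tickets for many distinct SPNs
    inside a short window. Returns {client_ip: sorted SPNs} for offenders."""
    by_client = defaultdict(list)
    for e in weak_cipher_events(events):
        by_client[e["client_ip"]].append((datetime.fromisoformat(e["ts"]), e["service"]))
    flagged = {}
    for ip, reqs in by_client.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # all requests from this client within `window` of request i
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_distinct_spns:
                flagged[ip] = sorted(spns)
                break
    return flagged


if __name__ == "__main__":
    counts = rc4_requests_per_service(SAMPLE_EVENTS)
    print("RC4 tickets per service:", counts.most_common())
    remaining = hide_known_good(counts, {"cifs/legacyfs"})
    print("After hiding known business cases:", remaining.most_common())
    for svc in remaining:
        print(f"  clients for {svc}:", dict(clients_for_service(SAMPLE_EVENTS, svc)))
    print("Clients sweeping many SPNs with RC4:", flag_spn_sweeps(SAMPLE_EVENTS))
```

Note that the repeated legacy-server traffic is not flagged by `flag_spn_sweeps` even though it dominates the RC4 counts: what characterises a roast is breadth (many distinct SPNs from one client), not volume against one service, which is why the distinct-SPN count is the measure rather than the raw request count.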

More information on our detections related to Kerberoasting:

> Kerberos Account Scan

> Kerberos Brute-Sweep

Kerberoasting: SPN Sweep Dashboard on the Vectra AI platform
Kerberoasting: Weak Cipher Request

Protecting your network against kerberoasting requires a combination of strong password policies, vigilant monitoring, and ongoing education. Vectra AI provides advanced security solutions that can help detect suspicious activities indicative of kerberoasting and other credential theft techniques. Contact us to strengthen your defenses and ensure the integrity of your authentication protocols and service accounts.

FAQs

What is the Kerberos authentication protocol?

How does a kerberoasting attack work?

What are the implications of a successful kerberoasting attack?

How can organizations detect kerberoasting activity?

What strategies can help prevent kerberoasting attacks?

Can multi-factor authentication (MFA) mitigate the risk of kerberoasting?

How important is regular password auditing and complexity for service accounts?

How should organizations respond to a suspected or confirmed kerberoasting attack?

What role does security awareness training play in preventing kerberoasting?

What future developments might impact the prevalence or detection of kerberoasting attacks?