Introduction
Kerberoasting is a stealthy, post-exploitation technique frequently used by attackers to escalate privileges and move laterally within Windows Active Directory (AD) environments. By exploiting how the Kerberos authentication protocol handles service account credentials, attackers can retrieve encrypted service tickets for offline cracking, enabling access to privileged accounts. Kerberoasting is particularly dangerous because it requires only a low-privileged account to initiate, and the password cracking happens offline, which makes it hard to detect.
In this post, we’ll dive into the details of how Kerberoasting works, examine why it’s effective, and discuss various defense strategies to secure AD environments from such attacks.
How Kerberos Authentication Works
To understand Kerberoasting, it’s essential to know the basics of the Kerberos authentication protocol, which Active Directory relies on for secure authentication across networks. The Kerberos protocol includes three main components:
- Key Distribution Center (KDC): The KDC is the trusted authority in Kerberos authentication and typically resides on the domain controller. It issues two types of tickets:
- Ticket Granting Ticket (TGT): This is issued upon initial authentication and acts as a “master ticket” that allows users to request access to additional services.
- Ticket Granting Service (TGS) ticket: This ticket grants access to specific services, like SQL databases or file shares.
- Service Principal Name (SPN): Each service in AD is registered with an SPN, which is essentially a unique identifier for that service. When a user requests access to a service, they reference its SPN, and the KDC generates a TGS ticket for that service.
- TGS Encryption: The KDC encrypts each TGS ticket with the key of the service account associated with the SPN; for RC4-encrypted tickets, that key is the NTLM hash of the service account's password. By design, any authenticated domain user can request a TGS ticket for any SPN.
These mechanics provide a pathway for Kerberoasting attacks, as attackers can abuse the access to TGS tickets and extract them for offline password cracking.
Kerberoasting Attack Workflow
Kerberoasting focuses on extracting and cracking TGS tickets, leveraging the following process:
- SPN Enumeration and TGS Request: The attacker uses a valid domain account (often obtained through phishing or other low-level attacks) to enumerate SPNs associated with service accounts in AD. These SPNs may belong to services with privileged accounts, such as SQL servers or custom applications.
- Extracting TGS Tickets: The attacker requests TGS tickets for SPNs of interest. The KDC encrypts each TGS ticket using the NTLM hash of the service account’s password and sends it to the requester. Because the ticket is delivered to the requester by design, no interception is needed; the attacker extracts the tickets using tools such as Mimikatz or Rubeus.
- Offline Password Cracking: Once extracted, TGS tickets can be transferred to an attacker’s offline machine for cracking. Since the tickets are encrypted with the NTLM hash of the service account’s password, the attacker uses password-cracking tools like Hashcat or John the Ripper to recover the plaintext password. This process can take anywhere from minutes to days, depending on the strength of the password and the computing power available to the attacker.
- Privilege Escalation and Lateral Movement: If the attacker successfully cracks the password, they gain access to the service account. If the service account has privileged access, such as membership in the Domain Admins group, the attacker can leverage this access for further lateral movement, privilege escalation, or even full domain compromise.
Why Kerberoasting is Effective
Kerberoasting is effective for several reasons:
- No High Privileges Required: It requires only a regular domain user account to initiate. This makes it accessible for attackers who gain low-privileged credentials early in an attack chain.
- Offline Cracking: Since the TGS ticket is encrypted with the NTLM hash of the service account, cracking can be done offline, generating no further network traffic or authentication events for defenders to observe.
- Weak Service Account Passwords: Many organizations set weak or unrotated passwords for service accounts, making them easy targets for offline cracking.
These factors make Kerberoasting an attractive option for attackers and a significant risk for organizations with improperly secured AD environments.
Common Tools Used in Kerberoasting
Several tools have been developed to facilitate Kerberoasting attacks:
- Mimikatz: Known widely for credential extraction, Mimikatz can also extract Kerberos tickets, including TGS tickets.
- Rubeus: A C# tool that provides various Kerberos attack functionalities, including Kerberoasting. Rubeus can enumerate SPNs and request TGS tickets.
- Impacket’s GetUserSPNs.py: This Python script can query AD for SPNs and extract TGS tickets associated with them, simplifying Kerberoasting for attackers.
- Hashcat and John the Ripper: Once extracted, TGS tickets are cracked using these powerful password-cracking tools, which support offline cracking with dictionaries, rainbow tables, or brute-force methods.
Detecting Kerberoasting Attacks
Detecting Kerberoasting attacks can be challenging due to their offline nature, but certain indicators can point to an attempted attack:
- Monitoring Event ID 4769: In Windows Security Event Logs, Event ID 4769 records TGS requests. An unusual increase in TGS requests, particularly for specific service accounts or SPNs, could indicate a Kerberoasting attempt.
- Unusual SPN Requests: Typically, regular users don’t need access to sensitive SPNs. Monitoring SPN requests from low-privilege accounts, especially those without legitimate access, can help detect Kerberoasting behavior.
- Abnormal TGS Request Patterns: A single account requesting multiple TGS tickets over a short period may be engaging in Kerberoasting. SIEM tools can help detect and alert on these patterns.
- Advanced Security Tools: Solutions like Microsoft Advanced Threat Analytics (ATA) or Microsoft Defender for Identity can detect suspicious behavior, such as unusual account activity or unexpected TGS requests.
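As an added example (not code from the original post), the following detection logic implements the indicators above over constructed Event ID 4769 records: it ignores computer accounts and krbtgt, counts the distinct user-owned SPNs each account requests inside a sliding window, and reports how many of those tickets were RC4 (Ticket Encryption Type 0x17). The window length, threshold and sample events are assumptions to tune against your own baseline.

```python
"""Flag Kerberoasting-style bursts in Windows Security Event ID 4769 (TGS request) records."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # TicketEncryptionType value for RC4-HMAC tickets
WINDOW = timedelta(minutes=5)    # assumed detection window
DISTINCT_SPN_THRESHOLD = 4       # assumed tuning value; adjust to your environment's baseline

# Constructed sample events; field names follow the 4769 EventData schema.
EVENTS = [
    {"time": "2024-05-01T09:00:01", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12"},
    {"time": "2024-05-01T09:00:05", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"time": "2024-05-01T09:00:06", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"time": "2024-05-01T09:00:06", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"time": "2024-05-01T09:00:07", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_report", "TicketEncryptionType": "0x17"},
    {"time": "2024-05-01T09:30:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    {"time": "2024-05-01T11:00:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x12"},
]

def is_roastable_target(service_name):
    """Computer accounts ($) and krbtgt hold long random keys; user-owned SPNs are the real targets."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"

def find_kerberoast_bursts(events, window=WINDOW, threshold=DISTINCT_SPN_THRESHOLD):
    """Return one alert per requesting account that asked for `threshold` or more distinct
    user-owned SPNs inside any `window`, with the count of RC4 (0x17) tickets in that window."""
    per_user = defaultdict(list)
    for e in events:
        if is_roastable_target(e["ServiceName"]):
            per_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["time"]), e["ServiceName"], int(e["TicketEncryptionType"], 16)))
    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:   # slide the window forward
                start += 1
            in_window = reqs[start:end + 1]
            services = {r[1] for r in in_window}
            if len(services) >= threshold:
                alerts.append({"user": user, "distinct_spns": len(services),
                               "rc4_requests": sum(1 for r in in_window if r[2] == RC4_HMAC),
                               "window_start": reqs[start][0].isoformat()})
                break   # one alert per account is enough for triage
    return alerts
```

In a SIEM the same grouping is expressed as a count of distinct ServiceName per TargetUserName over a time bucket, with the RC4 share as a secondary score.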
Defense Strategies Against Kerberoasting
Protecting against Kerberoasting requires a combination of strong password policies, monitoring, and access control. Here are several effective defense techniques:
- Enforce Strong Password Policies: Service accounts should use complex, lengthy passwords (ideally 25+ characters). Passwords should also be rotated regularly to minimize exposure if they are cracked.
- Use Managed Service Accounts (MSAs): MSAs automatically handle complex password generation and regular rotation, reducing the risk of static, easily cracked passwords.
- Restrict Service Account Privileges: Service accounts should adhere to the principle of least privilege. Avoid assigning unnecessary or elevated privileges and avoid adding service accounts to privileged groups like Domain Admins.
- Limit SPN Exposure: Regularly review and remove unused or unnecessary SPNs. Limiting SPNs reduces the potential attack surface and decreases the number of available TGS tickets for Kerberoasting.
- Enforce AES Encryption for Kerberos Tickets: By default, Kerberos may use RC4 for ticket encryption. Enforcing AES encryption strengthens the encryption used for TGS tickets, increasing cracking difficulty.
- Privileged Access Management (PAM): PAM solutions help secure privileged accounts by enforcing just-in-time access and regularly rotating passwords for sensitive accounts, further reducing the impact of a compromised account.
Advanced Mitigations
For organizations requiring enhanced security, advanced mitigations can add further protection:
- Disable RC4 Where Possible: Windows may fall back to RC4 for compatibility, but RC4-encrypted tickets are more vulnerable to cracking. Disabling RC4 (after thorough testing) improves security for Kerberos tickets.
- Credential Guard: Windows Credential Guard provides isolation for credentials, protecting secrets from extraction tools like Mimikatz.
- Implementing Constrained Delegation: Kerberos constrained delegation allows you to limit the services that can request TGS tickets on behalf of other accounts. Properly configured constrained delegation reduces the risk of Kerberoasting by restricting the delegation to specific trusted accounts.
- SIEM and Network Monitoring Tools: Use Security Information and Event Management (SIEM) tools to detect abnormal TGS request patterns, investigate suspicious SPN requests, and correlate events that may indicate Kerberoasting.
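The following audit, added here and not from the original post, checks the service-account controls from the defense list above (password age, privileged group membership, AES versus RC4) and the RC4 item in this list against constructed LDAP-style records, decoding the msDS-SupportedEncryptionTypes bitmask and exempting group managed service accounts from the password-age check. The rotation threshold, privileged group set and sample accounts are assumptions.

```python
"""Audit accounts that carry SPNs for Kerberoasting exposure: RC4 allowed, stale password, privilege."""
from datetime import datetime, timedelta, timezone

# Bits of the msDS-SupportedEncryptionTypes attribute.
RC4_HMAC, AES128_CTS, AES256_CTS = 0x4, 0x8, 0x10
MAX_PASSWORD_AGE = timedelta(days=365)             # assumed rotation policy for this audit
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed records shaped like an LDAP search result (attribute names are the real AD ones;
# pwdLastSet is given as ISO-8601 here instead of raw FILETIME for readability).
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": 0x4, "pwdLastSet": "2019-03-10T00:00:00+00:00",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"], "objectClass": ["user"]},
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": "2024-02-01T00:00:00+00:00",
     "memberOf": [], "objectClass": ["user"]},
    {"sAMAccountName": "gmsa_app$", "servicePrincipalName": ["HTTP/app01.corp.local"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": "2024-04-20T00:00:00+00:00",
     "memberOf": [], "objectClass": ["user", "msDS-GroupManagedServiceAccount"]},
    {"sAMAccountName": "jdoe", "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": "2018-01-01T00:00:00+00:00", "memberOf": [], "objectClass": ["user"]},
]

def group_cn(dn):
    """First RDN value of a distinguished name, e.g. 'Domain Admins'."""
    return dn.split(",")[0].removeprefix("CN=")

def audit_account(acct, now):
    findings = []
    if not acct.get("servicePrincipalName"):
        return findings                      # no SPN, so no TGS can be requested for this account
    enc = acct.get("msDS-SupportedEncryptionTypes") or 0
    if enc == 0 or enc & RC4_HMAC:
        findings.append("rc4-allowed")       # 0/unset leaves the KDC default, which may include RC4
    if not enc & (AES128_CTS | AES256_CTS):
        findings.append("no-aes")
    if "msDS-GroupManagedServiceAccount" not in acct.get("objectClass", []):   # gMSAs rotate automatically
        if now - datetime.fromisoformat(acct["pwdLastSet"]) > MAX_PASSWORD_AGE:
            findings.append("stale-password")
    if PRIVILEGED_GROUPS & {group_cn(dn) for dn in acct.get("memberOf", [])}:
        findings.append("privileged")
    return findings

def audit(accounts, now_iso=None):
    """Map each exposed account name to its findings; clean accounts are omitted."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return {a["sAMAccountName"]: f for a in accounts if (f := audit_account(a, now))}
```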
Summary
Kerberoasting is a potent attack technique in AD environments due to its stealth, accessibility, and offline nature. By exploiting TGS ticket encryption, attackers can retrieve service account credentials and use them for lateral movement and privilege escalation. Given the simplicity with which low-privileged users can initiate Kerberoasting, organizations must take proactive measures to secure service accounts and monitor for suspicious behavior.
To protect against Kerberoasting, organizations should focus on enforcing strong password policies, restricting service account privileges, limiting SPN exposure, and monitoring Event ID 4769 for unusual TGS request patterns. Implementing advanced protections like Managed Service Accounts, Privileged Access Management, AES encryption, and Credential Guard can further strengthen defenses against Kerberoasting.
By understanding the mechanisms of Kerberoasting and deploying a combination of basic and advanced security practices, organizations can effectively mitigate this threat and secure their AD environments from credential-based attacks.