Kerberoasting

Kerberoasting is a sophisticated post-exploitation attack that targets Active Directory (AD) environments by exploiting the Kerberos authentication protocol. Attackers use this technique to extract encrypted service account credentials, which they then crack offline to gain privileged access. This method is particularly dangerous because it leverages legitimate Kerberos functionality, making detection challenging.

Key Points

Targets service accounts in Active Directory, which often have elevated privileges.
Exploits the Kerberos Ticket Granting Service (TGS) to obtain encrypted credentials.
Uses offline brute-force attacks to crack passwords, avoiding detection during the process.
Requires minimal privileges to execute, making it accessible to attackers with basic access.

How Kerberoasting Works

Attack Flow

Kerberoasting follows a systematic process to compromise service accounts:

Enumeration: The attacker identifies service accounts in the AD environment.
TGS Request: The attacker requests a Ticket Granting Service (TGS) ticket for a targeted service account.
Encryption: The TGS ticket is encrypted using the service account’s password hash.
Extraction: The attacker extracts the encrypted ticket from memory or network traffic.
Offline Cracking: The encrypted ticket is cracked using tools like Hashcat to reveal the plaintext password.

Technical Details

Component	Description	Tools Used
TGS Ticket	Encrypted with the service account’s password hash (RC4-HMAC by default).	`Rubeus`, `Impacket`
Cracking	Offline brute-force or dictionary attacks to decrypt the ticket.	`Hashcat`, `John the Ripper`
Privilege Escalation	Compromised service accounts often have high privileges (e.g., Domain Admin).	N/A

Note: Kerberoasting is effective because many organizations use weak or default passwords for service accounts, and RC4-HMAC encryption (common in older AD setups) is vulnerable to brute-force attacks.

Why Kerberoasting is Dangerous

Common Attack Scenarios

Lateral Movement: Attackers use cracked credentials to move across the network.
Persistence: Compromised service accounts provide long-term access to critical systems.
Privilege Escalation: Service accounts often have administrative rights, enabling full domain control.

Real-World Impact

Data Breaches: Attackers exfiltrate sensitive data using compromised accounts.
Ransomware Deployment: Elevated access facilitates the spread of ransomware.
Insider Threats: Malicious insiders can escalate privileges undetected.

Detection and Mitigation

Detection Methods

Method	Description
Unusual TGS Requests	Monitor for excessive TGS ticket requests from a single user.
Log Analysis	Review Kerberos event logs (Event ID 4769) for suspicious activity.
Honeypot Accounts	Deploy decoy service accounts with weak passwords to detect attacks.

Mitigation Strategies

Password Policies
- Enforce long, complex passwords (25+ characters) for service accounts.
- Disable RC4-HMAC encryption in favor of AES-256 for Kerberos tickets.
Account Hardening
- Limit service account privileges to only what is necessary.
- Use Managed Service Accounts (gMSAs) with automatically rotated passwords.
Monitoring and Auditing
- Enable Kerberos logging and set up alerts for unusual TGS requests.
- Conduct regular audits of service account permissions and password strength.
Tool-Specific Defenses
- Restrict access to tools like Rubeus and Impacket using application whitelisting.
- Deploy Endpoint Detection and Response (EDR) solutions to detect brute-force attempts.

Step-by-Step Defense Implementation

1. Identify Vulnerable Service Accounts

# PowerShell command to list service accounts with SPNs
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

2. Enforce Strong Passwords

# Set a 25-character random password for a service account
$password = ConvertTo-SecureString -String (New-Guid).ToString() -AsPlainText -Force
Set-ADAccountPassword -Identity "ServiceAccount" -NewPassword $password

3. Disable RC4-HMAC Encryption

# Disable RC4-HMAC for a specific account
Set-ADUser -Identity "ServiceAccount" -KerberosEncryptionType AES256

4. Enable Kerberos Logging

<!-- Add to Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy) -->
<AuditPolicy>
  <SubcategoryGuid>{0CCE9242-69AE-11D9-BED3-505054503030}</SubcategoryGuid> <!-- Audit Kerberos Service Ticket Operations -->
  <SettingValue>3</SettingValue> <!-- Success and Failure -->
</AuditPolicy>

Learn More

Official Resources

Tools and Frameworks

Tool	Purpose	Link
Rubeus	Kerberoasting and Kerberos exploitation toolkit.	GitHub
Impacket	Python-based toolkit for Kerberos attacks.	GitHub
Hashcat	Advanced password cracking tool.	Website
BloodHound	AD attack path mapping and analysis.	GitHub

Key Points

Targets service accounts in Active Directory, which often have elevated privileges.
Exploits the Kerberos Ticket Granting Service (TGS) to obtain encrypted credentials.
Uses offline brute-force attacks to crack passwords, avoiding detection during the process.
Requires minimal privileges to execute, making it accessible to attackers with basic access.

How Kerberoasting Works

Attack Flow

Kerberoasting follows a systematic process to compromise service accounts:

Enumeration: The attacker identifies service accounts in the AD environment.
TGS Request: The attacker requests a Ticket Granting Service (TGS) ticket for a targeted service account.
Encryption: The TGS ticket is encrypted using the service account’s password hash.
Extraction: The attacker extracts the encrypted ticket from memory or network traffic.
Offline Cracking: The encrypted ticket is cracked using tools like Hashcat to reveal the plaintext password.

Technical Details

Component	Description	Tools Used
TGS Ticket	Encrypted with the service account’s password hash (RC4-HMAC by default).	`Rubeus`, `Impacket`
Cracking	Offline brute-force or dictionary attacks to decrypt the ticket.	`Hashcat`, `John the Ripper`
Privilege Escalation	Compromised service accounts often have high privileges (e.g., Domain Admin).	N/A

Note: Kerberoasting is effective because many organizations use weak or default passwords for service accounts, and RC4-HMAC encryption (common in older AD setups) is vulnerable to brute-force attacks.

Why Kerberoasting is Dangerous

Common Attack Scenarios

Lateral Movement: Attackers use cracked credentials to move across the network.
Persistence: Compromised service accounts provide long-term access to critical systems.
Privilege Escalation: Service accounts often have administrative rights, enabling full domain control.

Real-World Impact

Data Breaches: Attackers exfiltrate sensitive data using compromised accounts.
Ransomware Deployment: Elevated access facilitates the spread of ransomware.
Insider Threats: Malicious insiders can escalate privileges undetected.

Detection and Mitigation

Detection Methods

Method	Description
Unusual TGS Requests	Monitor for excessive TGS ticket requests from a single user.
Log Analysis	Review Kerberos event logs (Event ID 4769) for suspicious activity.
Honeypot Accounts	Deploy decoy service accounts with weak passwords to detect attacks.

Mitigation Strategies

Password Policies
- Enforce long, complex passwords (25+ characters) for service accounts.
- Disable RC4-HMAC encryption in favor of AES-256 for Kerberos tickets.
Account Hardening
- Limit service account privileges to only what is necessary.
- Use Managed Service Accounts (gMSAs) with automatically rotated passwords.
Monitoring and Auditing
- Enable Kerberos logging and set up alerts for unusual TGS requests.
- Conduct regular audits of service account permissions and password strength.
Tool-Specific Defenses
- Restrict access to tools like Rubeus and Impacket using application whitelisting.
- Deploy Endpoint Detection and Response (EDR) solutions to detect brute-force attempts.

Step-by-Step Defense Implementation

1. Identify Vulnerable Service Accounts

# PowerShell command to list service accounts with SPNs
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

2. Enforce Strong Passwords

# Set a 25-character random password for a service account
$password = ConvertTo-SecureString -String (New-Guid).ToString() -AsPlainText -Force
Set-ADAccountPassword -Identity "ServiceAccount" -NewPassword $password

3. Disable RC4-HMAC Encryption

# Disable RC4-HMAC for a specific account
Set-ADUser -Identity "ServiceAccount" -KerberosEncryptionType AES256

4. Enable Kerberos Logging

<!-- Add to Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy) -->
<AuditPolicy>
  <SubcategoryGuid>{0CCE9242-69AE-11D9-BED3-505054503030}</SubcategoryGuid> <!-- Audit Kerberos Service Ticket Operations -->
  <SettingValue>3</SettingValue> <!-- Success and Failure -->
</AuditPolicy>

Learn More

Official Resources

Tools and Frameworks

Tool	Purpose	Link
Rubeus	Kerberoasting and Kerberos exploitation toolkit.	GitHub
Impacket	Python-based toolkit for Kerberos attacks.	GitHub
Hashcat	Advanced password cracking tool.	Website
BloodHound	AD attack path mapping and analysis.	GitHub

Kerberoasting

Key Points

How Kerberoasting Works

Attack Flow

Technical Details

Why Kerberoasting is Dangerous

Common Attack Scenarios

Real-World Impact

Detection and Mitigation

Detection Methods

Mitigation Strategies

Step-by-Step Defense Implementation

1. Identify Vulnerable Service Accounts

2. Enforce Strong Passwords

3. Disable RC4-HMAC Encryption

4. Enable Kerberos Logging

Learn More

Official Resources

Tools and Frameworks

Further Reading

Kerberoasting

Key Points

How Kerberoasting Works

Attack Flow

Technical Details

Why Kerberoasting is Dangerous

Common Attack Scenarios

Real-World Impact

Detection and Mitigation

Detection Methods

Mitigation Strategies

Step-by-Step Defense Implementation

1. Identify Vulnerable Service Accounts

2. Enforce Strong Passwords

3. Disable RC4-HMAC Encryption

4. Enable Kerberos Logging

Learn More

Official Resources

Tools and Frameworks

Further Reading