Execution of kerberoasting attack - ties2/Red-Team GitHub Wiki

Kerberoasting is a technique that allows an attacker to extract password hashes for service accounts from Active Directory (AD) without the need for privileged access. This technique can be used to gain access to sensitive information such as credentials, data, and resources that are protected by service accounts. Service accounts are used to run services on servers or workstations, and are often configured with weak or default passwords, making them a prime target for attackers.

In this essay, we will discuss the concept of kerberoasting and how it can be used by attackers to gain access to sensitive information. We will also explore some examples of how this attack can be executed, as well as some best practices for preventing it.

Kerberos Authentication:

Kerberos is a network authentication protocol that provides a secure way for users to authenticate to network resources. When a user logs in to a computer or server, their credentials are authenticated by a domain controller using Kerberos. If the credentials are valid, a session ticket is generated that allows the user to access network resources.

Service accounts are also authenticated using Kerberos, but instead of using the user's credentials, they use a set of credentials known as a service principal name (SPN). An SPN is a unique identifier that is assigned to a service account, and it is used by clients to authenticate to the service. When a client sends a request to a service, the service checks the SPN to ensure that the request is coming from an authorized client.

Kerberoasting Attack:

Kerberoasting is a type of attack that targets service accounts in Active Directory. It is a form of offline attack, meaning that the attacker does not need to be connected to the network to carry it out. Instead, the attacker can use tools such as PowerView or Mimikatz to extract the password hashes for service accounts from Active Directory.

To execute a kerberoasting attack, the attacker first needs to identify service accounts that are vulnerable to the attack. Service accounts are vulnerable if they have an SPN configured and the "Do not require Kerberos preauthentication" option is enabled for the account. This option is often enabled by default, and it allows an attacker to request a service ticket for the account without providing a password.

Once the attacker has identified a vulnerable service account, they can use a tool like PowerView to extract the SPN and associated password hash from Active Directory. The attacker can then use a tool like Hashcat to crack the password hash, giving them access to the service account's credentials.

Once the attacker has access to the service account's credentials, they can use them to gain access to sensitive information, such as data or resources that are protected by the account. This can include access to databases, file shares, or other network resources.

Preventing Kerberoasting:

There are several best practices that organizations can implement to prevent kerberoasting attacks. These include:

Enabling Kerberos preauthentication: By enabling Kerberos preauthentication, service accounts will require a password to be provided before a service ticket can be requested. This prevents an attacker from being able to request a service ticket without providing the correct password.

Regularly rotating service account passwords: By regularly rotating service account passwords, organizations can reduce the risk of an attacker being able to crack a password hash and gain access to the account's credentials.

Implementing strong password policies: Strong password policies can help prevent attackers from being able to crack password hashes. Password policies should require passwords to be complex and difficult to guess.

Monitoring for unusual activity: Organizations should monitor their network for unusual activity, such as large numbers of service ticket requests for a single account. This can help identify potential kerberoasting attacks.
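One way to implement the monitoring described above, as an added example that is not part of the original wiki page: the script below parses a constructed, simplified log of Windows Event ID 4769 ("A Kerberos service ticket was requested") records and flags any account that requests tickets for many distinct SPNs within a short window, also counting how many of those tickets used RC4. The pipe-delimited line format, the five-minute window and the threshold of four services are assumptions made for this example; a real deployment would read the events from the SIEM or the Windows event log in their native format and tune the threshold to the environment's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event ID 4769 is Windows' "A Kerberos service ticket was requested" audit event;
# ticket encryption type 0x17 is RC4-HMAC, which is far cheaper to crack offline
# than AES. The pipe-delimited layout below is a constructed simplification.
RC4_HMAC = "0x17"
WINDOW = timedelta(minutes=5)        # assumed detection window
MIN_DISTINCT_SERVICES = 4            # assumed threshold; tune to the environment's baseline

SAMPLE_LOG = """\
2024-01-15T09:00:01|4769|alice@CORP|CIFS/fs01.corp.local|0x12
2024-01-15T09:10:00|4769|jdoe@CORP|MSSQLSvc/sql01.corp.local:1433|0x17
2024-01-15T09:10:01|4769|jdoe@CORP|HTTP/web01.corp.local|0x17
2024-01-15T09:10:02|4769|jdoe@CORP|CIFS/fs01.corp.local|0x17
2024-01-15T09:10:03|4769|jdoe@CORP|MSSQLSvc/sql02.corp.local:1433|0x17
2024-01-15T09:10:04|4769|jdoe@CORP|ldap/dc01.corp.local|0x17
2024-01-15T09:30:00|4769|alice@CORP|MSSQLSvc/sql01.corp.local:1433|0x12
2024-01-15T10:00:00|4624|alice@CORP|-|-
"""

def parse_ticket_requests(text):
    """Yield (timestamp, requester, service, enc_type) for every 4769 line."""
    for line in text.splitlines():
        ts, event_id, requester, service, enc = line.split("|")
        if event_id == "4769":
            yield datetime.fromisoformat(ts), requester, service, enc

def detect_ticket_bursts(text, window=WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """Return {requester: (distinct_spns, rc4_requests)} for each account that asked
    for tickets to at least `min_services` different SPNs inside one `window`."""
    by_requester = defaultdict(list)
    for ts, requester, service, enc in parse_ticket_requests(text):
        by_requester[requester].append((ts, service, enc))
    alerts = {}
    for requester, events in by_requester.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            # slide the window start forward so events[start:end+1] fit in `window`
            while ts - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            services = {svc for _, svc, _ in in_window}
            if len(services) >= min_services:
                rc4 = sum(1 for _, _, e in in_window if e == RC4_HMAC)
                alerts[requester] = (len(services), rc4)
    return alerts

if __name__ == "__main__":
    for who, (n_spn, n_rc4) in detect_ticket_bursts(SAMPLE_LOG).items():
        print(f"ALERT {who}: {n_spn} distinct SPNs in {WINDOW}, {n_rc4} RC4 tickets")
```

On the constructed sample the only alert is for jdoe@CORP, whose five requests for five different SPNs in four seconds, all with RC4, stand out against alice's two unrelated requests half an hour apart.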