Kerberoasting - Identifying Vulnerable Accounts and Tools for the Task

Kerberoasting is a post-exploitation technique that attackers use to harvest Kerberos service account credentials in Windows Active Directory environments. By exploiting how Kerberos authentication works, adversaries can extract service tickets and attempt to crack the associated hashed credentials offline, potentially gaining access to high-privilege accounts. This article will explore how Kerberoasting works, methods to identify vulnerable accounts, and tools commonly used for this task.

How Kerberoasting Works:

  1. SPN Enumeration: Attackers enumerate SPNs to find accounts linked to services within the domain.
  2. Ticket Request: Once an SPN is identified, the attacker requests a Kerberos Ticket Granting Service (TGS) ticket for the associated service.
  3. Ticket Extraction: The obtained TGS ticket is encrypted with the service account’s NTLM hash. Attackers extract the ticket to an offline environment.
  4. Password Cracking: Using brute-force or dictionary attacks, the NTLM hash is cracked to recover the service account's plaintext password.

This technique is effective because Kerberos does not limit who can request tickets for SPNs, and cracking the password offline allows attackers to bypass account lockout thresholds.

Identifying Vulnerable Accounts

The success of Kerberoasting depends on poorly managed service accounts. Identifying such accounts is key to both attackers and defenders.

Characteristics of Vulnerable Accounts:

  1. Weak Passwords: Accounts with simple, easily guessable passwords are prime targets.
  2. High Privilege Levels: Service accounts with elevated privileges pose a greater risk if compromised.
  3. Kerberos Preauthentication Disabled: Accounts without Kerberos Preauthentication are more susceptible to certain attacks.
  4. No Password Rotation: Accounts whose passwords haven’t been changed for years increase the risk of compromise.
  5. Unused or Dormant Accounts: Stale service accounts often remain unnoticed but accessible.

Steps to Identify Vulnerable Accounts:

  1. SPN Analysis: Use tools or scripts to identify accounts with SPNs.
  2. Password Policies Review: Check if these accounts adhere to organizational password complexity and rotation policies.
  3. Audit Logs: Look for suspicious activity involving TGS requests from unusual users or machines.
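
One way to run the audit-log check from the last step, added here as an example that is not part of the original article: it scans exported Event ID 4769 (Kerberos service ticket requested) records and flags accounts that request tickets for many distinct service accounts in a short window. The JSON-lines export format, the function names, the five-minute window and the threshold of four services are assumptions to tune per environment; the RC4 (0x17) count is an extra signal the article does not mention.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Event ID 4769 records exported as JSON lines, keyed by
# the event's EventData field names. Accounts and addresses are invented.
SAMPLE_4769 = """\
{"TimeCreated":"2024-05-01T09:00:02","TargetUserName":"alice@CORP.EXAMPLE","ServiceName":"FILESRV01$","TicketEncryptionType":"0x12","IpAddress":"10.0.0.21"}
{"TimeCreated":"2024-05-01T09:00:05","TargetUserName":"alice@CORP.EXAMPLE","ServiceName":"svc_sql","TicketEncryptionType":"0x12","IpAddress":"10.0.0.21"}
{"TimeCreated":"2024-05-01T09:10:01","TargetUserName":"bob@CORP.EXAMPLE","ServiceName":"svc_sql","TicketEncryptionType":"0x17","IpAddress":"10.0.0.57"}
{"TimeCreated":"2024-05-01T09:10:03","TargetUserName":"bob@CORP.EXAMPLE","ServiceName":"svc_web","TicketEncryptionType":"0x17","IpAddress":"10.0.0.57"}
{"TimeCreated":"2024-05-01T09:10:04","TargetUserName":"bob@CORP.EXAMPLE","ServiceName":"svc_backup","TicketEncryptionType":"0x17","IpAddress":"10.0.0.57"}
{"TimeCreated":"2024-05-01T09:10:06","TargetUserName":"bob@CORP.EXAMPLE","ServiceName":"svc_sharepoint","TicketEncryptionType":"0x12","IpAddress":"10.0.0.57"}
{"TimeCreated":"2024-05-01T09:10:09","TargetUserName":"bob@CORP.EXAMPLE","ServiceName":"svc_jenkins","TicketEncryptionType":"0x17","IpAddress":"10.0.0.57"}
"""

def parse_events(text):
    """Parse the JSON-lines export and convert TimeCreated to datetime."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return events

def find_tgs_bursts(events, window=timedelta(minutes=5), min_services=4):
    """Return accounts that requested tickets for at least min_services
    distinct user-account services inside one sliding time window."""
    by_user = defaultdict(list)
    for ev in events:
        svc = ev["ServiceName"].lower()
        # Skip computer accounts (trailing $) and krbtgt: routine traffic.
        if not (svc.endswith("$") or svc == "krbtgt"):
            by_user[ev["TargetUserName"].lower()].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            burst = evs[start:end + 1]
            services = {e["ServiceName"].lower() for e in burst}
            seen = len(alerts.get(user, {}).get("services", ()))
            if len(services) >= min_services and len(services) > seen:
                # 0x17 is RC4-HMAC; counted as a supporting signal only.
                rc4 = sum(e["TicketEncryptionType"].lower() == "0x17" for e in burst)
                alerts[user] = {"services": services, "rc4": rc4,
                                "sources": {e["IpAddress"] for e in burst}}
    return alerts
```

Each alert lists the services requested, the source addresses and the RC4 ticket count, which gives an analyst the accounts whose passwords should be reviewed first.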

Common Tools for Kerberoasting

Several tools make it easier to perform Kerberoasting attacks or analyze the environment for vulnerabilities. Here's an overview:

For Attackers

  1. Impacket’s GetUserSPNs.py: Part of the Impacket suite, this tool extracts SPNs and requests TGS tickets. Command: python GetUserSPNs.py domain/username:password
  2. Rubeus: A C# tool that performs various Kerberos attacks, including Kerberoasting. Command: Rubeus.exe kerberoast /format:hashcat
  3. PowerView: A PowerShell module for enumerating domain objects and SPNs. Command: Get-DomainUser -SPN
  4. Kerbrute: Focuses on brute-forcing Kerberos logins and enumerating SPNs.

For Defenders

  1. BloodHound: Maps Active Directory relationships, highlighting accounts with SPNs and identifying misconfigurations. Useful for spotting potential attack paths.
  2. Microsoft ATA/Defender for Identity: Monitors Kerberos traffic for anomalous TGS requests.
  3. Log Analysis Tools (SIEM): Search for patterns in logs that indicate Kerberoasting attempts. Event ID 4769 (A Kerberos service ticket was requested): look for a high number of TGS requests from a single user.
  4. Purple Knight / Ping Castle: Assesses Active Directory security and flags potential Kerberoasting vulnerabilities.

Mitigation Strategies

To defend against Kerberoasting, implement the following measures:

  1. Enforce Strong Password Policies
  2. Use SIEM solutions to flag unusual patterns in TGS ticket requests.
  3. Restrict Privileges
  4. Enable Kerberos Pre-authentication: Prevent brute-force attacks on service accounts.
  5. Regular Auditing

Conclusion

Kerberoasting is a potent attack vector, but with proactive measures and a solid understanding of the Active Directory environment, organizations can minimize their exposure. By identifying vulnerable accounts, monitoring for unusual activity, and employing strong security practices, defenders can stay a step ahead of attackers. Moreover, tools like BloodHound and Microsoft Defender for Identity can provide valuable insights into the state of Active Directory security, enabling faster response and remediation.