Kerberoasting

By Ismail on Sep 16, 2023

Kerberoasting is a method used for lateral movement and privilege escalation within Active Directory environments. This attack specifically targets Service Principal Names (SPN) accounts. SPNs serve as unique identifiers utilized by Kerberos to associate a service instance with a service account under which the service operates.

Prerequisite

To execute Kerberoasting attacks, you need one of the following: cleartext domain user credentials, just the NTLM hash of a domain user (if using Impacket), or a shell running in the context of a domain user or of an account such as SYSTEM on a domain-joined host.

Depending on your network access level, Kerberoasting attacks can be carried out through various methods:

  1. Using valid domain user credentials from a non-domain joined Linux host.
  2. Accessing as root from a domain-joined Linux host after obtaining the keytab file.
  3. Authenticating as a domain user from a domain-joined Windows host.
  4. Gaining a shell within the context of a domain account from a domain-joined Windows host.
  5. Operating as SYSTEM on a domain-joined Windows host.
  6. Employing “runas /netonly” from a non-domain joined Windows host.

Enumeration

To enumerate Service Principal Names (SPNs) and identify potential targets for Kerberoasting, security professionals often use tools like GetUserSPNs.py from Impacket. This script queries Active Directory for user accounts that have SPNs assigned and lists them. The -request flag additionally requests a service ticket (TGS) for each of those accounts and prints it in a format that password crackers accept.

GetUserSPNs.py -dc-ip $IP $DOMAIN/$Username -request 

Password Cracking

After obtaining the ticket, we can use tools like hashcat or John the Ripper to attempt to recover the service account's password offline: part of the ticket is encrypted with a key derived from that password, so a wordlist attack that reproduces the encryption identifies the password. hashcat mode 13100 corresponds to the RC4-HMAC (etype 23) TGS-REP format that GetUserSPNs.py outputs by default.

hashcat -m 13100 $HashInFile $WORDLIST

Verify Access

We can verify our access level, and confirm whether the cracked account holds Domain Admin rights, by authenticating to the target Domain Controller (DC). This can be done with tools like crackmapexec and the appropriate parameters.

sudo crackmapexec smb $IP -u $USER -p $Password

Protection

There are three main points for protecting against Kerberoasting attacks:

Enforce Strong Authentication: Implement strong password policies, encourage regular password changes, and use managed service accounts (MSAs) or group managed service accounts (gMSAs) to reduce the risk of password compromise.

Monitor and Limit Service Accounts: Regularly monitor service principal name (SPN) usage, limit the number of accounts with SPNs assigned, and use privileged access management (PAM) to restrict access to sensitive resources.

Network Segmentation and Awareness: Implement network segmentation to restrict lateral movement, educate users and IT staff about the risks of Kerberoasting and other credential-based attacks, and keep systems patched and updated to mitigate known vulnerabilities.

By focusing on these key points, organizations can significantly enhance their defenses against Kerberoasting and improve the overall security of their Active Directory environments.
