Kerberoasting

Published by Nick on

Kerberoasting is a popular attack technique used by cybercriminals to exploit the Kerberos protocol in Windows Active Directory environments. This blog post will discuss the inception of Kerberoasting, its impact on Active Directory environments, and the steps penetration testers take to use this technique in their assessments. We’ll delve into the technical details to provide a comprehensive understanding of this fascinating subject.

1. The Creation of Kerberoasting

Kerberoasting was first publicly introduced by Tim Medin in 2014 at the DerbyCon security conference. The technique exploits the Service Principal Name (SPN) in the Kerberos protocol to extract password hashes from service accounts. These hashes can be cracked offline, allowing attackers to gain unauthorized access to systems.

Kerberos is a network authentication protocol designed to provide strong authentication for client-server applications through secret-key cryptography. In Active Directory environments, the Key Distribution Center (KDC) manages the authentication process by issuing tickets to clients who request access to services.

2. Impact on Active Directory Environments

Kerberoasting poses a significant threat to Active Directory environments, as it enables attackers to compromise service accounts that are often granted elevated privileges. Once a service account’s credentials are cracked, attackers can move laterally within the network, escalate privileges, and gain access to sensitive data and systems.

Service accounts are particularly vulnerable due to their lengthy, complex passwords that are infrequently changed. This makes them prime targets for offline password cracking, as attackers can take their time to brute-force the hashes without the risk of account lockouts or detection.

3. Penetration Testing with Kerberoasting

Penetration testers leverage Kerberoasting to identify and exploit weak service account passwords in an Active Directory environment. The following steps detail the process:

Step 1: Gaining Initial Access

Before executing a Kerberoasting attack, penetration testers must first gain initial access to the target network, typically through phishing, exploiting a vulnerable service, or leveraging stolen credentials.

Step 2: Enumerating Service Principal Names (SPNs)

Once on the network, penetration testers use tools like PowerView or BloodHound to enumerate the SPNs registered to service accounts. These tools can be run from a PowerShell or command prompt.

Example command using PowerView:

Import-Module .\PowerView.ps1
Get-NetUser -SPN | select -ExpandProperty serviceprincipalname

Step 3: Requesting Service Tickets

After identifying the target SPNs, the penetration tester uses tools like GetUserSPNs.py (part of the Impacket library) or Invoke-Kerberoast (a PowerShell script) to request service tickets.

Example command using GetUserSPNs.py:

python GetUserSPNs.py -request -dc-ip <DomainControllerIP> <Domain>/<User>:<Password>

Step 4: Extracting and Cracking Password Hashes

The tools mentioned above return encrypted service tickets; the encrypted portion of each ticket is derived from the service account's password hash, which is what makes offline cracking possible. The penetration tester saves these tickets in hash form to a file and uses password-cracking tools like John the Ripper or Hashcat to attempt to crack them offline.

Example command using Hashcat:

hashcat -m 13100 -a 0 <HashFile> <Wordlist> --force

Step 5: Gaining Access and Lateral Movement

Upon successfully cracking a service account password, the penetration tester can use these credentials to access other systems and services, escalate privileges, or exfiltrate sensitive data.
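Every service ticket requested in Step 3 is logged by the domain controller as Windows Security event 4769 ("A Kerberos service ticket was requested"), which is where defenders look for this activity: ticket requests using the RC4 encryption type (0x17) for human-managed service accounts, and a single account requesting tickets for many distinct services in a short window, are the two classic signals. The script below is an added example written for this post, not code from the original article or from any of the tools it mentions. The log lines are constructed, and the key=value flattening of the 4769 fields, the 5-minute window and the threshold of three distinct services are assumptions chosen for the example; the EventID, TicketEncryptionType and Status values follow Microsoft's documented codes for event 4769.

```python
"""Detection logic for Kerberoasting-style activity in Windows Security event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: event 4769 records flattened to "timestamp key=value ..." form.
# Hostnames, users and addresses are made up for this example.
SAMPLE_EVENTS = [
    "2024-01-10T08:59:58 EventID=4768 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt IpAddress=10.0.0.5 TicketEncryptionType=0x12 Status=0x0",
    "2024-01-10T09:00:01 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql IpAddress=10.0.0.5 TicketEncryptionType=0x12 Status=0x0",
    "2024-01-10T09:00:03 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ IpAddress=10.0.0.5 TicketEncryptionType=0x12 Status=0x0",
    "2024-01-10T09:15:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql IpAddress=10.0.0.23 TicketEncryptionType=0x17 Status=0x0",
    "2024-01-10T09:15:01 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_web IpAddress=10.0.0.23 TicketEncryptionType=0x17 Status=0x0",
    "2024-01-10T09:15:01 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup IpAddress=10.0.0.23 TicketEncryptionType=0x17 Status=0x0",
    "2024-01-10T09:15:02 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_mssql2 IpAddress=10.0.0.23 TicketEncryptionType=0x17 Status=0x0",
    "2024-01-10T09:15:02 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt IpAddress=10.0.0.23 TicketEncryptionType=0x17 Status=0x0",
    "2024-01-10T09:15:03 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql IpAddress=10.0.0.23 TicketEncryptionType=0x17 Status=0x1f",
]

RC4_HMAC = "0x17"      # TicketEncryptionType value for RC4-HMAC in event 4769
SUCCESS = "0x0"        # Status value for a successfully issued ticket


def parse_event(line):
    """Turn one flattened log line into a dict; the leading token is the ISO timestamp."""
    timestamp, *fields = line.split()
    event = {"timestamp": datetime.fromisoformat(timestamp)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_roastable_target(service_name):
    """Machine accounts (trailing $) and krbtgt have long random keys and are not the usual targets."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def rc4_service_ticket_requests(events):
    """Successful 4769s that used RC4 for a user-managed service account."""
    return [
        e for e in events
        if e.get("EventID") == "4769"
        and e.get("Status") == SUCCESS
        and e.get("TicketEncryptionType") == RC4_HMAC
        and is_roastable_target(e.get("ServiceName", ""))
    ]


def burst_requesters(events, window=timedelta(minutes=5), threshold=3):
    """Map of requesting account -> max number of distinct services requested within any window.

    Only accounts reaching the threshold are returned. Bulk ticket requests for many SPNs at
    once are what Step 3 tooling produces and what legitimate clients rarely do.
    """
    per_user = defaultdict(list)
    for e in events:
        if (e.get("EventID") == "4769" and e.get("Status") == SUCCESS
                and is_roastable_target(e.get("ServiceName", ""))):
            per_user[e["TargetUserName"]].append((e["timestamp"], e["ServiceName"]))

    flagged = {}
    for user, requests in per_user.items():
        requests.sort()
        best = 0
        for i, (start, _) in enumerate(requests):
            in_window = {svc for ts, svc in requests[i:] if ts - start <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[user] = best
    return flagged


def analyze(lines):
    """Run both detections over raw log lines and return a summary."""
    events = [parse_event(line) for line in lines]
    return {
        "rc4_requests": rc4_service_ticket_requests(events),
        "burst_requesters": burst_requesters(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_EVENTS)
    for e in report["rc4_requests"]:
        print(f"RC4 service ticket: {e['TargetUserName']} -> {e['ServiceName']} from {e['IpAddress']}")
    for user, count in report["burst_requesters"].items():
        print(f"Burst: {user} requested {count} distinct service tickets within 5 minutes")
```

On the constructed sample, alice's normal traffic (AES tickets, one service plus a machine account) produces nothing, while bob's run of RC4 requests for four distinct service accounts trips both detections. In a real environment the RC4 check needs a baseline of legitimate RC4 use first, and the strongest fix is on the account side: long random passwords or Group Managed Service Accounts for anything with an SPN, and AES-only encryption types so that the cheap RC4 hash format never appears.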

Kerberoasting is a powerful technique that enables attackers to exploit weaknesses in the Kerberos protocol, specifically targeting service accounts.

