Hacker Insights is a series of blog posts meant to provide an understanding of the tools, mindset, methodologies, and history of attackers – from overviews to in-depth technical explanations.
During a recent penetration testing engagement, the OCD Tech team found great value in a technique known as Kerberoasting, which was ultimately used to gain Domain Administrator privileges to the target domain. In this installment of Hacker Insights, we’ll dive into how this technique can be leveraged by pentesters and hackers alike, as well as options for mitigating the risk associated with this type of attack.
What is Kerberoasting?
Kerberoasting is an attack technique that leverages the Kerberos protocol to obtain encrypted credentials of service accounts, which can then be cracked offline. Kerberoasting can be performed with minimal privileges on a domain and very little effort, making it low-hanging fruit for an opposing force in unprepared environments.
Briefly explained, the Kerberos protocol is used within an Active Directory domain to mutually authenticate a client and a server on the network, ensuring the client is authorized to access the requested resource. Kerberos authentication starts with the client authenticating to the Authentication Server (AS) to obtain a Ticket Granting Ticket (TGT), which is then used to make a service request to the Ticket Granting Service (TGS) on a Domain Controller for a service ticket to any Service Principal Name (SPN).
That is the simplified version, but the important bit is that Windows uses SPNs as unique identifiers for service instances, and each SPN is tied to either a computer account or a domain user account. Part of the service ticket issued for an SPN is encrypted with the NTLM hash of the domain account associated with the requested service. This association between a service and a domain account via the SPN is where the Kerberoasting attack technique finds its leverage.
Since any valid domain user holding a TGT can request a service ticket for any SPN from a Domain Controller, an attacker on the network with domain credentials, even for an unprivileged account, can use them to easily dump the hashes (the encrypted ticket material) associated with every SPN in the domain. Once the hashes have been dumped, a variety of offline password cracking tools can be used to recover the plaintext passwords.
There is no perfect fix for this attack technique, as Active Directory relies on this information being accessible to domain users and computers. The best countermeasure is a robust password policy that requires long passwords for the accounts behind SPNs. Since these hashes can be obtained so easily, the goal is to ensure the password length and complexity will not allow the hash to be cracked quickly. Additionally, passwords should be rotated often enough that a password is replaced before it can be cracked, so that any credentials an attacker does eventually crack are already stale and can no longer be used.
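The password policy above limits the damage; a complementary defender-side check is to watch domain controller logs for the request pattern described earlier, a single account pulling service tickets for many distinct SPNs in a short window. The following is an added example (not code from the original post or from OCD Tech) that runs such a sliding-window check over constructed records shaped like Windows Security event 4769, "A Kerberos service ticket was requested"; the field names, sample account names and timestamps are assumptions, and the ticket encryption type 0x17 (RC4-HMAC) is used as a secondary signal because legitimate modern clients mostly negotiate AES.

```python
"""Flag Kerberoasting-like bursts in records shaped like Windows event 4769."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). alice reaches two computer
# hosted services; bob requests tickets for six user-account SPNs in six
# seconds, each time asking for RC4 (0x17) encryption.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "account": "alice@CORP.LOCAL",
     "service": "fileserver01$", "etype": "0x12"},
    {"time": "2024-05-01T09:00:40", "account": "alice@CORP.LOCAL",
     "service": "print01$", "etype": "0x12"},
] + [
    {"time": f"2024-05-01T09:10:{s:02d}", "account": "bob@CORP.LOCAL",
     "service": svc, "etype": "0x17"}
    for s, svc in enumerate(["svc_sql", "svc_web", "svc_backup",
                             "svc_sharepoint", "svc_exchange", "svc_iis"])
]


def find_roasting_bursts(events, window=timedelta(minutes=5), min_spns=5):
    """Return {account: (distinct_spns, rc4_requests)} for every account that
    requested tickets for at least `min_spns` distinct service names inside
    any `window`-long interval. Services ending in '$' are computer accounts
    with long machine-generated passwords, so they are ignored as targets."""
    by_account = defaultdict(list)
    for e in events:
        if e["service"].endswith("$"):
            continue
        by_account[e["account"]].append(
            (datetime.fromisoformat(e["time"]), e["service"], e["etype"]))

    flagged = {}
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            chunk = recs[start:end + 1]
            spns = {r[1] for r in chunk}
            if len(spns) >= min_spns and len(spns) > flagged.get(account, (0, 0))[0]:
                rc4 = sum(1 for r in chunk if r[2].lower() == "0x17")
                flagged[account] = (len(spns), rc4)
    return flagged


if __name__ == "__main__":
    for acct, (spns, rc4) in find_roasting_bursts(SAMPLE_EVENTS).items():
        print(f"{acct}: {spns} distinct SPNs requested, {rc4} with RC4")
```

Tune `window` and `min_spns` to the environment; monitoring or backup accounts that legitimately touch many services should be allow-listed rather than used as a reason to raise the threshold for everyone.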
For more information, questions about this article, or inquiries about OCD Tech services, please contact us.