richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cleaning up the Sparks folder

Browse source
This commit is contained in:
Richard Kranendonk 2026-05-18 09:31:41 +02:00
parent eb610a79b6
commit 96cd8fea7b
78 changed files with 149 additions and 181 deletions
Download patch file Download diff file Expand all files Collapse all files

68
Corpus/Sparks/Information Security/Kerberoasting.md Normal file
View file

@ -0,0 +1,68 @@
# How does Kerberoasting work
![What is Kerberoasting Attack?](https://d2u1z1lopyfwlx.cloudfront.net/thumbnails/da7d7f75-5240-5121-bcdb-42661d3658c7/39b56d8f-e141-5ba9-92d5-2add2173801a.jpg)
![Marshmallows & Kerberoasting](https://d2u1z1lopyfwlx.cloudfront.net/thumbnails/2b2fb80f-f352-5083-a050-97c5e70f18ff/1fe3cf37-8aca-5bbe-aa76-413147f4878b.jpg)
![What Is a Kerberoasting Attack?](https://lh7-rt.googleusercontent.com/docsz/AD_4nXflXNwTJwVm5OsvsXfq4CGVVVKtItVVE3FsJ7AO8aPWjUKPDh8swLeaih7NmGa6J5z6GjRDSwZjDfhXZrzbxUNUZ76hy8nizDLTnOkZa2B1HkQ5E4HKozH_qGIhzZeCaGmji5rr-ELqwUgXp_T0h4LfRg_g?key=sPnmmEBG5LKzk6cI9huPzg)
![What is a Kerberoasting Attack? Detection and protection](https://d2u1z1lopyfwlx.cloudfront.net/thumbnails/48a8bb2d-0fc4-5754-b710-56856837c3e2/f47ab36e-fb8f-5a32-a7d2-89b3d60c4633.jpg)
Kerberoasting is a cyberattack that exploits weaknesses in the Kerberos authentication protocol to steal service account credentials in Active Directory environments. Here's how it works:
## Attack Process
1. **Initial Access**
Attackers first gain authenticated access to the network using compromised domain user credentials. No elevated privileges are required at this stage[3](https://www.vaadata.com/blog/what-is-kerberoasting-attack-and-security-tips-explained/)[7](https://www.ibm.com/think/topics/kerberoasting).
2. **Service Ticket Harvesting**
The attacker queries Active Directory for accounts with Service Principal Names (SPNs), which identify network services. Using tools like PowerShell or BloodHound, they request Kerberos service tickets (TGS tickets) for these accounts[1](https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-kerberoasting-attack/)[8](https://www.rapid7.com/fundamentals/kerberoasting-attack/). These tickets are encrypted with the service account's password hash[5](https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003).
3. **Ticket Extraction**
Tools like **Mimikatz** or **Rubeus** extract the encrypted ticket data from memory. The attack specifically targets tickets using the weaker RC4_HMAC_MD5 encryption type rather than more secure AES encryption[2](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)[4](https://www.strongdm.com/what-is/kerberoasting).
4. **Offline Password Cracking**
Attackers use brute-force tools like **Hashcat** or **John the Ripper** to crack the hashes offline. Success depends on password strength:
- Weak passwords (<25 characters) are vulnerable
- Computer/managed service accounts (with 120+ character passwords) are generally safe[2](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)[5](https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003)
|Attack Stage|Key Tools Used|Vulnerability Exploited|
|---|---|---|
|Ticket Harvesting|PowerShell, BloodHound|SPN misconfigurations|
|Ticket Extraction|Mimikatz, Rubeus|RC4_HMAC_MD5 encryption|
|Password Cracking|Hashcat, John the Ripper|Weak service account passwords|
## Why It's Effective
- **Stealth**: No network traffic generated during cracking[4](https://www.strongdm.com/what-is/kerberoasting)
- **Legitimate Appearance**: Uses normal Kerberos functions[6](https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/kerberoasting/)
- **High Reward**: Service accounts often have elevated privileges[3](https://www.vaadata.com/blog/what-is-kerberoasting-attack-and-security-tips-explained/)
## Mitigation Strategies
- **Enforce strong passwords** (25+ chars) for service accounts[2](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)[4](https://www.strongdm.com/what-is/kerberoasting)
- **Use AES encryption** instead of RC4 for Kerberos tickets[2](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)[7](https://www.ibm.com/think/topics/kerberoasting)
- **Implement Managed Service Accounts** with auto-rotated passwords[5](https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003)
- **Monitor** for abnormal TGS ticket requests[4](https://www.strongdm.com/what-is/kerberoasting)[8](https://www.rapid7.com/fundamentals/kerberoasting-attack/)
- **Enable Multi-Factor Authentication** for sensitive accounts[4](https://www.strongdm.com/what-is/kerberoasting)
The attack chain demonstrates how attackers leverage legitimate protocol features to escalate privileges, making detection challenging without proper monitoring and encryption standards[1](https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-kerberoasting-attack/)[5](https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003). Regular password rotation and eliminating weak encryption types remain critical defenses[2](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)[4](https://www.strongdm.com/what-is/kerberoasting).
### Citations:
1. [https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-kerberoasting-attack/](https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-kerberoasting-attack/)
2. [https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)
3. [https://www.vaadata.com/blog/what-is-kerberoasting-attack-and-security-tips-explained/](https://www.vaadata.com/blog/what-is-kerberoasting-attack-and-security-tips-explained/)
4. [https://www.strongdm.com/what-is/kerberoasting](https://www.strongdm.com/what-is/kerberoasting)
5. [https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003](https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003)
6. [https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/kerberoasting/](https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/kerberoasting/)
7. [https://www.ibm.com/think/topics/kerberoasting](https://www.ibm.com/think/topics/kerberoasting)
8. [https://www.rapid7.com/fundamentals/kerberoasting-attack/](https://www.rapid7.com/fundamentals/kerberoasting-attack/)
---
Answer from Perplexity: [pplx.ai/share](pplx.ai/share)