
Kerberoasting is a cyberattack that exploits weaknesses in the Kerberos authentication protocol to steal service account credentials in Active Directory environments. Here's how it works:

Attack Process

  1. Initial Access
    Attackers first gain authenticated access to the network using compromised domain user credentials. No elevated privileges are required at this stage [3][7].

  2. Service Ticket Harvesting
    The attacker queries Active Directory for accounts with Service Principal Names (SPNs), which identify network services. Using tools like PowerShell or BloodHound, they request Kerberos service tickets (TGS tickets) for these accounts [1][8]. These tickets are encrypted with the service account's password hash [5].

  3. Ticket Extraction
    Tools like Mimikatz or Rubeus extract the encrypted ticket data from memory. The attack specifically targets tickets using the weaker RC4_HMAC_MD5 encryption type rather than more secure AES encryption [2][4].

  4. Offline Password Cracking
    Attackers use brute-force tools like Hashcat or John the Ripper to crack the hashes offline. Success depends on password strength:

    • Weak passwords (<25 characters) are vulnerable

    • Computer/managed service accounts (with 120+ character passwords) are generally safe [2][5]

| Attack Stage | Key Tools Used | Vulnerability Exploited |
|---|---|---|
| Ticket Harvesting | PowerShell, BloodHound | SPN misconfigurations |
| Ticket Extraction | Mimikatz, Rubeus | RC4_HMAC_MD5 encryption |
| Password Cracking | Hashcat, John the Ripper | Weak service account passwords |
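The attack chain above succeeds only where two conditions meet on the same account: a TGS can be requested for it (it has an SPN) and the resulting ticket is both cheaply crackable (RC4 or DES) and protects a password a human chose and rarely changed. The following audit script is an added illustration, not code from any of the cited sources. It scores SPN-bearing accounts on exactly those two factors using the real `msDS-SupportedEncryptionTypes` bitmask and the password-set timestamp; the directory records it runs over are constructed inline, and the 365-day threshold and the treatment of an unset attribute as "needs review" are assumptions a team would tune to its own domain policy.

```python
"""Audit of SPN-bearing accounts for the two Kerberoasting risk factors
named above: weak ticket encryption types and long-lived passwords on
ordinary user accounts.

Added illustration, not code from the cited sources. The directory
records below are constructed to mimic a few Active Directory
attributes; a real audit would read them over LDAP instead.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Bit values of the msDS-SupportedEncryptionTypes attribute.
ENC_TYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
WEAK_BITS = 0x01 | 0x02 | 0x04  # DES and RC4: key derived directly from the password

# Object classes whose passwords are long, random and rotated automatically.
MANAGED_CLASSES = {
    "computer",
    "msDS-ManagedServiceAccount",
    "msDS-GroupManagedServiceAccount",
}


@dataclass
class DirectoryAccount:
    sam_account_name: str
    object_class: str
    service_principal_names: List[str]
    supported_enc_types: Optional[int]  # None: attribute not set on the object
    pwd_last_set: datetime


def decode_enc_types(value: Optional[int]) -> List[str]:
    """Expand the bitmask into encryption type names (empty for 0/None)."""
    if not value:
        return []
    return [name for bit, name in ENC_TYPE_BITS.items() if value & bit]


def audit_account(acct: DirectoryAccount, now: datetime,
                  max_password_age_days: int = 365) -> List[str]:
    """Return the findings for one account; an empty list means no exposure found."""
    findings: List[str] = []
    if not acct.service_principal_names:
        return findings  # without an SPN no service ticket can be requested for it
    if acct.object_class in MANAGED_CLASSES:
        return findings  # 120+ character random password, rotated automatically
    etypes = acct.supported_enc_types
    if not etypes:
        findings.append("msDS-SupportedEncryptionTypes unset: the domain default "
                        "decides whether RC4 tickets are issued")
    elif etypes & WEAK_BITS:
        weak = [n for bit, n in ENC_TYPE_BITS.items() if bit & WEAK_BITS and etypes & bit]
        findings.append("weak ticket encryption permitted: " + ", ".join(weak))
    age = now - acct.pwd_last_set
    if age > timedelta(days=max_password_age_days):
        findings.append(f"password last set {age.days} days ago")
    return findings


def audit_directory(accounts, now, max_password_age_days=365):
    """Map account name -> findings, keeping only accounts with at least one."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, now, max_password_age_days)
        if findings:
            report[acct.sam_account_name] = findings
    return report


# Constructed sample directory; names and values are not from any real domain.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    DirectoryAccount("svc_sql", "user", ["MSSQLSvc/sql01.corp.example:1433"],
                     0x1C, datetime(2021, 3, 1, tzinfo=timezone.utc)),
    DirectoryAccount("svc_web", "user", ["HTTP/web01.corp.example"],
                     0x18, datetime(2024, 11, 1, tzinfo=timezone.utc)),
    DirectoryAccount("svc_legacy", "user", ["HOST/legacy01.corp.example"],
                     None, datetime(2019, 6, 30, tzinfo=timezone.utc)),
    DirectoryAccount("gmsa_app$", "msDS-GroupManagedServiceAccount",
                     ["HTTP/app01.corp.example"], 0x1C,
                     datetime(2025, 1, 1, tzinfo=timezone.utc)),
    DirectoryAccount("jdoe", "user", [], 0x18,
                     datetime(2020, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for name, findings in audit_directory(SAMPLE_ACCOUNTS, NOW).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Only `svc_sql` (RC4 still permitted, password from 2021) and `svc_legacy` (attribute unset, password from 2019) are reported; the AES-only `svc_web`, the gMSA and the SPN-less user pass. The value 0x1C in the sample is RC4 plus both AES types, the combination that lets a requester negotiate down to RC4.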

Why It's Effective

  • Stealth: No network traffic generated during cracking [4]
  • Legitimate Appearance: Uses normal Kerberos functions [6]
  • High Reward: Service accounts often have elevated privileges [3]

Mitigation Strategies

  • Enforce strong passwords (25+ chars) for service accounts [2][4]
  • Use AES encryption instead of RC4 for Kerberos tickets [2][7]
  • Implement Managed Service Accounts with auto-rotated passwords [5]
  • Monitor for abnormal TGS ticket requests [4][8]
  • Enable Multi-Factor Authentication for sensitive accounts [4]
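Monitoring for abnormal TGS requests in practice means watching Windows Security event 4769 for two signals the stages above produce: tickets issued with the RC4_HMAC_MD5 encryption type (0x17 in the event) and one account obtaining tickets for many distinct services in a short window. The script below is an added example, not code from the cited sources or from any vendor product. It reads constructed, flat key=value lines that carry the relevant 4769 fields (a real deployment would read the Security log or a SIEM export), and the five-minute window, the five-service threshold and the `svc_legacy` allow-list entry are assumptions to be tuned per environment.

```python
"""Detection of Kerberoasting patterns in TGS request telemetry.

Added illustration, not code from the cited sources. The log lines below
are constructed to carry the fields of Windows Security event 4769
(A Kerberos service ticket was requested) in a flat key=value form; a
real pipeline would read the events from the Security log or a SIEM.
The thresholds and the RC4 allow-list are assumptions to tune locally.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket Encryption Type values as logged in event 4769.
ETYPE_NAMES = {
    0x01: "DES_CBC_CRC",
    0x03: "DES_CBC_MD5",
    0x11: "AES128_CTS_HMAC_SHA1_96",
    0x12: "AES256_CTS_HMAC_SHA1_96",
    0x17: "RC4_HMAC_MD5",
}
WEAK_ETYPES = {0x01, 0x03, 0x17}


def parse_event(line):
    """Parse one constructed line into a dict (time, account, service, etype, status)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "account": fields["account"],   # requesting user (4769 Account Name)
        "service": fields["service"],   # service account name (4769 Service Name)
        "etype": int(fields["etype"], 16),
        "status": int(fields["status"], 16),  # 0x0 = ticket issued
    }


def detect(events, window=timedelta(minutes=5), spn_threshold=5,
           rc4_expected=frozenset()):
    """Apply two rules and return a list of alert dicts.

    weak_etype: a ticket was issued with RC4/DES for a service not on the
                allow-list of known legacy services.
    spn_burst:  one account obtained tickets for >= spn_threshold distinct
                services inside a sliding window, the harvesting pattern.
    """
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for e in events:
        if (e["status"] == 0 and e["etype"] in WEAK_ETYPES
                and e["service"] not in rc4_expected):
            alerts.append({"rule": "weak_etype", "account": e["account"],
                           "service": e["service"],
                           "etype": ETYPE_NAMES.get(e["etype"], hex(e["etype"]))})
    history = defaultdict(list)  # account -> [(time, service), ...] inside window
    flagged = set()
    for e in events:
        if e["status"] != 0:
            continue
        hist = history[e["account"]]
        hist.append((e["time"], e["service"]))
        while hist[0][0] < e["time"] - window:  # drop entries that left the window
            hist.pop(0)
        distinct = {svc for _, svc in hist}
        if len(distinct) >= spn_threshold and e["account"] not in flagged:
            flagged.add(e["account"])
            alerts.append({"rule": "spn_burst", "account": e["account"],
                           "services": sorted(distinct), "until": e["time"]})
    return alerts


# Constructed sample telemetry; accounts and timestamps are invented.
SAMPLE_LOG = """
2025-01-15T09:00:01Z account=alice service=svc_sql etype=0x12 status=0x0
2025-01-15T09:00:02Z account=bob service=WEB01$ etype=0x12 status=0x0
2025-01-15T09:01:00Z account=mallory service=svc_sql etype=0x17 status=0x0
2025-01-15T09:01:01Z account=mallory service=svc_web etype=0x17 status=0x0
2025-01-15T09:01:02Z account=mallory service=svc_backup etype=0x17 status=0x0
2025-01-15T09:01:03Z account=mallory service=svc_print etype=0x17 status=0x0
2025-01-15T09:01:04Z account=mallory service=svc_legacy etype=0x17 status=0x0
2025-01-15T09:30:00Z account=carol service=svc_legacy etype=0x17 status=0x0
2025-01-15T09:45:00Z account=dave service=svc_print etype=0x17 status=0x0
""".strip().splitlines()

# Assumption: one known legacy application still depends on RC4 tickets.
RC4_EXPECTED = frozenset({"svc_legacy"})


def run_detection():
    return detect([parse_event(line) for line in SAMPLE_LOG], rc4_expected=RC4_EXPECTED)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the sample, the two AES requests and carol's allow-listed legacy ticket produce nothing; mallory's four non-legacy RC4 tickets and dave's single one raise `weak_etype` alerts, and mallory's five distinct services in four seconds raise one `spn_burst`. The two rules are deliberately independent: an environment that has already disabled RC4 still sees the burst, and a slow, single-ticket request for an RC4-only service still surfaces through the encryption-type rule.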

The attack chain demonstrates how attackers leverage legitimate protocol features to escalate privileges, making detection challenging without proper monitoring and encryption standards [1][5]. Regular password rotation and eliminating weak encryption types remain critical defenses [2][4].

Citations:

  1. https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-kerberoasting-attack/
  2. https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/
  3. https://www.vaadata.com/blog/what-is-kerberoasting-attack-and-security-tips-explained/
  4. https://www.strongdm.com/what-is/kerberoasting
  5. https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003
  6. https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/kerberoasting/
  7. https://www.ibm.com/think/topics/kerberoasting
  8. https://www.rapid7.com/fundamentals/kerberoasting-attack/

Answer from Perplexity: pplx.ai/share