Active Directory Kerberoasting attack
Kerberoasting is a type of cyber attack that targets the Kerberos authentication used in Active Directory (AD). In this attack, hackers exploit weaknesses in how Kerberos handles service tickets to steal service account credentials.
Some basic terms
Kerberos defines two types of principal names:
- UPN (User Principal Name)
- SPN (Service Principal Name)
In Kerberos, only user accounts have a User Principal Name (UPN). Service Principal Names (SPNs), on the other hand, can be assigned to both user accounts and computer accounts; for computer accounts they are defined automatically.
A Service Principal Name (SPN) identifies a service that runs under the security context of an account. An SPN is defined on a user account when a service or application runs under that user's security context. Such user accounts are commonly referred to as "service accounts".
Examples of user accounts with SPNs defined
Key Components of Kerberos Authentication
- Key Distribution Center (KDC): The KDC is a crucial component in the Kerberos authentication protocol, responsible for validating user identities. Typically hosted on a domain controller, the KDC comprises two main server elements: the Authentication Server (AS) and the Ticket Granting Server (TGS).
- Authentication Server (AS): The Authentication Server is responsible for verifying a principal’s identity and, upon successful authentication, issuing a Ticket Granting Ticket (TGT). This TGT enables the principal to request service tickets from the Ticket Granting Server (TGS). A valid TGT is stored in the credentials cache for each domain that the principal has accessed resources in.
- Ticket Granting Server (TGS): The Ticket Granting Server issues service tickets when a principal requests access to a Kerberos-protected service. Before a service ticket can be granted, the principal must first present a valid Ticket Granting Ticket (TGT) for the Active Directory domain.
Kerberos Ticketing Process
KRB_AS_REQ: The client sends a request for a TGT to the AS. The AS_REQ carries the user's UPN together with the current computer time encrypted with the user's password hash; this information is called the authentication data.
KRB_AS_REP: After verifying the authentication data, the KDC answers the client with a KRB_AS_REP containing a TGT and a session key for the TGT.
KRB_TGS_REQ: Because it now holds a valid TGT, the client can request a service ticket. It sends this request to the TGS; the message is known as KRB_TGS_REQ.
KRB_TGS_REP: This is where the client receives material encrypted with the service account's password hash. After the KDC confirms the validity of the TGT presented with the service ticket request, it replies to the client with a KRB_TGS_REP message. This response contains both the service ticket and the session key for the service.
Kerberoasting Attack
Kerberoasting is a cybersecurity attack technique targeting the Kerberos authentication protocol used within Active Directory (AD) environments. In a Kerberoasting attack, an attacker exploits a vulnerability in the way Kerberos handles service tickets to obtain service account credentials.
Here’s how a typical Kerberoasting attack works:
Enumeration of Service Principal Names (SPNs): The attacker enumerates AD to identify service accounts. Each service account has an associated SPN for which a ticket can be requested.
GetUserSPNs.py <Domain/username:password> -dc-ip <IP of DC> -request
Requesting Service Tickets (TGS): The attacker requests a Ticket Granting Service (TGS) ticket (i.e. a security token) for each identified SPN. Any authenticated user in the domain can make these requests.
Extracting the Service Tickets: Once the TGS tickets are received, they are extracted from memory. These tickets are encrypted with the service account's password hash.
- Rubeus fully automates requesting and extracting the tickets
PS> .\Rubeus.exe kerberoast /simple /outfile:hashes.txt
Offline Cracking: The attacker attempts to crack the encryption on the TGS tickets offline. Tools like Hashcat or John the Ripper can be used to perform brute-force or dictionary attacks against the ticket to recover the plaintext password of the service account.
PS> .\hashcat.exe -m 13100 -o cracked.txt -a 0 .\Hash.txt .\wordlist.txt
Escalating Privileges: Once the attacker obtains the service account credentials, they can use them to further their access within the network, often leveraging the service account’s permissions to escalate privileges or move laterally within the network.
PS> runas /netonly /User:ServiceAccount1 powershell.exe
Note: There are various commands and methods available for performing Kerberoasting attacks.
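From the defender's side, every step above leaves a trace on the domain controller: each service ticket request is logged as Security event 4769 (when "Audit Kerberos Service Ticket Operations" is enabled), and the tooling shown above tends to request RC4-encrypted tickets (encryption type 0x17) for many user-account SPNs in a short burst. The following Python script is an added example written for this article, not code from the original post or from any of the tools it mentions. The log lines inside it are constructed: each one flattens the 4769 fields a DC records (TargetUserName is the account that requested the ticket, ServiceName the account the SPN belongs to, TicketEncryptionType the ticket's encryption type); the field names follow the Windows event schema, all values are made up.

```python
"""Kerberoasting detection over Windows Security event 4769 (service ticket requested).

Added example for this article, not code from the original post. SAMPLE_4769_LOG is
constructed: each line flattens the 4769 fields a domain controller logs. Field names
follow the Windows event schema; every value is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type numbers (RFC 3961) as they appear in TicketEncryptionType.
RC4_HMAC = 0x17    # legacy etype; cracks far faster than AES, so roasting tools ask for it
AES256_CTS = 0x12  # what modern clients negotiate by default

SAMPLE_4769_LOG = """\
2024-05-01T10:00:01Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=FILESRV01$ TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.21 Status=0x0
2024-05-01T10:00:03Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2024-05-01T10:00:04Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_iis TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2024-05-01T10:00:04Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2024-05-01T10:00:05Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2024-05-01T10:00:06Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.55 Status=0x0
2024-05-01T10:00:09Z EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.77 Status=0x0
2024-05-01T10:30:00Z EventID=4769 TargetUserName=dave@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.90 Status=0x0
2024-05-01T10:31:00Z EventID=4768 TargetUserName=dave@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.90 Status=0x0
"""


def parse_4769(line):
    """Parse one flattened log line; None for non-4769, failed or malformed entries."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    # Only successful service ticket requests matter; 4768 (TGT requests) are skipped.
    if fields.get("EventID") != "4769" or fields.get("Status") != "0x0":
        return None
    try:
        etype = int(fields["TicketEncryptionType"], 16)
    except (KeyError, ValueError):
        return None
    return {"time": ts, "user": fields.get("TargetUserName", ""),
            "service": fields.get("ServiceName", ""), "etype": etype,
            "ip": fields.get("IpAddress", "")}


def is_roastable_service(service):
    """Only user-account SPNs have a human-chosen password. Computer accounts (names
    ending in $) and krbtgt use long random keys, so tickets for them are ignored."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(log_text, window=timedelta(minutes=5), min_spns=3):
    """Return (rc4_events, alerts).

    rc4_events: every RC4 ticket issued for a user-account SPN; with AES-capable
        clients this is a downgrade indicator on its own.
    alerts: one entry per requester that obtained tickets for at least min_spns
        distinct user-account SPNs inside `window` (the enumerate-then-request burst).
    """
    events = [e for e in (parse_4769(ln) for ln in log_text.splitlines()) if e]
    rc4_events = [e for e in events
                  if e["etype"] == RC4_HMAC and is_roastable_service(e["service"])]

    by_user = defaultdict(list)
    for e in events:
        if is_roastable_service(e["service"]):
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            in_window = evs[start:end + 1]
            spns = sorted({e["service"] for e in in_window})
            if len(spns) >= min_spns:
                alerts.append({"user": user, "ip": evs[end]["ip"], "spns": spns,
                               "rc4_count": sum(1 for e in in_window if e["etype"] == RC4_HMAC)})
                break  # one alert per requester is enough
    return rc4_events, alerts


if __name__ == "__main__":
    rc4, alerts = detect_kerberoasting(SAMPLE_4769_LOG)
    print(f"{len(rc4)} RC4 service tickets issued for user-account SPNs")
    for a in alerts:
        print(f"ALERT {a['user']} from {a['ip']} requested {len(a['spns'])} SPNs "
              f"({a['rc4_count']} RC4): {', '.join(a['spns'])}")
```

On the sample data the script flags bob, who obtained RC4 tickets for several unrelated service accounts within seconds, while alice (a computer-account SPN), carol (one AES ticket for the service she actually uses) and dave (a single RC4 ticket) stay below the burst threshold; dave's lone RC4 ticket is still listed, because legitimate RC4 use in a modern domain usually points at a legacy application or an account whose msDS-SupportedEncryptionTypes still permits RC4. Tune `window` and `min_spns` to the environment, and pair the detection with the mitigations that make the cracking step in the article fail: long random passwords or group Managed Service Accounts for anything carrying an SPN, and AES-only encryption types on those accounts.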
I hope this article provides you with a clear understanding of Kerberoasting. If you encounter any difficulties or have questions, please don’t hesitate to reach out to me.