Cyberoaming — Kerberoasting Attack

Jason Zhang
2 min read · Jun 1, 2024


Kerberoasting Simplified Illustration

Learning About Kerberoasting Attack

Today, let's talk about the Kerberoasting attack. First, we need to understand Kerberos. Kerberos is a ticket-based system that simplifies authentication for accessing different services within the same network. The abbreviations used in the diagram and in this introduction are explained in the glossary at the end.

What is a Kerberoasting Attack?

As shown in the diagram, after the user has completed authentication (steps 1 and 2) and requests access to a service (step 3), the KDC (Key Distribution Center) issues a TGS-REP (Ticket Granting Service Response) to the user. The service ticket it contains is encrypted with the password hash of the service account associated with the requested SPN (Service Principal Name). We can capture the ticket at this step (step 4).

After capturing it, we can crack the ticket offline with tools like Hashcat or John the Ripper. If the crack succeeds, we obtain the password of the service account.

In many cases, because service accounts are used so frequently, their passwords are often simple or are simply the service name itself, such as sql_svc or mssql_svc. Passwords may also be reused across accounts, which can be advantageous during later pivoting.

How to Prevent It?

- Use complex passwords for service account users.
- Regularly check Access Control Lists (ACLs) and remove unnecessary ones.
- Continuously monitor changes in ACLs.
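The monitoring advice above can be made concrete. The following is an added example, not code from the original post, that scans Windows Security Event ID 4769 records ("A Kerberos service ticket was requested") for the footprint the attack described earlier leaves: one account obtaining RC4-encrypted service tickets for many distinct SPNs within a short window. The 4769 field names are the real ones; the log records are constructed sample data, and the threshold and window are assumed tuning values.

```python
# Added example (not from the original post): offline Kerberoasting detection
# over Windows Security Event ID 4769 records. Records below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES tickets are 0x11 / 0x12


def ev(time, user, spn, etype, ip="10.0.0.21"):
    """Build one constructed 4769-like record (real field names, sample values)."""
    return {"TimeCreated": time, "TargetUserName": user, "ServiceName": spn,
            "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed sample log: normal AES traffic, one legacy RC4 request, and a
# burst of RC4 tickets for six different SPNs requested by a single user.
SAMPLE_4769 = [
    ev("2024-06-01T09:00:00", "alice@CORP.LOCAL", "MSSQLSvc/db01.corp.local:1433", "0x12"),
    ev("2024-06-01T09:01:00", "alice@CORP.LOCAL", "WS07$", "0x12"),
    ev("2024-06-01T09:02:00", "carol@CORP.LOCAL", "HTTP/legacyapp.corp.local", "0x17"),
] + [
    ev(f"2024-06-01T09:05:{s:02d}", "bob@CORP.LOCAL", spn, "0x17", ip="10.0.0.99")
    for s, spn in enumerate(["MSSQLSvc/db01.corp.local:1433", "MSSQLSvc/db02.corp.local:1433",
                             "HTTP/intranet.corp.local", "CIFS/files.corp.local",
                             "ldap/app01.corp.local", "exchangeMDB/mail.corp.local"])
]


def is_candidate(event):
    """RC4 ticket for a user-owned SPN; skip krbtgt and computer accounts ('$')."""
    spn = event["ServiceName"]
    if spn.endswith("$") or spn.lower().startswith("krbtgt"):
        return False
    return event["TicketEncryptionType"].lower() == RC4_HMAC


def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=10)):
    """Return {requester: sorted SPNs} for each requester that obtained RC4
    tickets for at least `threshold` distinct SPNs within `window`."""
    by_user = defaultdict(list)
    for e in filter(is_candidate, events):
        by_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    findings = {}
    for user, reqs in by_user.items():
        reqs.sort()  # sliding window over (time, spn) pairs in time order
        for i, (start, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                findings[user] = sorted(spns)
                break
    return findings
```

In a real deployment the same logic runs over events exported from the domain controllers; tune the threshold to the number of SPNs an ordinary user touches in your environment.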

Glossary

Authentication Service (AS): The service used for authentication; the first step in Kerberos authentication.
Ticket Granting Ticket (TGT): A temporary ticket that allows users to request TGS without needing to re-authenticate.
Ticket Granting Service (TGS): The ticket required to interact with a service.
Key Distribution Center (KDC): Handles initial authentication and issues TGS.
Service Principal Name (SPN): The unique identifier for a service. The KDC uses this when a user requests to interact with the service.

Cyber folks, till next time…
