Lead Image © alphaspirit, 123RF.com
Making Kerberoasting uneconomical
Sophisticated Heist
Unauthorized access to credentials is a part of virtually any successful cyberattack. Attackers are particularly interested in techniques that provide access credentials that allow far-reaching authorizations without immediately setting off the alarm bells on monitoring systems. Sometimes these techniques result from the functionality of Windows and Active Directory (AD).
Stolen and Broken
Kerberoasting [1] is an attack technique that relies on the ability of every user or computer to request, in Kerberos, a service ticket from the domain controller (DC) for every service. A check as to whether the requesting account has the right to do this only occurs when the service is accessed with this ticket. Therefore, if a security principal in the AD has a service principal name (SPN), any user – including a standard user or a workstation hijacked by an attacker – can grab a service ticket for this security principal from a DC.
The service ticket issued by the DC contains a part that is exclusively intended for the requested service principal and is also intended to ensure that the ticket was generated by the DC of the specified domain. For this purpose, the ticket is encrypted with the Kerberos hash of the service account, which is ideally only known to the DC and the account itself. However, the ticket contains plain text information that is known from the outset, such as the name of the requesting user, which allows the success of a decryption attempt to be verified quickly and reliably. The information attackers are looking for is not included in the payload, but used as an encryption key.
Kerberoasting therefore boils down to brute force. As a rule, the attackers first extract the complete service ticket from the compromised environment and use tools such as Hashcat or John the Ripper in their own environment to reconstruct
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Focusing on security in Active Directory
To prevent an intruder attack in Active Directory, Windows Server's security features along with freeware monitoring can save the day. -
Protect privileged accounts in AD
Granular protection for highly privileged accounts is granted by the Protected Users group in Active Directory and Kerberos authentication policies. -
Ticket Management with osTicket
osTicket is a lean ticket system that limits itself to the core functions of receiving and processing requests. -
Cyber security for the weakest link
The balance between IT threats and IT security is woefully unbalanced in a Windows environment, requiring the enforcement of company-wide security standards. -
Pre-authentication for Kerberos services
The Kerberos protocol makes the process of logging in to a service completely transparent to the user. The MIT Kerberos library lets you implement different security requirements for individual services.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
