Lead Image © alphaspirit, 123RF.com

Making Kerberoasting uneconomical

Sophisticated Heist

Article from ADMIN 81/2024
By
Kerberoasting is a technique that exploits the Kerberos authentication protocol. We take a closer look at the available safeguards and detection measures against this attack.

Unauthorized access to credentials is part of virtually any successful cyberattack. Attackers are particularly interested in techniques that yield credentials with far-reaching authorizations without immediately setting off alarm bells on monitoring systems. Sometimes these techniques result from the functionality of Windows and Active Directory (AD).

Stolen and Broken

Kerberoasting [1] is an attack technique that relies on the ability of every user or computer to request a Kerberos service ticket from the domain controller (DC) for any service. The check as to whether the requesting account has the right to do this occurs only when the service is accessed with this ticket. Therefore, if a security principal in the AD has a service principal name (SPN), any user – including a standard user or a workstation hijacked by an attacker – can grab a service ticket for this security principal from a DC.

The service ticket issued by the DC contains a part that is intended exclusively for the requested service principal and that also serves to prove that the ticket was generated by the DC of the specified domain. For this purpose, this part of the ticket is encrypted with the Kerberos hash of the service account, which is ideally known only to the DC and the account itself. However, the ticket contains plain text information that is known from the outset, such as the name of the requesting user, which allows the success of a decryption attempt to be verified quickly and reliably. The information attackers are looking for is not included in the payload, but is used as the encryption key.
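Because any account can request a ticket for any SPN, one signal a defender can watch for is a single account requesting tickets for many different services in a short time. The following is an added example, not code from the article: it runs that check over constructed Windows event ID 4769 records, and the window, threshold, account names, and service names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumption: tune to your environment
MAX_SERVICES = 3               # assumption: distinct services tolerated per window
RC4_HMAC = "0x17"              # Kerberos etype 23 as logged in event 4769

# Constructed sample: (time, requesting account, ServiceName, TicketEncryptionType)
SAMPLE_EVENTS = [
    ("2024-05-02T09:00:01", "alice@CORP.EXAMPLE", "svc-sql", "0x12"),
    ("2024-05-02T09:15:00", "bob@CORP.EXAMPLE", "svc-sql", "0x17"),
    ("2024-05-02T09:15:03", "bob@CORP.EXAMPLE", "svc-web", "0x17"),
    ("2024-05-02T09:15:05", "bob@CORP.EXAMPLE", "FILE01$", "0x12"),
    ("2024-05-02T09:15:07", "bob@CORP.EXAMPLE", "svc-backup", "0x17"),
    ("2024-05-02T09:15:09", "bob@CORP.EXAMPLE", "svc-report", "0x12"),
    ("2024-05-02T09:15:12", "bob@CORP.EXAMPLE", "svc-hr", "0x17"),
    ("2024-05-02T09:40:00", "alice@CORP.EXAMPLE", "svc-web", "0x12"),
]


def find_ticket_bursts(events, window=WINDOW, max_services=MAX_SERVICES):
    """Return {requester: {services, rc4}} for bursts above max_services."""
    per_user = defaultdict(list)
    for ts, user, service, etype in events:
        service = service.lower()
        # Skip computer accounts (trailing $) and krbtgt: machine-generated keys.
        if service.endswith("$") or service == "krbtgt":
            continue
        per_user[user.lower()].append(
            (datetime.fromisoformat(ts), service, etype.lower()))

    findings = {}
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1  # slide the window forward
            burst = reqs[start:end + 1]
            services = sorted({svc for _, svc, _ in burst})
            seen = len(findings.get(user, {}).get("services", []))
            if len(services) > max(max_services, seen):
                rc4 = sum(1 for _, _, e in burst if e == RC4_HMAC)
                findings[user] = {"services": services, "rc4": rc4}
    return findings


if __name__ == "__main__":
    print(find_ticket_bursts(SAMPLE_EVENTS))
```

The RC4 count is reported alongside each finding so that an analyst can see how many of the tickets in the burst were issued with etype 0x17 rather than an AES type.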

Kerberoasting therefore boils down to brute force. As a rule, the attackers first extract the complete service ticket from the compromised environment and use tools such as Hashcat or John the Ripper in their own environment to reconstruct

...