What is Kerberoasting, and how does it work?

Kerberoasting is a post-exploitation attack (an attack that’s carried out on a system that’s already been compromised) hackers use for persistence, privilege escalation, and lateral movement in a compromised system. It targets the Kerberos protocol to get password hashes for Active Directory service accounts with Service Principal Names (SPNs).

That’s a mouthful, isn’t it?

Essentially, Kerberoasting enables hackers to obtain and exploit weak or poorly managed service account passwords. Why is a service account an enticing target? Typically, service accounts have more privileges than regular accounts.

Jumping from a regular account to a service account enables attackers to escalate their privileges, potentially even to a domain admin level. And having domain admin access could let the attacker control, manipulate, and misconfigure the Active Directory system at their will.

To understand how Kerberoasting works, let’s first look at the Kerberos authentication and its role in Active Directory.

How Kerberos authentication works

Let’s use a city fair analogy to explain Kerberos protocol authentication. Imagine you want to try out a Ferris wheel in the middle of the fair, filled with a bunch of other attractions. Here’s how you’d go about it:

1. When you arrive, you’ll need to pay money to receive an entrance stamp for the fair. In the same way, you enter your credentials on your computer, and the authentication server grants you access to your corporate network. Your computer requests the Ticket-Granting Service (TGS) tickets (an entrance stamp for the fair) from the authentication server or a domain controller to enter the network.
2. Once inside, you can’t just jump on the Ferris wheel. You’ll need to go to the ticket booth (key distribution center) and get a ticket for the Ferris wheel. The Ferris wheel is the server with your work files and resources. Meanwhile, the Ferris wheel ticket is the service-specific valid session key and service ticket.
3. Now that you have your ticket (session key and ticket), the Ferris wheel attendant (service server) will confirm that you’re old and tall enough to ride and allow you in (grant you access to the server with files and resources).

The ticket is valid for one ride, so if you want to enjoy the Ferris wheel again, you have to repeat the whole process.

Where does Kerberoasting come in?

Kerberoasting is possible because of the way a Kerberos service ticket is created. It doesn’t just enable access to specific work files or resources. The service ticket also contains an encrypted password hash of a service account.

Also, the key distribution center (the ticket booth for the Ferris wheel) does not decide if the user should have the ticket — the target service determines. So any user (or fair visitor) can ask for a ticket to any attraction. Let’s take a look at how Kerberoasting works using the same city fair analogy:

1. The attacker is already walking around at the city fair. As mentioned above, this is a post-exploitation attack, which means the attacker already has access to a user account (as a fair visitor, in our analogy).
2. The attacker is scouting the area for specific target attractions or booths. These attractions are the service accounts in Active Directory with a Service Principal Name . A Service Principal Name is a unique identifier that ties hosts and services to identities.
3. If a Service Principal Name is set on a user account, the attacker can request a ticket (session key and service ticket) from the booth (key distribution center) tied to a specific account.
4. When the attacker receives a ticket from the ticket booth, it’s not just the entrance to the Ferris wheel. If an SPN is set, the ticket comes with encrypted information, including the service account’s hashed password.
5. After receiving the tickets for the attractions, the attacker collects and stores them away from the fair. The encrypted information alone can’t do them any good.
6. In their secret hideout, a tent away from the fair, they can begin another type of attack — password cracking. If the passwords are weak, they can be cracked offline by a brute force attack.
7. If they succeed and manage to crack the service account with elevated privileges, they don’t just have access to the Ferris wheel. Depending on the level of privileges, they could even pretend to be workers at the fair and have behind-the-scenes access. In this case — control of the Active Directory environment.

Despite being discovered in 2014, Kerberoasting has persisted for nearly a decade since the attack’s detection. So why does Kerberoasting still happen?

• The attacker doesn’t need elevated privileges to perform Kerberoasting — no need to hack the CEO.
• Any authorized user accounts can be used for Kerberoasting since they can see which service accounts have Service Principal Name set.
• Kerberoasting is hard to detect since authorized user accounts can request service tickets in the Active Directory environment.
• Mostly, Kerberoasting is relatively low effort and high reward. If the attacker manages to get a password hash of a weak password, something as simple as a dictionary attack could work in cracking the password.
• Worst still, other types of attacks exploit the Kerberos authentication protocol. In addition to Kerberoasting, Golden Ticket attack, Mimikatz, and Skeleton Key are ways to abuse Kerberos.

• Monitor user accounts. Look out for suspicious activity coming from both user and service accounts.
• Analyze Windows Event logs. Look out for suspicious activity related to Kerberos operations.
• Inspect Kerberos service ticket requests. Especially look out for the number of service ticket requests spiking.
• Look out for irregularities related to Service Principal Names. Pay close attention to the creation and modification of the Service Principal Names.

• Educate yourself and everyone within the organization. Ensure you and your team know about digital hygiene, keeping your digital identity safe, and the dangers of identity theft.
• Malware also plays a significant role in gaining unauthorized access to a network, so make sure you have anti-malware software installed.
• Ensure password hygiene in your organization. Weak passwords are vital to the success of Kerberoasting, so make sure your team knows how to create strong, unique passwords. A password manager could make this practice significantly more manageable.
• Enable multi-factor authentication wherever possible. It provides an extra layer of security against unauthorized access to your network, even if someone’s credentials were compromised and ended up on the dark web.
• Consider implementing the zero-trust security model in your organization. It can help manage external and internal threats in your company.
• Use endpoint protection. The more devices are connected to your network, the more crucial endpoint security is.
• Be proactive — monitor the Active Directory environment. Look out for suspicious activity and request service tickets. Identify accounts with privileged access and take extra vigilance in ensuring their safety.