Kerberoasting Attack Explained - MITRE ATT&CK T1558.003

Kerberoasting is a post-exploitation attack technique that is used to obtain a password hash of an Active Directory (AD) account that has a servicePrincipalName (SPN) value.

The Complete Active Directory Security Handbook Exploitation , Detection, and Mitigation Strategies

In Active Directory, Service Principal Names (SPNs) are used to identify services and applications. SPNs are registered to user or computer accounts known as service accounts, which are specifically used to run services and applications. Service accounts are typically granted the least privilege necessary to perform their function. 

When a client requests a service from a server, it uses the SPN to locate the service account associated with the service. The client then authenticates itself to the service using the stored credentials of the service account, which are represented as a password hash within Active Directory.

In a Kerberoasting attack, an adversary exploits a vulnerability that arises in the handling of Service Principal Names (SPNs) and Ticket Granting Service (TGS) tickets within the Kerberos authentication protocol. This vulnerability allows attackers to manipulate the SPN value associated with a service account and subsequently request a TGS ticket for that account. As a result, the TGS ticket, which is encrypted with the password hash of the service account assigned to the requested SPN, becomes the prime target for the attacker.

By capturing or extracting the TGS tickets, the attacker gains access to the password hash of the service account. This provides an opportunity for the attacker to perform an offline brute force attack, aiming to crack the password hash and retrieve the plaintext password. 

Tools and Techniques to Perform Kerberoasting

While Mimikatz may be the first tool that comes to mind when thinking about Kerberoasting, it is important to note that attackers can leverage a Kerberoasting attack without mimikatz, too. Collaboration of tools such as Rubeus, Impacket, CrackMapExec, John the Ripper, and Hashcat are commonly employed by attackers during Kerberoasting attacks.

In this section, we are going to examine how adversaries use Impacket and Rubeus to abuse Kerberos in Active Directory (AD).

Tool 1: Impacket

Impacket is a valuable tool for penetration testers and hackers who interact with the Kerberos protocol and extract service account password hashes by requesting service tickets from the Key Distribution Center (KDC).

A typical Kerberoasting attack with Impacket script consists of three main parts.

Step 1: Enumerating the SPNs and requesting TGSs

1. The first step in a Kerberoasting attack is to enumerate the servicePrincipalNames (SPNs) associated with user or computer accounts in the target domain.

2. Once the SPNs are enumerated, the next step is to request Ticket Granting Service (TGS) tickets for those SPNs. 

The Impacket script GetUserSPNs.py can perform all the necessary steps to request a Ticket Granting Service (TGS) ticket for a service given its SPN and valid domain credentials:

The command above uses the GetUserSPNs.py script and specifies an output file, "kerberoastables.txt", where the obtained password hashes will be stored.

The -dc-ip flag to specify the IP address of the domain controller and the -outputfile flag to specify where the obtained password hashes will be saved. It also uses the 'DOMAIN/USER:Password' or 'DOMAIN/USER' argument to provide the domain, username and password/NT hash of a valid domain user to request the TGS ticket.

Adversaries can use the CrackMapExec (CME) tool to perform Kerberoasting attack against a list of systems specified by $TARGETS, using credentials provided by $USER and $PASSWORD. CrackMapExec is a post-exploitation tool that helps in automating the assessment of large Active Directory networks. 

The goal of the above command is to extract Kerberos tickets and save them to a file, kerberoastables.txt, enabling offline hash cracking attempts. The Key Distribution Center (KDC) is defined by $KeyDistributionCenter.

Step 2: Offline password cracking 

Having stolen password hashes, an adversary can perform an offline password cracking attack to obtain the plaintext password from using the third-party tools, such as John the Ripper and Hashcat.

The command above uses the --format=krb5tgs flag to specify that the hashes in the file "kerberoastables.txt" are in the format of Kerberos 5 TGS (Ticket Granting Service) and --wordlist flag to specify the location of the wordlist file to use in the cracking process. Once the command is executed, John will try to find a match between the password hashes and the words in the wordlist file.

Step 3: Using new privileges to further objectives

Once the password has been cracked, the attacker can use the service account's credentials to access network resources and further their objectives. This can include exfiltrating data, moving laterally within the network, or escalating their privileges. 

Tool 2: Rubeus

Rubeus is a powerful tool for executing Kerberoasting attacks against Active Directory environments. It simplifies the process by automating key steps. It helps to enumerate Service Principal Names (SPNs), request Ticket Granting Service (TGS) tickets for service accounts, and extract password hashes from memory. This gathered information can then be used for offline password cracking, leveraging the potential weakness of service account passwords. The utility of Rubeus makes it a significant asset in any Kerberoasting attack.

A Kerberoasting attack with the Rubeus tool typically consists of four main parts.

Step 1: Enumerate servicePrincipalNames

1. First step of a Kerberoasting attack is to enumerate the Service Principal Names (SPNs) of the targeted service accounts with desirable privileges. 

For this reason, adversaries can develop customized LDAP filters to look for users with SPN values registered for current domain [1].

The given LDAP code sets up a filter to query Active Directory for user objects with a Service Principal Name (SPN) set. It creates a DirectorySearcher object to perform the search from the root of the domain. The search results are then processed, creating a custom object for each user, displaying their username and the first SPN associated. This information helps to target specific service accounts with desirable privileges for a Kerberoasting attack.

Service Principal Names (SPNs) are used in Kerberos authentication to associate a service instance with a service logon account. This association enables the client to request an authenticated session with the service instance, and each SPN must be unique within the Active Directory forest. 

SPNs are composed of two parts: the service class, and the host name. 

The service class is the name of the service, such as "HTTP" or "LDAP", and the host name is the DNS host name or the IP address of the machine where the service is running.

In the output example, ServiceAccount1 and ServiceAccount2 are usernames of the service accounts, and http/webserver1 and cifs/appserver2 are the respective SPNs for these accounts. The first represents an HTTP service running on webserver1, and the second represents a file sharing (CIFS) service on appserver2.

Step 2: Requesting TGS tickets 

2. In the second step of a Kerberoasting attack, the attacker requests Ticket Granting Service (TGS) tickets for these service accounts. 

Tools such as Rubeus can be used to automate this process by extracting the password hashes from memory. 

Let’s explain this command.

The command .\Rubeus.exe kerberoast /simple /outfile:passwordhashes.txt requests Ticket Granting Service (TGS) tickets for service accounts from the Key Distribution Center and extracts the password hashes, storing them in passwordhashes.txt. The Get-Content command is then used to display the contents of this file, including the extracted password hashes of the targeted service accounts, which can be subjected to offline cracking attempts later.

Step 3: Cracking the password offline

3. The next step in the attack is to obtain the plaintext passwords of the service accounts, this process is done by performing an offline password cracking attack. 

Offline password cracking attacks do not require attackers to communicate with the active directory, making the attack undetectable. 

To perform an offline password cracking attack, the attacker can use different tools such as John the Ripper and Hashcat, that are designed specifically for password cracking with dictionaries of common passwords:

The command uses the hashcat.exe executable and specifies the following flags:

• -m 13100: This flag is used to specify the hash type, in this case Kerberos 5 TGS (Ticket Granting Service)

• -o cracked.txt: This flag is used to specify the output file where the cracked passwords will be saved

• -a 0: This flag is used to specify the attack mode, in this case 0 stands for "Straight" attack mode.

The command also specifies the file paths of the passwordhashes.txt and wordlist.txt. Once the command is executed, Hashcat will try to find a match between the password hashes in the passwordhashes.txt file and the words in the wordlist.txt file.

Step 4: Using new privileges to further objectives

Once the password has been cracked, the attacker can use the service account's credentials to access network resources and further their objectives.

For instance, having the account credentials, the adversary can use the runas tool with the /netonly parameter to run PowerShell as the "ServiceAccount1" user.

How to Detect Kerberoasting Attack?

It is possible to identify various signs of Kerberoasting by observing the Windows event log for unusual requests for ticket-granting service (TGS).

By closely monitoring and analyzing these events, one can identify patterns or abnormalities that may signify a Kerberoasting attack. The event logs might reveal multiple TGS requests for the same service, which could be a sign that an attacker is trying to request service tickets to extract and crack their password hashes.

Detecting a Kerberoasting Attack with the Windows Event ID 4769

Event ID 4769 - A Kerberos Service Ticket was requested

• Key Description Fields: Account Name, Service Name, Client Address

The key Windows Event ID for detecting a Kerberoasting attack is the Event ID 4769.  Windows event ID 4769 is generated whenever a Kerberos Ticket Granting Service (TGS) request is received by the Key Distribution Center (KDC). 

Detecting a Kerberoasting Attack with the Windows Event ID 4770

Event ID 4770 - A Kerberos Service Ticket was renewed

• Key Description Fields: Account Name, User ID, Service Name, Service ID

Windows Event ID 4770 is associated with the renewal of a Kerberos service ticket. When monitoring for Kerberoasting attacks, this event could provide useful insight but might not be as direct as event ID 4769.

In a Kerberoasting attack, the attacker may attempt to extend the lifetime of a ticket or renew it to maintain access. Thus, a high frequency of ticket renewal requests (Event ID 4770) for the same account could be a potential sign of such an attack.

The key description fields like 'Account Name', 'User ID', 'Service Name', 'Service ID' provide important information about the user and service related to the renewed ticket. Analyzing these fields can help identify unusual or suspicious activities. However, it's worth noting that the renewal of a service ticket alone is a normal activity within a network and doesn't necessarily indicate a Kerberoasting attack. It becomes suspicious when it's coupled with other indicators like high frequency or abnormal patterns of renewals.

How to Stop and Mitigate Kerberoasting Attacks?

To safeguard service account passwords from Kerberoasting attacks, several measures can be taken such as:

Mitigation Technique 1: Rejecting authentication requests not using Kerberos Flexible Authentication Secure Tunneling (FAST) 

To protect service account passwords against Kerberoasting attacks, organizations can enable Kerberos Flexible Authentication Secure Tunneling (FAST). 

FAST, also known as Kerberos Armoring, provides an additional layer of protection by establishing a secure and authenticated channel between the domain controller and the client. It forces the use of stronger encryption during the Kerberos pre-authentication process and thus prevents attackers from intercepting and manipulating the Kerberos traffic, which is exactly what happens in a Kerberoasting attack.

By requiring pre-authentication to use FAST, organizations can significantly increase the complexity required for an attacker to successfully perform a Kerberoasting attack. 

Mitigation Technique 2: Eliminating the use of insecure protocols in Kerberos 

To mitigate Kerberoasting attacks, organizations can configure individual service accounts to not accept the RC4 protocol. This can be done by setting the attribute msDS-SupportedEncryptionTypes to 0x18 (decimal 24), which will only enable AES128 and AES256. This change not only improves security but also makes it easier to detect malicious activity.

Mitigation Technique 3: Adopting strong password hygiene practices for service accounts 

To mitigate Kerberoasting attacks, organizations should adopt strong password hygiene practices for service accounts. 

Here are some additional details about strong password hygiene practices for service accounts:

• Service account passwords should be randomly generated. This means that they should not be based on any personal information, such as names, dates, or other easily guessed words or phrases.

• Service account passwords should have a minimum length of 30 characters. This makes them more difficult to crack using brute force or dictionary attacks.

• Service account passwords should be changed frequently. This helps to mitigate the risk of an attacker guessing or cracking the password.

By following these strong password hygiene practices, organizations can help to protect their service accounts from Kerberoasting attacks and other security threats.

References

[1] “Kerberoasting Attack”. [Online]. Available: https://snikt.net/blog/2023/01/25/active-directory-using-ldap-queries-for-stealthy-enumeration/ [Accessed: Jan. 13, 2023]

The Red Report 2023 The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries