Kerberoasting Definition:
Kerberoasting is a post-exploitation attack technique targeting Kerberos service accounts within a Windows Active Directory environment. Attackers request and capture service ticket hashes, which can then be brute-forced offline to reveal the associated plaintext passwords. This allows attackers to potentially escalate privileges or gain further access to network resources.
What is Kerberoasting?
Kerberoasting focuses on exploiting Kerberos Ticket Granting Service (TGS) tickets issued to service accounts. Since service accounts often use complex passwords and operate with elevated privileges, capturing their ticket hashes can provide valuable information for attackers attempting to compromise a network. The attack leverages legitimate features of the Kerberos protocol, making it difficult to detect.
Why is Kerberoasting important?
The purpose of Kerberoasting is to gain unauthorised access to service accounts by cracking their password hashes. Successful attacks can allow an adversary to escalate their privileges, move laterally across the network, and potentially gain control over critical systems. Organisations often face challenges in detecting and mitigating Kerberoasting attacks because the attacks rely on normal Kerberos operations.
How does Kerberoasting work?
Kerberoasting typically begins with an attacker, who has gained initial access to a network, requesting a service ticket for a Kerberos service principal name (SPN). The ticket, which contains a portion encrypted with a key derived from the service account’s password, is captured and extracted. The attacker then uses offline tools, such as Hashcat or John the Ripper, to brute-force the password from the ticket hash.
Kerberoasting Examples:
An example of Kerberoasting involves an attacker compromising a standard user account within a domain, using tools like 'Invoke-Kerberoast' to request service tickets for SPNs, and extracting ticket hashes for offline cracking. If successful, the attacker can uncover service account passwords and use them to access sensitive systems.
Kerberoasting Issues:
Kerberoasting poses a significant risk because it leverages legitimate Kerberos functionality and does not require direct exploitation of software vulnerabilities. Mitigation strategies include enforcing strong, complex passwords for service accounts, regular password rotation, using Group Managed Service Accounts (gMSAs), and monitoring for unusual Kerberos ticket request activity.
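One way to monitor for unusual ticket request activity, as an added example that is not part of the original page: the sketch below scans Windows Security Event ID 4769 records (service ticket requested) and flags accounts that request RC4-HMAC tickets (TicketEncryptionType 0x17) for several distinct services within a short window. The account names, service names, window and threshold are constructed assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC (etype 23)

# Constructed sample of Event ID 4769 fields:
# (time, requesting account, service name, ticket encryption type)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "alice@CORP.EXAMPLE", "svc-sql", "0x12"),
    ("2024-05-01T09:10:00", "alice@CORP.EXAMPLE", "svc-legacy", "0x17"),
    ("2024-05-01T09:15:01", "bob@CORP.EXAMPLE", "svc-sql", "0x17"),
    ("2024-05-01T09:15:03", "bob@CORP.EXAMPLE", "svc-web", "0x17"),
    ("2024-05-01T09:15:07", "bob@CORP.EXAMPLE", "svc-backup", "0x17"),
    ("2024-05-01T09:15:12", "bob@CORP.EXAMPLE", "svc-sharepoint", "0x17"),
    ("2024-05-01T09:15:20", "bob@CORP.EXAMPLE", "FILESRV01$", "0x17"),
    ("2024-05-01T08:00:00", "carol@CORP.EXAMPLE", "svc-sql", "0x17"),
    ("2024-05-01T10:00:00", "carol@CORP.EXAMPLE", "svc-web", "0x17"),
    ("2024-05-01T13:00:00", "carol@CORP.EXAMPLE", "svc-backup", "0x17"),
]

def flag_kerberoast_candidates(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted services} for accounts that requested RC4 tickets
    for at least `threshold` distinct services inside one sliding time window."""
    per_account = defaultdict(list)
    for ts, account, service, etype in events:
        # Skip non-RC4 tickets, and machine-account ($) and krbtgt services (routine noise).
        if etype.lower() != RC4_HMAC or service.endswith("$") or service == "krbtgt":
            continue
        per_account[account].append((datetime.fromisoformat(ts), service))
    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Slide the left edge forward until the span fits inside the window.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                flagged.setdefault(account, set()).update(services)
    return {acct: sorted(svcs) for acct, svcs in flagged.items()}

if __name__ == "__main__":
    print(flag_kerberoast_candidates(SAMPLE_EVENTS))
```

Tickets issued with AES encryption types can also be cracked offline, so the RC4 filter reduces noise and is not a complete detection on its own.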