
Cyber Security Interview Prep. Q9: "Kerberoasting"

  • mahfuz3895
  • Oct 4, 2021
  • 2 min read

Updated: Oct 5, 2021

Category: Red Team

Question: What is Kerberoasting? How does it work?


Kerberoasting is a post-exploitation attack used for lateral movement or privilege escalation in a Windows environment that uses Kerberos for authentication. A user account you already have access to is used to request a TGT from the Kerberos server and then a service ticket (TGS) for the target service; that service ticket can then be captured from memory.

The captured ticket can be cracked offline to gain access to the service account. This works because the service ticket is, by design, encrypted with the NTLM hash of the service account's password.

Note that the SPNs registered for Kerberos-enabled services on a network are tied either to a user account or to a host (computer) account. Kerberoasting only works if the target service account you are trying to pivot into is user-based, because that means a human set the password. For host-based SPNs, the passwords are longer and may rotate automatically, so they are near-impossible to crack.


This attack is definitely one to try if you have acquired credentials for any user account and you know that Active Directory is in use. Another potentially viable attack is AS-REP Roasting, which will be covered in the next Red Team post.


Remediation and Countermeasures


Firstly, as with AS-REP Roasting, making sure that each Kerberos service account has a strong password that is changed often makes it much harder for an attacker to take advantage of this weakness. The hash the attacker obtains still has to be cracked to recover the password; if the password is long, complex and changes often, cracking may prove difficult or near-impossible, boosting security.


Secondly, Kerberoasting can be detected by deliberately exposing a service account for attackers to find: when a ticket is requested for that account, an alert is triggered, allowing for a response. The account is set up to provide little or no access once compromised, so it is a "honeypot" or "honey account" that exists solely to detect and track attackers.
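As an added example (not from the original post), the detection logic below runs over constructed Windows Security Event ID 4769 (service ticket request) records and raises the honey-account alert described above, plus two further signals the same log supports: an RC4 ticket for a user-based SPN and a burst of requests for many user-based SPNs from one principal. The honey account name, the thresholds and the sample records are assumptions for illustration.

```python
from collections import defaultdict

# Assumed values for illustration: the honey account's name and the alert thresholds.
HONEY_SERVICES = {"svc-honey"}   # user-based SPN nothing legitimate should ever request
RC4_HMAC = "0x17"                # TicketEncryptionType logged for RC4-HMAC tickets
BURST_THRESHOLD = 5              # distinct user-based SPNs from one principal...
WINDOW_SECONDS = 60              # ...within this many seconds


def is_user_spn(service_name):
    """Computer accounts end in '$'; anything else is a user-owned service account."""
    return not service_name.endswith("$")


def detect_kerberoasting(events):
    """Return (severity, reason, requesting_user) alerts from 4769-style records."""
    alerts = []
    requests = defaultdict(list)  # TargetUserName -> [(time, ServiceName)]
    for ev in events:
        user, svc = ev["TargetUserName"], ev["ServiceName"]
        if svc in HONEY_SERVICES:
            alerts.append(("high", f"ticket requested for honey account {svc}", user))
        if not is_user_spn(svc):
            continue  # host-based SPNs are out of scope for Kerberoasting
        if ev["TicketEncryptionType"] == RC4_HMAC:
            alerts.append(("medium", f"RC4 service ticket for user-based SPN {svc}", user))
        requests[user].append((ev["Time"], svc))
    # Burst check: roasting tools typically request every user-based SPN at once.
    for user, reqs in requests.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            distinct = {s for t, s in reqs[i:] if t - t0 <= WINDOW_SECONDS}
            if len(distinct) >= BURST_THRESHOLD:
                alerts.append(("medium", f"{len(distinct)} user-based SPNs requested within {WINDOW_SECONDS}s", user))
                break
    return alerts


# Constructed sample records; "Time" is a seconds offset, not a real timestamp.
SAMPLE_EVENTS = [
    {"Time": 0, "TargetUserName": "alice", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12"},
    {"Time": 10, "TargetUserName": "bob", "ServiceName": "svc-sql", "TicketEncryptionType": "0x17"},
    {"Time": 11, "TargetUserName": "bob", "ServiceName": "svc-web", "TicketEncryptionType": "0x17"},
    {"Time": 12, "TargetUserName": "bob", "ServiceName": "svc-backup", "TicketEncryptionType": "0x17"},
    {"Time": 13, "TargetUserName": "bob", "ServiceName": "svc-honey", "TicketEncryptionType": "0x17"},
    {"Time": 14, "TargetUserName": "bob", "ServiceName": "svc-print", "TicketEncryptionType": "0x17"},
    {"Time": 30, "TargetUserName": "carol", "ServiceName": "svc-sql", "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    for severity, reason, user in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"[{severity}] {user}: {reason}")
```

Only "bob" trips any rule in the sample: alice's request is for a host SPN and carol's single AES-encrypted request is normal activity.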



Further reading:




©2020 by Breakthrough Tactics
