How to Secure Active Directory Against Attacks

What is Kerberoasting? The term comes from Kerberos, the authentication protocol used by Active Directory to validate the identity of users and machines attempting to access network resources.

Kerberoasting is a post-exploitation technique. An attacker who already holds an ordinary user account in the domain asks the KDC for a service ticket for an account that has a Service Principal Name (SPN), then cracks that ticket offline to recover the service account's plaintext password. If the crack succeeds, the attacker logs in as the service account and uses whatever rights it holds to extend control over part or all of the Active Directory infrastructure.

Multi-Step Attack

How does the attack unfold in practice? The mechanism is somewhat technical, but it can be summarized in five broad steps:

  1. The attacker starts with any existing Windows user account in the Active Directory domain. It does not need to be privileged; access is typically gained through classic but effective methods such as phishing or credential-stealing malware.
  2. They then enumerate user accounts that have an SPN, using tools such as Rubeus from the GhostPack suite, PowerView, or a plain LDAP query (any authenticated user can read the servicePrincipalName attribute). These service accounts are attractive because they are often over-privileged, sometimes to the point of holding domain administrator rights, and because their passwords are rarely rotated.
  3. Using the compromised account, the attacker requests a service ticket (TGS, for Ticket Granting Service) for the targeted SPN from the domain controller. The ticket names the SPN and is encrypted with a key derived from the service account's password; for RC4 tickets that key is simply the account's NT hash.
  4. The ticket is pulled out of the requesting user's ticket cache and taken offline. From this point on, nothing further touches the domain controller: the single ticket request is the only trace the attack leaves on the network or in the logs, which is what keeps it discreet.
  5. Finally, the attacker runs a dictionary or brute-force attack against the ticket, trying candidate passwords until one decrypts it. Success yields the plaintext password of the service account and, with it, access to every resource that account is allowed to reach.

Advantages for Adversaries

Kerberoasting is a complex attack technique, but many readily available online tools let you identify accounts with an SPN and then crack the obtained tickets. This method offers several advantages to cybercriminals:

  • Any user account can be used to request a ticket from the Active Directory. A single ordinary user account can therefore be enough to launch the attack.
  • The ticket is then cracked offline, so the attacker can make unlimited guesses with no lockouts and no further contact with the domain controller. Tools like John the Ripper or Hashcat are commonly used for this purpose.
  • Kerberoasting does not require malware on the host. The ticket request is a legitimate Kerberos operation that can be made with built-in .NET classes or with a standalone tool, so signature-based antivirus has nothing to scan. Detection therefore has to come from Kerberos telemetry on the domain controllers (event ID 4769) or from behavioural EDR rules, not from file scanning.
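The one stage of the attack that is not invisible is the ticket request itself, which every domain controller logs as Security event 4769. The following detection logic is an added example written for this page, not from the original article or any vendor product; the event records, user, service and address names are constructed for the example, and the thresholds are assumptions to be tuned per domain.

```powershell
# Added example: detection rules over domain-controller Security event 4769
# ("A Kerberos service ticket was requested"). The records below are constructed
# for the example; in production, build the same objects from
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}
# using the TargetUserName, ServiceName, TicketEncryptionType and IpAddress
# fields of each event's XML. All names and addresses are made up.

$events = @(
    # ordinary workstation traffic: AES256 (0x12) tickets, one or two services per user
    [pscustomobject]@{ Time='2024-05-02T08:01:10'; User='alice'; Service='FS01$';      Etype=0x12; Ip='10.0.1.15' }
    [pscustomobject]@{ Time='2024-05-02T08:01:12'; User='alice'; Service='svc-sql';    Etype=0x12; Ip='10.0.1.15' }
    # one low-privilege user pulling RC4 (0x17) tickets for every user SPN in the domain within seconds
    [pscustomobject]@{ Time='2024-05-02T09:14:01'; User='bob';   Service='svc-sql';    Etype=0x17; Ip='10.0.1.77' }
    [pscustomobject]@{ Time='2024-05-02T09:14:01'; User='bob';   Service='svc-web';    Etype=0x17; Ip='10.0.1.77' }
    [pscustomobject]@{ Time='2024-05-02T09:14:02'; User='bob';   Service='svc-backup'; Etype=0x17; Ip='10.0.1.77' }
    [pscustomobject]@{ Time='2024-05-02T09:14:02'; User='bob';   Service='svc-decoy';  Etype=0x17; Ip='10.0.1.77' }
    [pscustomobject]@{ Time='2024-05-02T09:14:03'; User='bob';   Service='svc-sap';    Etype=0x17; Ip='10.0.1.77' }
)

# Inventory from the SPN audit: user (not computer) accounts that carry an SPN. For such SPNs the
# ServiceName field of 4769 holds the service account's sAMAccountName.
$spnUserAccounts = 'svc-sql','svc-web','svc-backup','svc-sap','svc-decoy'
# A decoy account with a registered SPN that no real client ever uses: any ticket for it is hostile.
$honeypots = 'svc-decoy'

function Find-KerberoastActivity {
    param(
        [object[]]$Events,
        [string[]]$SpnUserAccounts,
        [string[]]$Honeypots,
        [int]$DistinctServiceThreshold = 4,   # assumption: real users rarely touch this many user SPNs
        [int]$WindowMinutes = 5
    )
    $alerts = [System.Collections.Generic.List[object]]::new()
    $toUserSpn = @($Events | Where-Object { $SpnUserAccounts -contains $_.Service })

    # Rule 1: RC4 tickets for user-account SPNs. Windows clients on an AES-capable domain ask for
    # AES; roasting tools ask for RC4 because those tickets crack fastest. One alert per user+source.
    foreach ($g in $toUserSpn | Where-Object { $_.Etype -eq 0x17 } | Group-Object User, Ip) {
        $alerts.Add([pscustomobject]@{
            Rule = 'rc4-tgs-for-user-spn'; User = $g.Group[0].User; Ip = $g.Group[0].Ip
            Detail = ("{0} RC4 ticket(s): {1}" -f $g.Count, (@($g.Group.Service | Select-Object -Unique) -join ','))
        })
    }
    # Rule 2: one requester asking for many distinct user SPNs inside a short window, whatever the
    # etype. This also catches an attacker who requests AES tickets to stay clear of rule 1.
    foreach ($g in $toUserSpn | Group-Object User) {
        $sorted    = @($g.Group | Sort-Object { [datetime]$_.Time })
        $windowEnd = ([datetime]$sorted[0].Time).AddMinutes($WindowMinutes)
        $services  = @($sorted | Where-Object { [datetime]$_.Time -le $windowEnd } | ForEach-Object Service | Select-Object -Unique)
        if ($services.Count -ge $DistinctServiceThreshold) {
            $alerts.Add([pscustomobject]@{
                Rule = 'many-spns-short-window'; User = $g.Name; Ip = $sorted[0].Ip
                Detail = ("{0} distinct user SPNs within {1} min" -f $services.Count, $WindowMinutes)
            })
        }
    }
    # Rule 3: any ticket at all for a honeypot SPN account.
    foreach ($e in $Events | Where-Object { $Honeypots -contains $_.Service }) {
        $alerts.Add([pscustomobject]@{ Rule = 'honeypot-spn-requested'; User = $e.User; Ip = $e.Ip; Detail = $e.Service })
    }
    return $alerts
}

Find-KerberoastActivity -Events $events -SpnUserAccounts $spnUserAccounts -Honeypots $honeypots |
    Format-Table Rule, User, Ip, Detail -AutoSize
# With the constructed data, alice triggers nothing (AES, a single user SPN) and bob trips all three rules.
```

Rule 1 is the cheapest to run and the hardest to argue with on a domain where RC4 has been retired; rule 2 is what remains once attackers request AES tickets to avoid it, and rule 3 costs nothing beyond creating one decoy account with a long random password and an SPN that no service actually uses.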

How to Protect Your Active Directory

It’s easy to see why this technique attracts attackers. But with the right practices, you can defend against it effectively:

  • Strengthen passwords for SPN-enabled accounts: Each account exposed via an SPN should have a long, random, and non-reused password. Since the only thing standing between the attacker and the plaintext is offline guessing, a random password of 25 characters or more puts the ticket beyond any realistic cracking budget.
  • Use AES for service tickets: The encryption type of a ticket follows the service account's own msDS-SupportedEncryptionTypes attribute (and what the client asks for), so AES is enabled per account, not only on the domain controllers. With RC4 the ticket key is the account's NT hash, which cracks at very high rates; with AES the key is derived through PBKDF2 with 4096 iterations, making every guess far more expensive. Set AES on each SPN account and disable RC4 on it as soon as the service in question supports AES; as long as RC4 remains allowed, an attacker can simply request an RC4 ticket.
  • Reduce the SPN footprint: Audit the user accounts that have an SPN, and remove or consolidate the ones that are no longer needed, so there are fewer sensitive accounts to protect. Where possible, move services to group Managed Service Accounts (gMSAs): Active Directory generates their 120-character passwords and rotates them automatically, which takes the ticket out of reach of offline cracking altogether.
  • Control privileges: Limit each account to the minimum rights required. Avoid adding service accounts to groups with elevated privileges. A tiered administration model contains the damage if a service account is compromised.
  • Monitor Kerberos traffic for anomalies: Domain controllers log every service ticket request as event ID 4769. A well-configured SIEM can flag the signs of a Kerberoasting run: a single account requesting tickets for many distinct SPNs within a short window, tickets with encryption type 0x17 (RC4) issued for user-account SPNs, and any request for a honeypot account whose SPN no real service uses.
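The audit and remediation side of the list above, as an added example written for this page rather than code from the original article. It assumes the RSAT ActiveDirectory module and an account permitted to modify the targets; the password-age threshold, the list of privileged groups, and the account, host and SPN names in the remediation section are placeholders.

```powershell
# Added example: audit every user account that carries an SPN against the checks
# listed above, then remediate. Requires the RSAT ActiveDirectory module and an
# account allowed to modify the targets. Thresholds, the group list, and the
# account, host and SPN names in the remediation section are placeholders.
Import-Module ActiveDirectory

$maxPasswordAgeDays = 365
$privilegedGroups   = 'Domain Admins','Enterprise Admins','Administrators','Schema Admins','Account Operators','Backup Operators'

# msDS-SupportedEncryptionTypes bits: 0x1 DES-CRC, 0x2 DES-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256.
# Unset/0 means the DC applies its default, which still includes RC4.
$spnUsers = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', MemberOf, LastLogonDate

$findings = foreach ($u in $spnUsers) {
    $enc    = [int]$u.'msDS-SupportedEncryptionTypes'
    $groups = foreach ($dn in $u.MemberOf) { (Get-ADGroup $dn).Name }   # direct membership only; nesting needs a recursive walk
    $pwdAge = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { -1 }
    [pscustomobject]@{
        Account         = $u.SamAccountName
        Enabled         = $u.Enabled
        SPNs            = $u.servicePrincipalName -join ';'
        PasswordAgeDays = $pwdAge
        OldPassword     = ($pwdAge -lt 0) -or ($pwdAge -gt $maxPasswordAgeDays)
        AllowsRC4       = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)
        AESOnly         = (($enc -band 0x18) -ne 0) -and (($enc -band 0x7) -eq 0)
        PrivilegedVia   = @($groups | Where-Object { $privilegedGroups -contains $_ }) -join ','
        Stale           = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt (Get-Date).AddDays(-90))
    }
}
$findings | Sort-Object PrivilegedVia, PasswordAgeDays -Descending | Format-Table -AutoSize

# Remediation 1: stop RC4 tickets for accounts that still allow them. The ticket etype follows the
# service account's own msDS-SupportedEncryptionTypes, so this is per account, not a DC-wide switch.
# Confirm the service binary supports AES first, and reset the password once if it predates AES
# support in the domain; otherwise no AES keys exist and Kerberos to that service breaks.
function Set-SpnAccountAesOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Account)
    foreach ($a in $Account) {
        if ($PSCmdlet.ShouldProcess($a, 'Set KerberosEncryptionType = AES128,AES256')) {
            Set-ADUser -Identity $a -KerberosEncryptionType AES128,AES256
        }
    }
}
$rc4Accounts = @($findings | Where-Object AllowsRC4).Account
if ($rc4Accounts) { Set-SpnAccountAesOnly -Account $rc4Accounts -WhatIf }   # drop -WhatIf to apply

# Remediation 2: remove the entry point for stale accounts: clear the SPN so the account can no
# longer be roasted, then disable it.
#   Set-ADUser svc-old -Clear servicePrincipalName ; Disable-ADAccount svc-old

# Remediation 3: move the service to a gMSA. AD generates a 120-character password and rotates it
# every 30 days, which puts the ticket out of reach of offline cracking. One-time prerequisite
# per forest: Add-KdsRootKey -EffectiveImmediately
#   New-ADServiceAccount -Name gmsa-sql -DNSHostName gmsa-sql.corp.example `
#       -PrincipalsAllowedToRetrieveManagedPassword 'SQL-Servers' `
#       -ServicePrincipalNames 'MSSQLSvc/sql01.corp.example:1433'
#   On sql01: Install-ADServiceAccount gmsa-sql, then run the service as CORP\gmsa-sql$ (blank password).
```

Sorting on PrivilegedVia first is deliberate: an SPN account that is a member of Domain Admins with a years-old RC4-capable password is the single worst finding this report can produce, and it is the one to fix the same day.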

Analyze Your AD for Obsolete Accounts

Specops Password Auditor is a read-only tool that scans your Active Directory environment for weak, reused, and compromised passwords. It audits the passwords of domain service accounts and shows which service accounts hold administrator rights. The exportable report also gives you a comprehensive view of obsolete (inactive) accounts in your organization; when such an account still carries an SPN, its old and unmonitored password makes it a natural Kerberoasting target. The tool is available as a free download.

Prevent Kerberoasting Attacks

Kerberoasting is a multi-step attack, but one thing is certain: password security sits at the heart of your defense, and it rests on two pillars. The first is the foothold. Before an attacker can request a service ticket for an SPN account, they need control of some other user account in the domain, which they typically obtain through well-known methods such as phishing or credential-stealing malware.

Strong, unique user passwords and multifactor authentication (MFA) on user accounts raise the cost of that first step. By ensuring your passwords meet the strictest security requirements, you protect your organization and its people from the very first stage of a Kerberoasting attack.

The second pillar is the attack itself. As noted, Kerberoasting relies on offline dictionary and brute-force guessing, and that guessing becomes hopeless against long, unique, random passwords of 25 characters or more. By ensuring that every SPN-related account is protected by such a password, or by a gMSA whose password Active Directory manages, you take a major step toward securing your Active Directory.

Specops Password Policy helps block weak passwords and enforce the creation of robust and unique passphrases. In addition, it continually analyzes your AD using a constantly evolving list containing more than 4 billion compromised passwords and alerts users if their password appears in it. Want to know how this can fit into your environment? Contact us for a demonstration.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.