What is Kerberosting

What is Kerberoasting ?

The general concept of Kerberoasting is requesting service tickets (TGS) from the KDC (Kerberos Domain Controller) that are associated with service accounts to retrieve their hashes. Then, attempt to crack them offline with tools like Hashcat or John to recover the cleartext passwords to either escalate privileges vertically to become a local administrator or horizontally to access a set of different resources that can be used for pivoting within the network.

The service accounts can be linked to hosts like computers (CN=Computers) or domain users (CN=Users). Each service account can be mapped to a set of running services like MSSQL, Web, SharePoint, File shares, Exchange services, etc., within the domain known as Service Principal Names (SPNs).

*Service Principal Name maps the host/user service accounts to running services.

Kerberos in a nutshell :

  1. When a user logs on to Active Directory, the user authenticates to the Domain Controller (DC) using the user’s password which of course the DC knows.
  2. The DC sends the user a Ticket Granting Ticket (TGT) Kerberos ticket. The TGT is presented to any DC to prove authentication for Kerberos service tickets.
  3. The user opens up Skype which causes the user’s workstation to lookup the Service Principal Name (SPN) for the user’s Exchange server.
  4. Once the SPN is identified, the computer communicates with a DC again and presents the user’s TGT as well as the SPN for the resource to which the user needs to communicate.
  5. The DC replies with the Ticket Granting Service (TGS) Kerberos service ticket.
  6. The user’s workstation presents the TGS to the Exchange server for access.
  7. Skype connects successfully.

How to do it ?

Once you have admin/standard user access, look for the supported SPNs and get TGS ticket for the SPN using GetUserSPNs tool from Impacket.

TGS ticket dump from Attacker’s PC

Mitigations:

  • If possible use group managed service accounts which have random, complex passwords (>100 characters) and are managed automatically by Active Directory.
  • Ensure all service accounts (user accounts with Service Principal Names) have long, complex passwords greater than 25 characters, preferably 30 or more. This makes cracking these password far more difficult.
  • Service Accounts with elevated AD permissions should be the focus on ensuring they have long, complex passwords.
  • Ensure all Service Account passwords are changed regularly
Share the Post...
WhatsApp

About Cybervie

Cybervie provides best cyber security training program in hyderabad, India.This cyber security course enables you to detect vulnerablities of a system, wardoff attacks and manage emergency situations. Taking a proactive approach to security that can help organisations to protect their data, Cybervie has designed its training module based on the cyber security industry requirements with three levels of training in both offensive and defensive manner, and use real time scenarios which can help our students to understand the market up-to its standard certification which is an add on advantage for our students to stand out of competition in an cyber security interview.

More Info – Click Here

Recent Posts

Follow Us on Youtube

Cyber Security Training Program 2020

Cyber security Course offered by Cybervie prepares students for a path of success in a highly demanding and rapidly growing field of cyber security. The course is completely designed with an adaptable mindset, where the program allows the student to complete the course work at their own pace while being able to complete weekly assignments. Hence, also making it convenient for busy working professionals to pursue the training to help them advance their career in cyber security.

Cybervie has designed the training module based on the cyber security industry requirements in both offensive and defensive manner, using real time scenarios which help our students to understand the market standards.

Sign up for our Newsletter

Interested in Cyber Security Training Program 2020 – Click Here

Open chat
1
Hello 👋
How can we help you?