
Understanding Kerberoasting: How to Identify and Protect Vulnerable Accounts

Kerberoasting is a common attack technique in which an adversary extracts and cracks service account passwords in a Windows environment. It targets accounts with a Service Principal Name (SPN), typically service accounts that applications use to authenticate to other services in an Active Directory (AD) environment. Any authenticated domain user can request a service ticket for such an account, and because that ticket is encrypted with a key derived from the service account's password, the attacker can attempt to crack it offline using tools like John the Ripper or Hashcat. If successful, the attacker gains access to the service account, potentially leading to a broader network compromise.

How Kerberoasting Works

  1. Enumeration of Service Accounts with SPNs: The attacker queries Active Directory to find accounts with SPNs, which are typically service accounts.
  2. Requesting Service Tickets: The attacker requests a service ticket for each SPN-enabled account. The ticket is encrypted with a key derived from the service account’s password (its NTLM hash when RC4 is in use).
  3. Cracking the Ticket: The attacker then extracts the ticket and attempts to crack it offline to recover the plaintext password.

For a detailed step-by-step explanation of how Kerberoasting works, you can refer to this guide on Kerberoasting.

Identifying Vulnerable Accounts with PowerShell

To proactively protect your environment against Kerberoasting, it’s essential to identify all accounts that have SPNs set. You can easily do this using PowerShell. The following command lists all potentially affected accounts, including details like when their password was last set and when they last logged on:

# Lists enabled user accounts that have at least one SPN. A string filter is used because
# "$null" inside a script-block filter is a well-known source of parsing surprises.
Get-ADUser -Filter 'ServicePrincipalName -ne "$null" -and Enabled -eq $true' `
    -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate, Enabled |
    Select-Object SamAccountName, ServicePrincipalName, PasswordLastSet, LastLogonDate, Enabled

This command retrieves:

  • SamAccountName: The username of the account.
  • ServicePrincipalName: The SPNs associated with the account.
  • PasswordLastSet: When the password was last changed.
  • LastLogonDate: The last time the account was used to log in.
  • Enabled: Whether the account is currently active.

By reviewing this information, you can identify accounts that might be at risk and take appropriate action.
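The one-liner above tells you which accounts have SPNs, but not which of them are the most exposed. The following script is an added example (not from the original post) that builds on the same query and scores each account on the factors that make a Kerberoasting attempt likely to succeed: password age, whether RC4 is still permitted for the account (read from msDS-SupportedEncryptionTypes), and direct membership in a privileged group. The age threshold and the group list are assumptions to tune for your environment.

```powershell
# Added example: triage SPN-enabled accounts for Kerberoasting exposure.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365                                                        # assumption
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumption

# msDS-SupportedEncryptionTypes bit flags as documented by Microsoft.
$RC4 = 0x4
$AES = 0x8 -bor 0x10      # AES128-CTS-HMAC-SHA1-96 (0x8) and AES256 (0x10)

$accounts = Get-ADUser -Filter 'ServicePrincipalName -ne "$null" -and Enabled -eq $true' `
    -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate, MemberOf, 'msDS-SupportedEncryptionTypes'

$report = foreach ($u in $accounts) {
    $encTypes = $u.'msDS-SupportedEncryptionTypes'
    # An unset (null/0) value means the KDC falls back to its defaults, which still include RC4
    # for user accounts, so treat "unset" as "RC4 allowed".
    $rc4Allowed = (-not $encTypes) -or (($encTypes -band $RC4) -ne 0)
    $aesAllowed = [bool]$encTypes -and (($encTypes -band $AES) -ne 0)

    $pwdAgeDays = if ($u.PasswordLastSet) {
        (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
    } else { $null }   # null means "must change at next logon" or never set

    # Direct membership only; nested membership would need a recursive group lookup.
    $isPrivileged = $false
    foreach ($dn in $u.MemberOf) {
        $cn = (($dn -split ',')[0]) -replace '^CN=', ''
        if ($PrivilegedGroups -contains $cn) { $isPrivileged = $true }
    }

    $reasons = @()
    if ($rc4Allowed)        { $reasons += 'RC4 allowed' }
    if (-not $aesAllowed)   { $reasons += 'AES not enabled' }
    if ($null -eq $pwdAgeDays -or $pwdAgeDays -gt $MaxPasswordAgeDays) { $reasons += "Password age ${pwdAgeDays}d" }
    if ($isPrivileged)      { $reasons += 'Privileged group member' }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        SPNs            = ($u.ServicePrincipalName -join '; ')
        PasswordAgeDays = $pwdAgeDays
        LastLogonDate   = $u.LastLogonDate
        Privileged      = $isPrivileged
        RC4Allowed      = $rc4Allowed
        RiskScore       = $reasons.Count      # simple count of findings; highest first in the output
        Reasons         = ($reasons -join ', ')
    }
}

$report | Sort-Object RiskScore -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\kerberoast-exposure.csv -NoTypeInformation
```

Accounts that score on "RC4 allowed" and "Privileged group member" at the same time are the ones to fix first: a cracked RC4 ticket for a Domain Admin service account is the worst case the post describes. Note that Get-ADUser does not return gMSAs, which is fine here since their passwords are managed and rotated automatically.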

Best Practices to Mitigate Kerberoasting

  1. Use Strong, Complex Passwords: Ensure that service accounts have strong, complex passwords that are difficult to crack, around 25 characters long.
  2. Regularly Rotate Service Account Passwords: Regular password changes make it more difficult for attackers to successfully crack a service ticket before the password is changed.
  3. Monitor for Unusual Activity: Use SIEM solutions to monitor for unusual Kerberos ticket requests, especially those targeting service accounts.
  4. Limit Account Privileges: Ensure that service accounts have the minimum required privileges and consider using Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs), which automatically manage and rotate their passwords.
  5. Disable Unnecessary SPNs: Regularly audit SPNs and remove those that are no longer needed. This reduces the attack surface.
  6. Use Modern Encryption: Where possible, avoid using legacy encryption methods like RC4 and move to stronger algorithms like AES.
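Items 1, 2 and 6 above come together when you remediate a single account: the password must be long and random, it must be rotated, and the account must be restricted to AES. The script below is an added example (not from the original post) showing that sequence for one account; the account name is a placeholder. The ordering matters and is the caveat most often missed: enabling AES on an account does not create AES keys, those are only derived when the password is next set, so the password reset has to follow the encryption-type change or the account keeps falling back to RC4.

```powershell
# Added example: harden one SPN-enabled service account (placeholder name).
# Run with rights to modify the account. Changing the password breaks any service
# still configured with the old one, so update the service's credential store in the same change.
Import-Module ActiveDirectory

$Account = 'svc_placeholder'   # placeholder: replace with the account under review

# 1. Long random password from a CSPRNG. Rejection sampling avoids modulo bias.
function New-RandomPassword {
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+.:,?'
    $n     = $alphabet.Length
    $limit = 256 - (256 % $n)          # bytes >= $limit are discarded
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $n]) }
    }
    $sb.ToString()
}

# 2. Restrict the account to AES so the KDC stops issuing RC4 service tickets for it.
Set-ADUser -Identity $Account -KerberosEncryptionType 'AES128,AES256'

# 3. Reset the password AFTER step 2: this is what generates the AES keys.
$newPassword = New-RandomPassword -Length 32
Set-ADAccountPassword -Identity $Account -Reset `
    -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
# Hand $newPassword to the service configuration or vault here, then drop it from memory.
Remove-Variable newPassword

# 4. Verify: PasswordLastSet should be now and KerberosEncryptionType should list only AES.
Get-ADUser -Identity $Account -Properties PasswordLastSet, KerberosEncryptionType, ServicePrincipalName |
    Select-Object SamAccountName, PasswordLastSet, KerberosEncryptionType, ServicePrincipalName
```

Where the service can run as a gMSA, prefer that over this manual loop: the password is 240 characters, rotated by AD every 30 days by default, and the encryption-type change is a one-time setting on the account. For accounts that cannot be migrated, schedule this script as the rotation job the post's item 2 calls for.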

By following these best practices and regularly auditing your Active Directory for potentially vulnerable accounts, you can significantly reduce the risk of a successful Kerberoasting attack in your environment.
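Item 3 of the best practices, monitoring for unusual Kerberos ticket requests, is easiest to reason about with a concrete rule. Domain controllers log every service-ticket request as Security Event ID 4769, and the field TicketEncryptionType records the cipher used (0x17 is RC4-HMAC, 0x12 is AES256). The Kerberoasting pattern the post describes shows up as one principal requesting RC4 tickets for many distinct SPN-holding accounts in a short window. The script below is an added example (not from the original post) that parses those events and applies that rule; the window size and threshold are assumptions, and the sample records are constructed so the logic can be exercised without a domain controller.

```powershell
# Added example: flag Kerberoasting-like bursts in Event ID 4769 records.
$WindowMinutes  = 10     # assumption: sliding window length
$MinDistinctSvc = 5      # assumption: distinct SPN accounts per window that trigger an alert
$RC4 = '0x17'

# Reduce a raw 4769 EventRecord to the fields the rule needs.
function ConvertFrom-TgsEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Requester = $d['TargetUserName']        # principal that asked for the ticket
        Service   = $d['ServiceName']           # account the requested SPN belongs to
        EncType   = $d['TicketEncryptionType']
        Status    = $d['Status']
        IpAddress = $d['IpAddress']
    }
}

# Group RC4 requests by requester and look for >= $MinDistinctSvc distinct services per window.
function Find-KerberoastPattern {
    param([object[]]$Requests, [int]$WindowMinutes, [int]$MinDistinctSvc)
    $candidates = $Requests | Where-Object {
        $_.EncType -eq $RC4 -and
        $_.Status  -eq '0x0' -and               # successful requests only
        $_.Service -notmatch '\$$' -and         # computer accounts (name ends in $) are noise here
        $_.Service -ne 'krbtgt'
    }
    foreach ($group in ($candidates | Group-Object Requester)) {
        $events = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $end      = $events[$i].Time.AddMinutes($WindowMinutes)
            $inWindow = @($events | Where-Object { $_.Time -ge $events[$i].Time -and $_.Time -le $end })
            $distinct = @($inWindow.Service | Sort-Object -Unique)
            if ($distinct.Count -ge $MinDistinctSvc) {
                [pscustomobject]@{
                    Requester = $group.Name
                    Start     = $events[$i].Time
                    Services  = $distinct.Count
                    SourceIp  = (($inWindow.IpAddress | Sort-Object -Unique) -join ',')
                }
                break    # one alert per requester is enough
            }
        }
    }
}

# Constructed sample (not real log data): one user pulls RC4 tickets for six services in two
# minutes; a second user makes a single AES request and must not be flagged.
$t0 = Get-Date '2024-01-01T10:00:00'
$sample = @(
    foreach ($n in 1..6) {
        [pscustomobject]@{ Time = $t0.AddSeconds(20 * $n); Requester = 'alice@CORP'; Service = "svc_app$n"; EncType = '0x17'; Status = '0x0'; IpAddress = '10.0.0.5' }
    }
    [pscustomobject]@{ Time = $t0.AddSeconds(30); Requester = 'bob@CORP'; Service = 'svc_sql'; EncType = '0x12'; Status = '0x0'; IpAddress = '10.0.0.9' }
)
Find-KerberoastPattern -Requests $sample -WindowMinutes $WindowMinutes -MinDistinctSvc $MinDistinctSvc

# Against a live domain controller (last 24 hours of the Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertFrom-TgsEvent $_ }
# Find-KerberoastPattern -Requests $live -WindowMinutes $WindowMinutes -MinDistinctSvc $MinDistinctSvc
```

The same rule translates directly into a SIEM query: filter EventID 4769 to TicketEncryptionType 0x17 and Status 0x0, exclude ServiceName values ending in $ and krbtgt, then count distinct ServiceName per TargetUserName over a ten-minute bucket. Once the accounts from the audit above are moved to AES, any remaining 0x17 ticket for them is itself worth an alert.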


Understanding Kerberoasting: How to Identify and Protect Vulnerable Accounts was originally published in OSINT Team on Medium.