Active Directory Security - Kerberoasting

Kerberoasting

Kerberoasting is an attack that targets service accounts in an Active Directory (AD) domain.
It abuses the Kerberos protocol to obtain material encrypted with the password hash of user accounts that have a Service Principal Name (SPN) set, also known as service accounts.

This is an extremely powerful attack vector because it can be carried out by any authenticated domain user. An attacker can use a compromised user's account to request a service ticket (TGS) for any SPN, obtain the part of that ticket encrypted with the service account's password hash, and crack it offline using tools such as Hashcat or John the Ripper.

Due to the nature of this attack it can be very hard to detect; you have to watch the event log for anomalous service ticket (TGS) requests. To help detect whether you are being attacked, you can create a honeypot service account (a service account with an SPN that is not actually used) and alert whenever anyone requests a service ticket for that account.
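The detection described above, as an added example that is not part of the original post: a small hunt over Kerberos service ticket requests (Windows Security event ID 4769), which is the one place Kerberoasting leaves a trace. The sample records are constructed to look like 4769 fields; the account names, the `svc_honeypot` decoy and the addresses are placeholders, and the burst threshold is an assumption to tune for your domain.

```powershell
# Added example, not from the original post: hunt for Kerberoasting indicators in
# Kerberos service ticket requests (Security event ID 4769).

function Find-KerberoastIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with 4769-style fields
        [string[]] $Honeypots = @(),                  # decoy service accounts nobody should request
        [int] $BurstThreshold = 3                     # distinct SPNs one requester may touch before we flag it (assumption)
    )
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($e in $Events) {
        # 1. A ticket for the honeypot SPN: no legitimate client ever asks for it.
        if ($Honeypots -contains $e.ServiceName) {
            $findings.Add([pscustomobject]@{
                Reason = 'Honeypot SPN requested'; Requester = $e.TargetUserName
                Service = $e.ServiceName; Source = $e.IpAddress })
        }
        # 2. RC4 tickets (TicketEncryptionType 0x17): where the domain issues AES
        #    tickets by default, a request that comes back as RC4 deserves a look,
        #    because RC4 tickets are far cheaper to crack offline.
        if ($e.TicketEncryptionType -eq '0x17') {
            $findings.Add([pscustomobject]@{
                Reason = 'RC4 service ticket'; Requester = $e.TargetUserName
                Service = $e.ServiceName; Source = $e.IpAddress })
        }
    }

    # 3. One account requesting tickets for many different SPNs looks like an
    #    enumeration of every SPN rather than normal application use.
    foreach ($group in ($Events | Group-Object -Property TargetUserName)) {
        $distinct = @($group.Group.ServiceName | Sort-Object -Unique).Count
        if ($distinct -ge $BurstThreshold) {
            $findings.Add([pscustomobject]@{
                Reason = "Burst: $distinct distinct SPNs"; Requester = $group.Name
                Service = '*'; Source = (@($group.Group.IpAddress | Sort-Object -Unique) -join ',') })
        }
    }
    return $findings
}

# CONSTRUCTED sample data shaped like 4769 fields (0x12 = AES256, 0x17 = RC4).
$SampleEvents = @(
    [pscustomobject]@{ TargetUserName = 'alice@CORP.LOCAL'; ServiceName = 'svc_sql';      TicketEncryptionType = '0x12'; IpAddress = '10.0.0.15' }
    [pscustomobject]@{ TargetUserName = 'bob@CORP.LOCAL';   ServiceName = 'svc_sql';      TicketEncryptionType = '0x17'; IpAddress = '10.0.0.22' }
    [pscustomobject]@{ TargetUserName = 'bob@CORP.LOCAL';   ServiceName = 'svc_web';      TicketEncryptionType = '0x17'; IpAddress = '10.0.0.22' }
    [pscustomobject]@{ TargetUserName = 'bob@CORP.LOCAL';   ServiceName = 'svc_honeypot'; TicketEncryptionType = '0x17'; IpAddress = '10.0.0.22' }
)

# Expected: bob is flagged three times for RC4, once for the honeypot, and once as a burst.
Find-KerberoastIndicators -Events $SampleEvents -Honeypots @('svc_honeypot') | Format-Table -AutoSize

# On a domain controller the same function runs over real events once the
# "Audit Kerberos Service Ticket Operations" subcategory is enabled:
# $real = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } | ForEach-Object {
#     $d = ([xml]$_.ToXml()).Event.EventData.Data
#     [pscustomobject]@{
#         TargetUserName       = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#         ServiceName          = ($d | Where-Object Name -eq 'ServiceName').'#text'
#         TicketEncryptionType = ($d | Where-Object Name -eq 'TicketEncryptionType').'#text'
#         IpAddress            = ($d | Where-Object Name -eq 'IpAddress').'#text'
#     }
# }
# Find-KerberoastIndicators -Events $real -Honeypots @('svc_honeypot')
```

The honeypot rule is the highest-signal one: it needs no baseline, because the decoy account has no legitimate clients. The RC4 rule only works once the domain's service accounts actually issue AES tickets, otherwise every request is RC4 and the rule is noise.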

If an attacker is able to get access to the Kerberos service account (KRBTGT), they will be able to create golden tickets and have unrestricted access to the domain.


Prevention

Prevention is better than the cure. This can be accomplished in a few ways:
  • Limit the privileges of service accounts; a service account should not be a member of the Domain Admins group.
  • Use extremely long and complex passwords, I would suggest more than 30 characters, and change them routinely. Password hashes are cracked using long wordlists such as rockyou.txt.
  • Use AES encryption where possible; RC4 is the default for service accounts.
  • Use Group Managed Service Accounts (gMSA), which provide automatic password management for service accounts.
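An added example, not from the original post, that audits every SPN-bearing user account against the four prevention points above with the RSAT ActiveDirectory module on a domain-joined admin host. The privileged group list, the 365-day password age limit and the `svc_sql`/`svc_app`/`AppServers` names in the remediation comments are assumptions to adjust for your own domain.

```powershell
# Added example, not from the original post: report which service accounts violate
# the prevention advice (privileged membership, stale password, RC4 still allowed, no AES).
Import-Module ActiveDirectory

$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')  # assumption
$MaxPasswordAgeDays = 365                                                                          # assumption

# Bits of msDS-SupportedEncryptionTypes; an unset attribute means the RC4 default.
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

function Get-KerberoastExposure {
    # User objects that carry an SPN are the accounts a ticket can be requested for.
    $accounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, MemberOf, 'msDS-SupportedEncryptionTypes'

    foreach ($acct in $accounts) {
        $enc = $acct.'msDS-SupportedEncryptionTypes'
        # Direct membership only: nested membership needs Get-ADPrincipalGroupMembership
        # or a recursive walk. The CN is cut out of each group DN.
        $groups  = @($acct.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
        $ageDays = if ($acct.PasswordLastSet) { [int]((Get-Date) - $acct.PasswordLastSet).TotalDays } else { $null }

        [pscustomobject]@{
            Account          = $acct.SamAccountName
            SPNs             = ($acct.ServicePrincipalName -join ' ')
            PrivilegedMember = (@($groups | Where-Object { $PrivilegedGroups -contains $_ }) -join ',')
            PasswordAgeDays  = $ageDays
            StalePassword    = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
            RC4Allowed       = ($null -eq $enc) -or (($enc -band $RC4) -ne 0)
            AESEnabled       = ($null -ne $enc) -and (($enc -band ($AES128 -bor $AES256)) -ne 0)
        }
    }
}

Get-KerberoastExposure | Sort-Object PrivilegedMember, StalePassword -Descending | Format-Table -AutoSize

# gMSAs are separate objects and do not appear above; list them with:
#   Get-ADServiceAccount -Filter * -Properties ServicePrincipalName
#
# Remediation for the findings (ActiveDirectory cmdlets, names are placeholders):
# - AES only for an account:
#   Set-ADUser -Identity svc_sql -KerberosEncryptionType AES128,AES256
# - Replace a password-managed account with a gMSA (KDS root key once per forest):
#   Add-KdsRootKey -EffectiveImmediately
#   New-ADServiceAccount -Name svc_app -DNSHostName svc_app.corp.local `
#       -PrincipalsAllowedToRetrieveManagedPassword 'AppServers'
#   Set-ADServiceAccount -Identity svc_app -ServicePrincipalNames @{Add='HTTP/app.corp.local'}
```

Read the report from the top: an account that is both a privileged member and has RC4Allowed set is the worst case, because a single cracked ticket hands over the domain. Setting AES on the account is only half the fix; the password must also be changed afterwards, since the AES keys are derived from the password at the next change.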

Conclusion

Kerberoasting is a dangerous exploit that can easily be used by an attacker to escalate their privileges. Every time I am testing a machine in an Active Directory environment, I will try Kerberoasting every service account I can find.
