Active Directory (AD) remains a crucial backbone for enterprise IT environments, centralizing authentication and authorization for users and computers. However, Active Directory’s importance—coupled with its age and the technical debt it often accrues—makes it a primary target for cyberattacks. One common attack technique, called Kerberoasting, exploits the Kerberos authentication protocol and service principal names (SPNs). Here’s a closer look at how Kerberoasting works and how to defend against it.
What is Kerberoasting?
Kerberoasting is an attack technique that recovers the plaintext passwords of service accounts from Kerberos service tickets. It needs nothing more than an ordinary domain user account to start. Armed with the recovered credentials, attackers can gain an alarming ability to extensively compromise your network.
The foundation of Kerberoasting is that any authenticated user within an AD domain can request a service ticket for any registered SPN, and the domain controller issues it without checking whether the requester is allowed to use the service. Part of that ticket is encrypted with a key derived from the password of the service account that owns the SPN (the NT hash for RC4-HMAC tickets, a PBKDF2-derived key for AES tickets), so whoever holds the ticket can test password guesses against it offline.
In a typical Kerberoasting attack:
The attacker enumerates service accounts and their associated SPNs. Any domain user can query LDAP for user objects whose servicePrincipalName attribute is set, and PowerShell makes it easy to filter the results by SPN type. One of the most sought-after SPN types is MSSQLSvc, because SQL Server service accounts are often manually managed and over-privileged. Computer accounts also register SPNs, but their passwords are long and random, so attackers concentrate on user accounts.
After identifying the targets, the attacker requests a service ticket for each SPN. The domain controller issues the ticket regardless of whether the requester has any right to use the service. Where the account still permits it, the attacker explicitly asks for an RC4-HMAC ticket (encryption type 23), which is far cheaper to crack than AES. The encrypted part of each ticket is then exported in a format that offline cracking tools such as hashcat or John the Ripper accept.
The attacker then works offline: for each candidate password, the cracking tool derives the service account's Kerberos key from it, attempts to decrypt the ticket, and checks the integrity value. A match reveals the plaintext password. Nothing touches the domain during this phase, so there are no account lockouts and no failed-logon events to notice.
After recovering a password, the attacker can authenticate as the service account that owns the SPN.
The attacker uses the compromised accounts to gain unauthorized access to sensitive information, to perform lateral movement, or to carry out other malicious activities.
Because service accounts are often over-privileged, one cracked password frequently yields rights over further accounts or servers, and the attacker repeats the technique from a stronger position.
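The enumeration step above is the same query a defender should run to know the exposure before an attacker does. The following PowerShell is an added example and not code from the original article: it issues the LDAP filter that Kerberoasting tools use (user objects with an SPN, enabled, not krbtgt) and flags, for each account, whether RC4 tickets are still allowed, how old the password is, and whether the account is privileged. It assumes a domain-joined Windows host with line of sight to a domain controller; the 365-day rotation threshold is an assumed policy value, not one from the article.

```powershell
# Added example (not code from the original article): enumerate the user accounts a
# Kerberoasting attacker would target, using the same LDAP filter the attack tooling
# issues, and flag the properties that make each one easy or worthwhile to crack.
# Assumptions: run as any domain user on a domain-joined Windows host that can reach a
# domain controller; the rotation threshold below is an assumed policy value.

# Only user objects with an SPN matter: computer accounts also carry SPNs but have long
# random passwords, and krbtgt is skipped by the attack tools for the same reason.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              '(!(sAMAccountName=krbtgt)))'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = $ldapFilter
$searcher.PageSize = 1000                      # page results so large domains are not truncated
foreach ($attr in 'sAMAccountName', 'servicePrincipalName', 'pwdLastSet',
                  'adminCount', 'msDS-SupportedEncryptionTypes') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$RC4_HMAC   = 0x4      # bit in msDS-SupportedEncryptionTypes (AES128 = 0x8, AES256 = 0x10)
$maxAgeDays = 365      # assumed rotation policy; the article recommends at least yearly

$report = foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties                # attribute names come back lower-cased
    $etypes = 0
    if ($props['msds-supportedencryptiontypes'].Count -gt 0) {
        $etypes = [int]$props['msds-supportedencryptiontypes'][0]
    }
    $pwdSet  = [DateTime]::FromFileTime([int64]$props['pwdlastset'][0])
    $isAdmin = $props['admincount'].Count -gt 0 -and [int]$props['admincount'][0] -eq 1

    $findings = @()
    # 0 (unset) means the domain controller's default applies, which has historically
    # allowed RC4; attackers request an RC4 (etype 23) ticket whenever it is allowed
    # because it is far cheaper to crack than AES.
    if ($etypes -eq 0 -or ($etypes -band $RC4_HMAC)) { $findings += 'RC4 allowed' }
    if (((Get-Date) - $pwdSet).TotalDays -gt $maxAgeDays) { $findings += "password older than $maxAgeDays days" }
    if ($isAdmin) { $findings += 'adminCount=1 (member of a protected group)' }

    [pscustomobject]@{
        Account    = $props['samaccountname'][0]
        SPNs       = (@($props['serviceprincipalname']) -join '; ')
        PwdLastSet = $pwdSet.ToString('yyyy-MM-dd')
        EncTypes   = ('0x{0:X}' -f $etypes)
        Findings   = ($findings -join ', ')
    }
}

$report | Sort-Object Findings -Descending | Format-Table -AutoSize
```

Run it as a regular user rather than an administrator: what comes back is exactly what an attacker sees, because the query needs no special rights. Accounts that show both "RC4 allowed" and "adminCount=1" are the ones to fix first, since they are the cheapest to crack and the most valuable once cracked.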
What is Kerberos?
Kerberos is a network authentication protocol created to offer secure authentication for client-server applications, using secret-key cryptography. The protocol is the default authentication protocol in Active Directory and plays a crucial role in ensuring that users and services can trust one another in a network environment.
Kerberos uses tickets: encrypted data structures that authenticate users or services without repeatedly sending passwords across the network. These tickets serve as the backbone of the Kerberos authentication process.
Two kinds of tickets are involved, together with a session key that is sometimes mistaken for a third:
Ticket Granting Ticket (TGT): Issued after initial logon, this ticket authorizes the user to request service tickets from the Key Distribution Center (KDC), a role held by every domain controller.
Service ticket, also known as a Ticket Granting Service (TGS) ticket: Issued by the KDC in response to a request naming an SPN, this ticket allows the user to access that specific service.
Session key: Alongside each ticket, the KDC returns a session key, delivered to the client in a part of the reply encrypted with the client's own key. The client and the service use that key to authenticate each other and protect traffic for the duration of the session; it is not itself a ticket.
Tickets carry the user's identity and group memberships (in the PAC), validity times, the session key, and more. A ticket is encrypted with the long-term key of the party that will consume it, not of the party that requested it: the TGT with the krbtgt account's key, a service ticket with the service account's key. The client that requests a service ticket therefore holds ciphertext it cannot read, keyed to the service account's password, and that is exactly the material Kerberoasting attacks.
What are service principal names (SPNs)?
An SPN is a unique identifier for a service instance, associating that service with a specific service account in Active Directory. Service accounts in Active Directory are vital as they often run critical applications and services.
When a user or a service wants to access another service, it references the relevant SPN to request the necessary service ticket, which the target service then validates. SPNs include (but are not limited to):
Web services: A web server like IIS might use an SPN such as HTTP/webserver.domain.com to authenticate with AD.
SQL services: Microsoft SQL Server instances register an SPN such as MSSQLSvc/servername.domain.com:1433 to enable Kerberos authentication.
File services: A file server can have an SPN such as HOST/fileserver.domain.com. SPNs like this one are normally registered on the computer account, whose password is long, random, and rotated automatically, so they are not practical Kerberoasting targets; the attack focuses on SPNs owned by user accounts.
Custom applications: Enterprises often develop in-house applications that use AD for authentication. These applications might also register their SPNs.
What damage can Kerberoasting cause?
The risks posed by Kerberoasting are multifaceted. At its core, the attack leads to credential theft, putting sensitive service account credentials in the hands of adversaries.
What amplifies the threat is the permissions that service accounts might have. An attacker who cracks a high-privilege service account password can gain extensive access, opening doors to elevated privileges. Armed with these credentials, attackers can seamlessly move laterally within a network, accessing valuable data and resources.
Why is Kerberoasting such a popular attack?
Kerberoasting remains a common attack vector primarily because it can be challenging to identify and counteract.
Kerberos is engineered for both security and efficiency, but its strength hinges on the secrecy of the long-term keys that encrypt tickets. In Active Directory those keys are derived from account passwords. Kerberoasting does not steal a key; it exploits the fact that a service account with a weak, human-chosen password turns every ticket issued for that account into material that can be cracked offline, and the recovered password is the key.
Achieving a successful Kerberoasting exploit on a Kerberos-dependent enterprise network might grant the attacker access to an expansive array of confidential data and tools. This explains why attackers are willing to put a lot of effort into Kerberoasting attempts.
Kerberoasting also leaves a light footprint. The only interaction with the domain is an ordinary service ticket request to a domain controller, indistinguishable on its own from what every client does many times a day; the attacker never contacts the target service, and the password cracking happens entirely offline on the attacker's own hardware. This stealth makes Kerberoasting difficult for security teams to spot and thwart in its early stages.
How can you defend against Kerberoasting?
Mitigating the risks posed by Kerberoasting involves several steps:
Fortify service account passwords. Passwords should be unique, random, and longer than 25 characters, so that cracking a captured ticket is infeasible. Change them at least once per year. Where the service and its clients support it, also restrict the account to AES (Kerberos encryption types AES128 and AES256 in the account's properties) so that the KDC will not issue RC4 tickets, which crack far faster than AES ones; reset the password afterwards if it was last set before AES was available in the domain, because AES keys are generated only when the password is set.
If the relevant service supports it, use group managed service accounts (gMSAs). The domain generates a long random password for a gMSA and rotates it automatically (every 30 days by default), which eliminates manual password management, eases administrative overhead, and leaves nothing for an attacker to crack.
Optimize Kerberos policy settings in the organization's Group Policy (GPO): enforce user logon restrictions, configure the maximum service ticket lifetime, and configure the maximum tolerance for computer clock synchronization. These settings limit how long a ticket stays usable; they do not stop offline cracking of a ticket that has already been captured.
Monitor Active Directory for anomalies such as abnormal or frequent service ticket requests. Domain controllers record every request as Security event ID 4769, including the requesting user, the service account that owns the SPN, and the ticket encryption type. One user requesting tickets for many different service accounts in a short period, or requesting RC4 tickets (encryption type 0x17) in a domain that otherwise uses AES, is a strong indicator of Kerberoasting in progress.
Adopt the principle of least privilege for service accounts. By limiting rights and permissions, you can minimize potential damage if an account is compromised.
Another emerging defense against Kerberoasting is the deployment and monitoring of honey tokens. Essentially, these tokens are decoy accounts equipped with SPNs, left as bait for attackers. Because these accounts are fake and have no legitimate purpose, any activity surrounding them is a clear sign of malicious intent. With proper monitoring, they can alert your security team to a potential Kerberoasting attack, enabling you to defend against it and minimize any damage.
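The password and gMSA advice above, as an added PowerShell example that is not code from the original article: it moves a SQL Server SPN from a user-based service account to a gMSA, and hardens a legacy account that cannot move yet by restricting it to AES and resetting it to a random password. It uses the ActiveDirectory module from RSAT and needs Domain Admin rights; the host name sql01.corp.example, the computer account SQL01$, and the account names gmsa-sql01, svc-sql and svc-report are placeholders.

```powershell
# Added example (not code from the original article): replace a Kerberoastable user
# service account with a group managed service account and restrict a legacy account
# that cannot move yet to AES with a random password. Uses the ActiveDirectory module
# (RSAT) and requires Domain Admin rights; all names and hosts are assumed placeholders.
Import-Module ActiveDirectory

$sqlHost    = 'sql01.corp.example'          # assumed service host
$sqlSpn     = "MSSQLSvc/${sqlHost}:1433"    # braces keep the ':' out of the variable name
$oldAccount = 'svc-sql'                     # assumed legacy user-based service account

# 1. A KDS root key must exist once per forest before any gMSA can be created.
#    It becomes usable only after it has replicated to all domain controllers.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 2. Create the gMSA. The domain generates a long random password and rotates it every
#    30 days by default, so a captured ticket cannot be cracked. Only the computers
#    listed may retrieve the password.
New-ADServiceAccount -Name 'gmsa-sql01' -DNSHostName $sqlHost `
    -ServicePrincipalNames $sqlSpn `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL01$' `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# 3. Take the SPN away from the old account so the KDC stops issuing tickets keyed to its
#    password. Do this last: on SQL01 first run Install-ADServiceAccount gmsa-sql01 and
#    switch the SQL Server service logon to CORP\gmsa-sql01$.
Set-ADUser -Identity $oldAccount -ServicePrincipalNames @{ Remove = $sqlSpn }

# 4. For a user-based service account that must remain for now: allow only AES tickets
#    and reset the password to a long random value. AES keys are derived from the
#    password when it is set, so the reset makes sure they exist; store the new password
#    wherever the service keeps it before restarting the service.
$legacy = 'svc-report'                       # assumed
$bytes  = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)          # 64 random characters
Set-ADUser -Identity $legacy -KerberosEncryptionType AES128, AES256
Set-ADAccountPassword -Identity $legacy -Reset `
    -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
```

Before restricting any account to AES, confirm that the service and every client that authenticates to it support AES; an account limited to AES whose callers can only do RC4 fails with an unsupported-encryption-type error rather than falling back.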
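The monitoring and honey-token advice above, as one added PowerShell hunt that is not code from the original article: it reads event ID 4769 from a domain controller's Security log and raises two signals, any ticket request for a decoy account, and one requester collecting RC4 tickets for many distinct service accounts inside a short window. It assumes it is run on a domain controller (or against forwarded events) with rights to read the Security log; the decoy account name svc-backup-legacy, the 10-minute window and the threshold of 5 are placeholders to tune.

```powershell
# Added example (not code from the original article): hunt for Kerberoasting in a domain
# controller's Security log using event 4769 ("A Kerberos service ticket was requested").
# Assumptions: run on a DC, or against forwarded events, with rights to read the Security
# log; the decoy account names, time window and threshold are placeholders to tune.

$honeyAccounts = @('svc-backup-legacy')   # assumed names of the decoy SPN accounts you planted
$window        = [TimeSpan]::FromMinutes(10)
$spnThreshold  = 5                        # distinct service accounts per requester per window
$lookback      = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $lookback }

$requests = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['Status'] -ne '0x0') { continue }                 # keep only tickets the KDC issued
    $svc = $data['ServiceName']
    if ($svc.EndsWith('$') -or $svc -eq 'krbtgt') { continue }  # machine accounts are not roastable
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Requester = $data['TargetUserName']                     # user@REALM that asked for the ticket
        ClientIp  = $data['IpAddress']
        Service   = $svc                                        # account that owns the requested SPN
        EncType   = $data['TicketEncryptionType']               # 0x17 = RC4-HMAC, 0x12 = AES256
    }
}

# Signal 1: any ticket at all for a decoy account. Nothing legitimate uses it, so a
# single event is enough to alert on.
foreach ($r in ($requests | Where-Object { $honeyAccounts -contains $_.Service })) {
    Write-Warning "Honey SPN account $($r.Service) requested by $($r.Requester) from $($r.ClientIp) at $($r.Time)"
}

# Signal 2: one requester collecting RC4 tickets for many different service accounts
# within a short window, which is what Kerberoasting tooling does by default.
$requests | Where-Object { $_.EncType -eq '0x17' } |
    Group-Object { '{0}|{1}' -f $_.Requester, [math]::Floor($_.Time.Ticks / $window.Ticks) } |
    ForEach-Object {
        $distinct = @($_.Group.Service | Sort-Object -Unique).Count
        if ($distinct -ge $spnThreshold) {
            $first = $_.Group | Sort-Object Time | Select-Object -First 1
            Write-Warning ("{0} requested RC4 tickets for {1} service accounts within {2} minutes starting {3} (client {4})" -f
                $first.Requester, $distinct, $window.TotalMinutes, $first.Time, $first.ClientIp)
        }
    }
```

Once the domain's service accounts are AES-only, the second rule can drop the threshold to one: any 0x17 ticket for a user-owned SPN is then worth a look. The fixed-size time buckets keep the script simple; a burst that straddles a bucket boundary can be split, so in a SIEM rule use a sliding window over the same fields.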
How Semperis can help you fight Kerberoasting
The evolving cyber-threat landscape demands tools that can keep pace. Advanced threat detection solutions like Semperis Directory Services Protector (DSP) can actively monitor, detect, and raise alerts for patterns consistent with Kerberoasting and other Active Directory–based attacks. Employing such tools amplifies your defense, making your AD environment more resilient against breaches.
Kerberoasting is a potent attack technique. However, you can effectively counter it with the right knowledge and tools. By understanding its mechanics, remaining vigilant, and deploying advanced security measures, enterprises can safeguard their Active Directory environments and the treasure trove of data to which they hold the keys.