Active Directory Attacks with Kerberoasting
Kerberoasting is a method of stealing encrypted Kerberos tickets for valid service accounts in Active Directory, then cracking them to obtain the clear-text passwords of those service accounts. Originally discovered by Tim Medin of Red Siege, Kerberoasting is a sub-technique of Stealing Kerberos Tickets and is tracked in MITRE ATT&CK as T1558.003. In this post, Tim Medin explains how Kerberoasting works during UniCon and also releases a Kerberoast module in the SCYTHE Marketplace to enable SCYTHE operators to seamlessly Kerberoast from within SCYTHE.
What is Kerberoasting?
Kerberoasting leverages how Active Directory and Kerberos function. This is an example of “it’s not a vulnerability, it is a feature”. In particular, Kerberoasting leverages how Service Principal Names obtain credentials from Active Directory service accounts. Service Principal Names (SPNs) are used to identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account. Any domain user can request a service ticket from the domain controller. Portions of the ticket, including the credentials, are encrypted with RC4 and can therefore be cracked offline:
- Discovered by Tim Medin of Red Siege
- Any domain user can request a service ticket
- A portion of the ticket is encrypted using the service’s password hash
- Account to service mapping information can be obtained by requesting a list of Service Principal Names (SPN) from Active Directory
- No need to interact with the service
- Service does not need to exist, just account
- Effective for old, defunct service accounts
- Many old service accounts have passwords that never expire
- SCYTHE Kerberoast module can be used to extract the requested tickets
- Hashes are crackable via Hashcat
Who better to explain Kerberoasting than Tim Medin at our user conference, UniCon?
For more on Kerberoasting, check out the original slide deck presented by Tim upon original discovery and release at SANS HackFest.
Kerberoast in SCYTHE Marketplace
- Load the Python3 runtime module
- Load the Kerberoast module
- Add Custom Actions based on what the operator would like to do:
  - redsiege.kerberoast -discover
  - redsiege.kerberoast -display
- Run the output through a password cracker like Hashcat.
As mentioned, any SCYTHE customer can be onboarded to the SCYTHE Marketplace to download the Kerberoast or any other module. Installation is a simple upload and you will have expanded your Active Directory testing capabilities for your campaigns.
Defending against Kerberoasting
This is one of those times where we have to say “it isn’t a vulnerability, it is a feature”. Requesting Service Principal Names is just how the Kerberos protocol works to authenticate. Therefore, the preventive methods focus solely on the encryption type and length of the password. If the password cannot be cracked, you should be safe from this attack. There are methods to detect when someone is requesting a bunch of SPNs. Tim Medin and Red Siege recently published this post on various other methods to catch adversaries performing Kerberoasting.
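One way to detect an account requesting a bunch of SPNs, as an added example (not SCYTHE's or Red Siege's code): count the distinct RC4-encrypted service tickets each account requests within a time window, using fields from Windows Security event 4769. The sample events, account names, the `make_event` helper, the 5-minute window and the threshold of 5 are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

def flag_spn_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Map each account to the most distinct RC4 service tickets it requested
    inside one window, keeping only accounts that reach the threshold."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["Status"] != "0x0":
            continue  # only successful service ticket requests
        if ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue  # AES tickets are not counted here
        svc = ev["ServiceName"].lower()
        if svc.endswith("$") or svc == "krbtgt":
            continue  # skip computer accounts and krbtgt
        ts = datetime.fromisoformat(ev["TimeCreated"])
        per_account[ev["TargetUserName"].lower()].append((ts, svc))
    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        start = best = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1  # slide the window start forward
            best = max(best, len({s for _, s in reqs[start:end + 1]}))
        if best >= threshold:
            flagged[account] = best
    return flagged

def make_event(time, user, service, etype="0x17", status="0x0"):
    """Build one constructed event with the 4769 fields used above."""
    return {"EventID": 4769, "TimeCreated": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": status}

# Constructed sample data: not real logs.
SAMPLE_EVENTS = (
    # one user requesting six different service accounts within six seconds
    [make_event(f"2024-01-01T09:00:{i:02d}", "jdoe@EXAMPLE.LOCAL", f"svc_app{i}") for i in range(6)]
    # ordinary traffic: an AES ticket, a computer account, one service reused
    + [make_event("2024-01-01T09:01:00", "asmith@EXAMPLE.LOCAL", "svc_sql", etype="0x12"),
       make_event("2024-01-01T09:02:00", "asmith@EXAMPLE.LOCAL", "FILESRV01$"),
       make_event("2024-01-01T09:03:00", "asmith@EXAMPLE.LOCAL", "svc_web"),
       make_event("2024-01-01T09:04:00", "asmith@EXAMPLE.LOCAL", "svc_web")]
)

if __name__ == "__main__":
    for account, count in flag_spn_bursts(SAMPLE_EVENTS).items():
        print(f"{account}: {count} distinct RC4 service tickets within 5 minutes")
```

The window and threshold need tuning against a baseline of normal ticket traffic in the environment before alerting on the result.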