Kerberoasting is a method of stealing encrypted Kerberos service tickets for valid service accounts in Active Directory, then cracking them offline to recover the clear-text passwords of those service accounts. Originally discovered by Tim Medin of Red Siege, Kerberoasting is a sub-technique of Steal or Forge Kerberos Tickets and is tracked in MITRE ATT&CK as T1558.003. In this post, Tim Medin explains how Kerberoasting works in his UniCon talk, and we also release a Kerberoast module in the SCYTHE Marketplace so that SCYTHE operators can Kerberoast seamlessly from within SCYTHE.
Kerberoasting leverages how Active Directory and Kerberos function; it is an example of "it's not a vulnerability, it is a feature". In particular, Kerberoasting leverages the link between Service Principal Names and the Active Directory service accounts whose credentials protect their tickets. Service Principal Names (SPNs) are used to identify each instance of a Windows service. To enable authentication, Kerberos requires that each SPN be associated with at least one service logon account. Any domain user can request a service ticket for any SPN from the domain controller. Portions of that ticket are encrypted with RC4 using the service account's credentials, so the ticket can be taken away and cracked offline.
Who better to explain Kerberoasting than Tim Medin at our user conference, UniCon.
For more on Kerberoasting, check out the original slide deck presented by Tim upon original discovery and release at SANS HackFest.
SCYTHE users can visit the SCYTHE Marketplace to download and install the Kerberoast module. Once installed, create a new campaign and select:
As mentioned, any SCYTHE customer can be onboarded to the SCYTHE Marketplace to download the Kerberoast or any other module. Installation is a simple upload and you will have expanded your Active Directory testing capabilities for your campaigns.
This is one of those times where we have to say "it isn't a vulnerability, it is a feature". Requesting service tickets for Service Principal Names is simply how the Kerberos protocol authenticates. Therefore, the preventive methods focus solely on the encryption type of the ticket and the length of the service account password: if the password cannot be cracked, you should be safe from this attack. On the detection side, there are methods to spot one account requesting service tickets for an unusually large number of SPNs. Tim Medin and Red Siege recently published this post on various other methods to catch adversaries performing Kerberoasting.
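As an added example (this is not code from the post, from SCYTHE or from Red Siege), the script below turns the two defensive points above into detection logic over Windows Security event 4769 ("A Kerberos service ticket was requested") records: it reports every successful service ticket issued with RC4-HMAC (TicketEncryptionType 0x17), which is the crackable case described earlier, and it reports any account that requests tickets for many distinct SPNs within a short window. The field names (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress) are those of the real 4769 event; the one-line `key=value` layout, the sample records, the five-minute window and the threshold of five SPNs are assumptions made for this example.

```python
"""Flag Kerberoasting indicators in Windows Security event 4769 records.

Added example, not code from the post or from SCYTHE/Red Siege. Two checks:
  1. A service ticket issued with RC4-HMAC (TicketEncryptionType 0x17) for a
     user-managed service account can be cracked offline, so each such event
     is reported; AES tickets (0x11 / 0x12) are not.
  2. One account requesting tickets for many distinct SPNs in a short window
     is the classic Kerberoasting burst and is reported per account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23: ticket encrypted with the RC4 key, crackable offline

# Constructed sample records, one 4769 event per line as "timestamp eventid k=v ...".
# The field names match the 4769 event XML; the line layout is an assumption made
# for this example, not a Windows export format. jsmith requests six different
# SPNs in four seconds, the burst a Kerberoasting tool produces.
SAMPLE_4769 = """\
2024-05-01T10:00:01Z 4769 TargetUserName=alice@CORP.LOCAL ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.21
2024-05-01T10:00:05Z 4769 TargetUserName=WS01$@CORP.LOCAL ServiceName=cifs/fs01.corp.local TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.31
2024-05-01T10:02:10Z 4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=MSSQLSvc/sql01.corp.local:1433 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.55
2024-05-01T10:02:11Z 4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=MSSQLSvc/sql02.corp.local:1433 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.55
2024-05-01T10:02:11Z 4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=HTTP/intranet.corp.local TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.55
2024-05-01T10:02:12Z 4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=ldap/svc-ldap.corp.local TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.55
2024-05-01T10:02:13Z 4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=exchangeMDB/mail01.corp.local TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.55
2024-05-01T10:02:14Z 4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=ftp/files01.corp.local TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.55
2024-05-01T10:30:00Z 4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt/CORP.LOCAL TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.40
"""


def parse_event(line):
    """Parse one constructed record into a dict; the etype becomes an int."""
    ts, event_id, *fields = line.split()
    rec = {"TimeCreated": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
           "EventID": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["TicketEncryptionType"] = int(rec["TicketEncryptionType"], 16)
    return rec


def load_events(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def is_roastable_request(e):
    """Successful 4769 for a user-managed service. Computer accounts ($) have
    long random passwords and krbtgt tickets are TGT renewals, so both are
    dropped to cut noise."""
    account = e["TargetUserName"].split("@")[0]
    return (e["EventID"] == 4769
            and e["Status"] == "0x0"
            and not account.endswith("$")
            and not e["ServiceName"].lower().startswith("krbtgt"))


def flag_rc4_tickets(events):
    """Check 1: every RC4-encrypted service ticket handed to a user account."""
    return [(e["TargetUserName"], e["ServiceName"], e["IpAddress"])
            for e in events
            if is_roastable_request(e) and e["TicketEncryptionType"] == RC4_HMAC]


def flag_spn_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Check 2: accounts that requested >= threshold distinct SPNs inside any
    sliding window of the given length. Returns {account: set_of_spns}."""
    by_user = defaultdict(list)
    for e in events:
        if is_roastable_request(e):
            by_user[e["TargetUserName"]].append((e["TimeCreated"], e["ServiceName"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        in_window = defaultdict(int)  # spn -> occurrences inside the window
        left, best = 0, set()
        for t, spn in reqs:
            in_window[spn] += 1
            while reqs[left][0] < t - window:  # slide the left edge forward
                old = reqs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold and len(in_window) > len(best):
                best = set(in_window)
        if best:
            hits[user] = best
    return hits


if __name__ == "__main__":
    events = load_events(SAMPLE_4769)
    for user, spn, ip in flag_rc4_tickets(events):
        print(f"RC4 service ticket: {user} -> {spn} from {ip}")
    for user, spns in flag_spn_bursts(events).items():
        print(f"SPN burst: {user} requested {len(spns)} distinct SPNs")
```

In the sample, the machine account's RC4 ticket and bob's krbtgt renewal are deliberately ignored, alice's AES ticket passes both checks, and jsmith is reported six times by the first check and once by the second. In a real environment the second check is the more robust one: once service accounts are moved to AES-only (msDS-SupportedEncryptionTypes), the RC4 check goes quiet, but a burst of ticket requests for many SPNs from one user still stands out.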
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.