The Kerberos authentication process involves a series of steps to verify the identity of users or services requesting access to a network. It includes ticket requests, validation, and the secure exchange of keys to ensure the integrity of the communication.
Kerberos distributes keys using a trusted third-party entity known as the Key Distribution Center (KDC). The KDC securely shares session keys between the client and the server, preventing unauthorized entities from gaining access.
A Kerberos Golden Ticket is a powerful and potentially malicious artifact that can be generated by exploiting vulnerabilities in the Kerberos authentication system. In the context of cybersecurity, a Golden Ticket refers to a forged Ticket Granting Ticket (TGT) that grants an attacker long-term and unrestricted access to a network.
Using either a forged Ticket Granting Ticket (TGT, or Golden Ticket) or a compromised account, the attacker can request access to a service (SPN) on the network. This service is associated with a high-privilege service account, for example a SQL service account. The Key Distribution Center (KDC) will issue a service ticket, which is encrypted with a key derived from the service account's password. The attacker can then convert this service ticket to a hash which can be exported to Hashcat or John the Ripper and proceed to crack the password offline. This attack relies on poor password hygiene for service accounts, reuse of passwords across service accounts, non-expiry of passwords for service accounts, and even non-removal of old SPN entries in Active Directory.
To hunt for potential evidence of Kerberoasting on your network, a good starting point is Vectra Recall's Kerberoasting Dashboard. This dashboard monitors for ticket responses with weak ciphers (RC4) that can potentially be cracked offline. Typically, the usage of weak ciphers should be minimal within your environment; as with any example here, it is possible that your environment has a large number of Kerberos RC4 requests, which would make this dashboard less effective.
When you look at this dashboard, you'll see a top chart showing all users of the weak RC4 cipher. Ideally this chart is empty, because no one in your org is using this weak cipher, but it may also look like this. It's safe to say that these Kerberos transactions are all from legitimate business cases, so you should hide these instances from the chart by clicking on the "–" icon beside each IP in the legend.
After hiding the most commonly occurring servers, you should see a chart like the one below with a clear outlier that warrants investigation.
Click on this server IP and then on the "+" icon to focus only on it. At the bottom of the dashboard you will quickly see the clients making requests to this server; if a single client has made a large number of requests against it, pivot into other metadata sources such as LDAP and RPC to determine whether any other suspicious activity was occurring around the same timeframe.
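The hunting steps above (count RC4 service-ticket requests per server, hide the servers with known-legitimate RC4 use, then list the clients hammering the remaining outlier) can be reproduced over exported Kerberos metadata. The script below is an added example, not code from the original post or from Vectra Recall; it assumes a tab-separated record layout (ts, client_ip, server_ip, request_type, service, cipher) and uses constructed sample rows.

```python
from collections import Counter, defaultdict

FIELDS = ("ts", "client_ip", "server_ip", "request_type", "service", "cipher")

# Constructed sample metadata (not real data): 10.0.0.9 is a legacy server with
# routine RC4 use spread over several clients, while 10.0.0.7 sees a burst of
# RC4 service-ticket requests for many different SPNs from a single client.
SAMPLE_LOG = "\n".join(
    [f"1700000{i:03d}\t10.0.1.{i % 5 + 1}\t10.0.0.9\tTGS\tHTTP/legacy.corp.local\trc4-hmac"
     for i in range(20)]
    + [f"1700001{i:03d}\t10.0.1.{i}\t10.0.0.7\tTGS\tMSSQLSvc/sql01.corp.local\taes256-cts-hmac-sha1-96"
       for i in range(1, 4)]
    + [f"1700002{i:03d}\t10.0.1.42\t10.0.0.7\tTGS\tsvc{i:02d}/app.corp.local\trc4-hmac"
       for i in range(12)]
)

def parse_log(text):
    """Parse tab-separated records into dicts, skipping blank, comment and malformed rows."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records

def rc4_tgs(records, hidden=frozenset()):
    """RC4 service-ticket requests, minus servers already hidden as known-legitimate."""
    return [r for r in records
            if r["request_type"] == "TGS" and r["cipher"] == "rc4-hmac"
            and r["server_ip"] not in hidden]

def rc4_by_server(records, hidden=frozenset()):
    """Per-server RC4 ticket counts: the top chart after clicking "-" on baseline servers."""
    return Counter(r["server_ip"] for r in rc4_tgs(records, hidden))

def noisy_clients(records, server_ip, threshold=10):
    """Clients with >= threshold RC4 requests to server_ip, with the number of distinct
    SPNs each asked for; one host requesting many SPNs is the pattern worth pivoting on."""
    counts, spns = Counter(), defaultdict(set)
    for r in rc4_tgs(records):
        if r["server_ip"] == server_ip:
            counts[r["client_ip"]] += 1
            spns[r["client_ip"]].add(r["service"])
    return sorted(((c, n, len(spns[c])) for c, n in counts.items() if n >= threshold),
                  key=lambda t: -t[1])
```

Run `rc4_by_server(parse_log(SAMPLE_LOG))` to see the legacy server dominate, hide it by passing its IP in `hidden`, and then call `noisy_clients` on the server that remains on top.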
More information on our detections related to Kerberoasting:
Protecting your network against Kerberoasting requires a combination of strong password policies, vigilant monitoring, and ongoing education. Vectra AI provides advanced security solutions that can help detect suspicious activities indicative of Kerberoasting and other credential theft techniques. Contact us to strengthen your defenses and ensure the integrity of your authentication protocols and service accounts.