What is the Kerberos protocol?
The Kerberos protocol is a computer network authentication protocol that uses tickets to enable nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It consists of three main components: the client, the server, and the Key Distribution Center (KDC). The primary goal of Kerberos is to eliminate the need to send passwords over the network, thereby protecting credentials from eavesdropping and replay attacks.
Kerberos uses symmetric key cryptography and requires a trusted third party to vouch for the identities of clients and servers. When a user logs in, they receive a ticket-granting ticket (TGT) from the KDC, which is used to obtain service tickets for specific resources. These tickets ensure that passwords are never transmitted over the network after the initial authentication, significantly reducing the risk of credential theft.
How Does Kerberoasting Work?
A Kerberoasting attack typically involves a series of steps that an attacker follows to compromise service accounts within a network. These steps include:
1) Compromising a user account.
The attack begins with the attacker obtaining access to a standard user account within the target network. This can be achieved through various methods such as phishing, exploiting vulnerabilities, or using previously stolen credentials. With access to a legitimate user account, the attacker can interact with the domain’s Kerberos authentication infrastructure.
2) Identifying high-value targets.
Once inside the network, the attacker identifies service accounts with elevated privileges that they wish to target. These accounts often have access to critical systems and data, making them valuable targets. The attacker uses various reconnaissance techniques to find these accounts, such as querying the domain controller for service principal names (SPNs) associated with these accounts.
3) Extracting tickets.
The attacker then requests service tickets (TGS tickets) for the identified high-value service accounts. These tickets, which are encrypted with the service account’s password hash, are legitimate responses from the Kerberos Key Distribution Center (KDC) and provide the attacker with the necessary data to proceed to the next step.
4) Cracking passwords.
With the TGS tickets in hand, the attacker extracts the encrypted portion of each ticket, which is encrypted with the service account’s NTLM hash. They then use offline techniques to recover the password from it. This typically involves using specialized software to perform brute-force or dictionary attacks until a guessed password reproduces the ticket’s encryption, revealing the plaintext password.
5) Using the compromised passwords.
Once the attacker successfully cracks the password, they can use the credentials to access the service account and its associated resources. This access can lead to further exploitation, privilege escalation, and lateral movement within the network.
Why Are Kerberoasting Attacks So Common?
Kerberoasting attacks are relatively common due to several factors inherent in the Kerberos authentication protocol and the typical configurations of enterprise environments. One primary reason is the reliance on service accounts with elevated privileges. These accounts often use weak or reused passwords, making them attractive targets for attackers. When service accounts are compromised, they can grant an attacker extensive access to critical systems and data.
Another contributing factor is that Kerberos service tickets (TGS tickets) are relatively easy to obtain once an attacker has compromised a user account. Attackers can request TGS tickets for high-value targets such as service accounts without raising significant suspicion. The tickets contain data encrypted with the service account’s NTLM hash, which attackers can then attempt to crack offline using various techniques. The offline nature of the attack allows attackers to work undetected over an extended period, increasing their chances of success.
In addition, many organizations lack sufficient monitoring and detection capabilities to identify and effectively respond to Kerberoasting attempts. The attack leverages legitimate Kerberos functionality, which can make it challenging to distinguish malicious activity from normal operations.
What Are Some Real-World Examples Of Kerberoasting Attacks?
Kerberoasting has been observed in several high-profile cyber incidents, often forming a critical part of larger attack campaigns. One example involves the attack on the U.S. Office of Personnel Management (OPM) in 2014. Attackers used Kerberoasting as part of their strategy to gain access to sensitive data, including personal records of millions of current and former federal employees. The attackers leveraged compromised user accounts to request service tickets, which they then cracked offline to obtain elevated credentials.
Another significant example is the attack on Norsk Hydro, a major Norwegian aluminum producer, in 2019. The attackers used Kerberoasting techniques to compromise service accounts within the company’s Active Directory environment. This allowed them to escalate privileges and move laterally across the network, and then deploy ransomware that disrupted the company’s operations.
In addition to these high-profile cases, Kerberoasting is frequently employed in more targeted and less publicized attacks.
How Can An Organization Prevent Kerberoasting Attacks?
To protect identities and mitigate the risk of Kerberoasting attacks, organizations can deploy a combination of solutions, policies, and best practices that strengthen their security posture.
1) Deploying an Identity and Access Management (IAM) solution
IAM helps ensure that only authorized users have access to specific resources by enforcing strong authentication mechanisms, such as multi-factor authentication (MFA), and regularly auditing access controls. By verifying user identities more rigorously, IAM reduces the likelihood of compromised credentials being used in Kerberoasting attacks.
2) Implementing Privileged Access Management (PAM)
PAM solutions focus on securing, managing, and monitoring privileged accounts, which are often targeted in Kerberoasting attacks. By enforcing strict policies such as rotating privileged account passwords, using temporary access instead of permanent credentials, and implementing session monitoring, PAM significantly minimizes the attack surface and the potential impact of a compromised service account.
3) Applying the Principle of Least Privilege
Organizations should adhere to the Principle of Least Privilege, ensuring that users and accounts only have the minimum necessary permissions to perform their tasks. This reduces the number of high-value targets available to attackers and limits the damage if an account is compromised. Regularly reviewing and adjusting access permissions based on role changes is essential to maintaining this principle.
4) Monitoring Kerberos authentication activity
Monitoring Kerberos authentication activity is crucial for early detection of suspicious behavior that may be indicative of a Kerberoasting attack. Organizations should use SIEM tools to analyze authentication logs for anomalies, such as unusual ticket requests or access patterns.
5) Deploying honeytokens
Honeytokens are deception service accounts designed to lure attackers; they act as tripwires that detect attacker activity. Because no legitimate process ever uses a honeytoken account, an alert generated by one is a high-fidelity indicator of an attacker’s presence in the network, and preconfigured response actions can be triggered in response to such an alert.
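The monitoring and honeytoken controls in points 4 and 5 can be expressed as simple detection logic over Windows Security Event ID 4769 (TGS request) records. The following is an added example, not Acalvio’s or any product’s code; the event records, the honeytoken account name "backup-svc-dec", the five-minute window and the threshold of three SPNs are all constructed assumptions. It flags any ticket request for a honeytoken account and any user who requests RC4-HMAC (encryption type 0x17) tickets for several distinct service accounts in a short window, the pattern Kerberoasting tooling tends to leave behind.

```python
"""Toy Kerberoasting detector over Windows Security Event ID 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each mirrors the 4769 fields
# Account Name, Service Name, Ticket Encryption Type, Client Address.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "user": "alice", "service": "sql-svc", "etype": 0x17, "ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:07", "user": "alice", "service": "web-svc", "etype": 0x17, "ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:12", "user": "alice", "service": "backup-svc-dec", "etype": 0x17, "ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:30", "user": "alice", "service": "WS01$", "etype": 0x17, "ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:15:00", "user": "bob", "service": "sql-svc", "etype": 0x12, "ip": "10.0.0.9"},
    {"ts": "2024-05-01T09:16:00", "user": "bob", "service": "krbtgt", "etype": 0x12, "ip": "10.0.0.9"},
]

HONEYTOKEN_ACCOUNTS = {"backup-svc-dec"}  # assumed deception account name
RC4_HMAC = 0x17                            # ticket encryption type favoured for offline cracking
WINDOW = timedelta(minutes=5)
SPN_THRESHOLD = 3                          # distinct RC4 SPNs per user before alerting


def detect(events, honeytokens=HONEYTOKEN_ACCOUNTS, window=WINDOW, threshold=SPN_THRESHOLD):
    """Return a list of (alert_type, user, detail) tuples for suspicious 4769 activity."""
    alerts = []
    rc4_requests = defaultdict(list)  # user -> [(timestamp, service)]
    for e in events:
        service = e["service"]
        # Machine accounts (trailing $) and the krbtgt TGT service are routine noise.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        # Any request for a honeytoken account is a high-fidelity tripwire hit.
        if service in honeytokens:
            alerts.append(("honeytoken", e["user"], service))
        if e["etype"] == RC4_HMAC:
            rc4_requests[e["user"]].append((datetime.fromisoformat(e["ts"]), service))
    # Burst check: many distinct RC4 service tickets for one user inside the window.
    for user, reqs in rc4_requests.items():
        reqs.sort()
        for start, _ in reqs:
            spns = {s for t, s in reqs if start <= t <= start + window}
            if len(spns) >= threshold:
                alerts.append(("rc4_burst", user, sorted(spns)))
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic would read 4769 events from the SIEM and the honeytoken list from the deception platform; tune the window and threshold to the baseline of the environment, since some legitimate applications request several tickets at logon.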
How Does Acalvio Empower Enterprises To Defend Against Kerberoasting Attacks?
Deception technology powered by Acalvio is a very effective method of detecting and responding to Kerberoasting attacks. Identity deceptions provided by Acalvio mimic actual user and service accounts in identity repositories. These deceptions are designed to blend in with real identities while being given properties that make them attractive to attackers. For example, deceptions that mimic Kerberoastable service accounts can lure an attacker and provide an early, high-fidelity alert to the SOC team about the Kerberoasting attempt. These deceptions also serve to deflect the attacker away from the actual service accounts used in the organization.
Acalvio provides Defense in Depth by strengthening an organization’s defenses, such as IAM and PAM, against identity attacks. Acalvio integrates with security solutions, such as EDR, SIEM, and SOAR, to act against active and latent threats in the network. When an attempt to use an identity deception is detected, in addition to sending notifications to the SOC team, response actions configured in Acalvio are carried out against the threat.