In today’s guide, we’ll start our journey by reviewing Kerberos, examining its pitfalls, and going into detail about why its legacy cryptography exposed critical weaknesses that let attackers extract service account credentials with relatively little effort.
Keep reading if you want to understand what Kerberoasting is and why it is possible, along with real-life examples and both detection and mitigation measures.
What is Kerberoasting?
The narrative around Kerberoasting is quite simple: it is a hacking technique that has stood the test of time because it goes almost unnoticed, abusing the very mechanism (service ticket encryption) that is meant to protect the credentials it covertly seeks to obtain.
Kerberoasting belongs to the post-exploitation, or post-compromise, phase of an attack, the phase that focuses on gaining greater access to additional targets through privilege escalation and lateral movement.
Kerberoasting can be carried out with any number of tools and native OS applications as common as PowerShell, so logging and monitoring the use of these resources is essential for any defender to have a fighting chance against it.
At a high level, Kerberoasting lets an attacker who controls any non-privileged domain user request TGS (service) tickets for accounts that have SPN attributes set. Each ticket is encrypted with a key derived from the service account’s password (under RC4, its NTLM hash), so the attacker can pull the tickets from memory and attempt to crack them offline to recover the plaintext password of that service account.
- As explained, the attack does not require any special privileges or administrative rights in the domain. Any domain-joined machine can be used to request the tickets, and the cracking itself happens offline, without further interaction with domain controllers or directory services.
- The impersonation aspect comes from the unconstrained delegation ability of certain computer accounts, which lets them use other accounts’ credentials to access resources on behalf of those users.
- The offline nature of the password cracking is an attractive proposition, especially when the extent of the active defenses in place has yet to be determined, or when stealth and covert action are a must.
Examples of Kerberoasting
At the heart of Kerberoasting is Microsoft’s legacy support for a form of Kerberos encryption based on RC4, a stream cipher whose known statistical biases have steadily eroded its strength.
This legacy support significantly weakens the protection of principals’ passwords in the Active Directory ecosystem: because the ticket key is derived directly from the service account’s password hash, a captured RC4 ticket becomes an offline password-cracking target.
Why is Kerberoasting Possible?
Kerberos quickly emerged as a client-server arbitration protocol that uses cryptographic tickets as the authentication exchange mechanism between trusted hosts, achieving controlled access to services and applications.
Over the years, Kerberos has gone through five different versions, each built from various sub-protocols that involve three components:
- A trusted third party, also called the key distribution center or KDC, with a database of principals (user and service accounts) and their corresponding shared secret keys used to perform authentication.
- A client, or user, that authenticates to the KDC and, using a special ticket (the TGT, or ticket-granting ticket) obtained at logon, requests from the ticket-granting service (TGS) the tickets (credentials) required to gain access to a specific resource.
- A service, or application server, that hosts the data or resource the client is requesting.
Who Created Kerberoasting?
In 2014, researcher Tim Medin, a senior SANS instructor and content developer, took the infosec community by surprise when he revealed Kerberoast.
This offline brute-force credential-cracking process within the Windows Active Directory ecosystem would soon become the de facto attack vector against the Kerberos protocol, taking advantage of exploitable authentication and encryption mechanisms in a popular technology born at MIT and leaving the Redmond giant to contend with a cascade of threats for years to come.
Because of this, it would take the effort of the entire cybersecurity community to come up with a proper set of detection and mitigation measures.
Needless to say, the technique known as Kerberoasting was quickly implicated in a growing number of post-exploitation scenarios that plagued modern businesses around the world.
Can you Prevent Kerberoasting? (Detection & Mitigation)
For many reasons, including a lack of proper password hygiene and similarly sloppy domain conditions, Kerberoasting remains incredibly feasible throughout the enterprise world, which may leave many system owners and security professionals wondering how the attack could have happened.
However, in everyone’s defense, the attack remains as difficult to detect and mitigate as ever.
After all, Kerberoasting, as a general technique, was deeply embedded in the fabric of Kerberos long before any attempt by Microsoft to come to terms with its pre-existing cryptographic flaws.
But in the meantime, we can certainly focus our efforts on some, if not all, of the following recommendations:
- Use Kerberos FAST (Flexible Authentication Secure Tunneling) – where possible, protect pre-authentication data by wrapping the authentication service (AS) exchanges with the KDC in a secure tunnel.
- Use group policy to eliminate insecure encryption types – this is the litmus test by which Kerberoasting becomes a decisive attack vector. Using stronger symmetric cipher suites such as AES-256 to protect TGTs will go a long way toward protecting your environment, but don’t disable RC4 across the board until you understand all the potential repercussions.
- Retire legacy systems (Windows Server 2003 and earlier) that still depend on older forms of Kerberos encryption, as soon as possible.
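To make the detection and mitigation points above concrete, here is an added example (not code from the original article) that triages Windows Security Event ID 4769 records for the two classic Kerberoasting signals, service tickets issued with RC4 and one account requesting tickets for many distinct services, and checks whether an account’s msDS-SupportedEncryptionTypes value still permits RC4. The event records and account names are constructed samples.

```python
"""Added example: triage of Event ID 4769 (a Kerberos service ticket was
requested) for Kerberoasting indicators. Sample records are constructed."""
from collections import defaultdict

RC4_HMAC = 0x17   # TicketEncryptionType logged for rc4-hmac (AES is 0x11/0x12)
RC4_BIT = 0x4     # rc4-hmac bit in msDS-SupportedEncryptionTypes

# Constructed 4769 records: (requesting account, client IP, service name,
# ticket encryption type, status). Status 0x0 means the request succeeded.
SAMPLE_4769 = [
    ("alice", "10.0.0.5",  "MSSQLSvc/db01.corp.example", 0x12, "0x0"),
    ("jdoe",  "10.0.0.77", "svc_backup", 0x17, "0x0"),
    ("jdoe",  "10.0.0.77", "svc_sql",    0x17, "0x0"),
    ("jdoe",  "10.0.0.77", "svc_web",    0x17, "0x0"),
    ("jdoe",  "10.0.0.77", "svc_report", 0x17, "0x0"),
    ("bob",   "10.0.0.9",  "WS01$",      0x17, "0x0"),   # computer account
    ("bob",   "10.0.0.9",  "krbtgt",     0x12, "0x0"),   # TGT renewal
    ("carol", "10.0.0.12", "svc_print",  0x17, "0x1f"),  # failed request
]

def is_crackable_target(service):
    """Computer accounts (long random passwords) and krbtgt are not the usual
    Kerberoasting targets; user-owned service accounts with SPNs are."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def rc4_service_tickets(events):
    """Successful TGS requests answered with an RC4 ticket for a user service account."""
    return [(acct, svc) for acct, _ip, svc, etype, status in events
            if status == "0x0" and etype == RC4_HMAC and is_crackable_target(svc)]

def burst_requesters(events, threshold=3):
    """Accounts that pulled tickets for many distinct services: one user requesting
    a ticket for every SPN in the domain is the classic Kerberoasting shape."""
    seen = defaultdict(set)
    for acct, _ip, svc, _etype, status in events:
        if status == "0x0" and is_crackable_target(svc):
            seen[acct].add(svc)
    return {a: sorted(s) for a, s in seen.items() if len(s) >= threshold}

def rc4_allowed(supported_enc_types):
    """Mitigation check on an account's msDS-SupportedEncryptionTypes. None or 0
    means the attribute is unset and the domain default applies, which on legacy
    domains includes RC4, so such accounts are reported for review."""
    if not supported_enc_types:
        return True
    return bool(supported_enc_types & RC4_BIT)

if __name__ == "__main__":
    print("rc4 tickets:", rc4_service_tickets(SAMPLE_4769))
    print("burst requesters:", burst_requesters(SAMPLE_4769))
```

In a real deployment the tuple fields map directly onto the 4769 XML fields TargetUserName, IpAddress, ServiceName, TicketEncryptionType and Status, and the threshold should be tuned against your own baseline of legitimate service ticket volume.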
It is a common mistake to ignore antiquated attack vectors such as Kerberoasting with the mindset that deficiencies in protocol design and implementation can be overcome by proper detections alone. Kerberoasting is still as relevant as it was when it first appeared; indeed, it is far from past its glory days, a testament to its subtle sophistication and continued validity.