History of Kerberoasting
Kerberoasting is an attack that was discovered by Tim Medin in 2014, it allows a normal user in a Microsoft Windows Active Directory environment to be able to retrieve the hash for a service account in the same Active Directory environment. If the user is lucky and the service account is configured with a “weak” password, then the user can leverage password cracking techniques to retrieve the clear text password from the hash that was obtained from the Kerberoast Attack.
Watch the live hacking demonstration on YouTube:
What Is Kerberos?
You may be saying “well ok, but what is Kerberos, and how does this all work.” Well to answer the first part of the question, Kerberos is the name of an authentication protocol used in Windows networks to let users access resources (files, servers, drives, services). To answer the second part of the question we need to go and visit a carnival. In this case, I am not talking about The Carnival of Brazil but the carnivals that pop up across America around the 4th of July (when there is not a global pandemic).
For the carnival in my hometown, you first have the enter the carnival area, which was blocked off by a colorful fence that went the whole way around the carnival. The only way to get in was to go to the main gate, walk through security where they would put a wrist strap on you, and then finally let you enter. This got you in, but you could not do much yet. If you wanted to ride the rides after you entered, you had to go to the ticket booth, buy the tickets you needed for the ride and then go to the ride you wanted. You would wait in line and once it was your turn, they would make sure you could ride (i.e. were the right height, old enough) and then take your tickets. This would allow you to ride the ride for only that time and not unlimited rides for the day, so if you want to ride again or ride a different ride, you need to go back to the ticket booth and go through the process again.
How It Works
What does all of that have to do with Kerberos? Let me explain. When you first boot your computer and enter your credentials to logon to your corporate network some behind-the-scenes things happen. First, your computer goes up and requests a “wrist band” AKA “ticket granting ticket” from the domain controller to enter the realm AKA “the carnival”. But let’s say you want to ride a ride or in this case access a file share server with your work files on it. To do this your computer takes its wrist band (ticket granting ticket) and goes up to the ticket booth (which is usually also the domain controller but in Kerberos it is known as the ticket granting server) and the ticket booth will give you the encrypted session information and a ticket to access the service you requested. Finally, the user (or your computer) takes the service ticket (aka our ride ticket) it just received and sends it to the file server (aka our carnival ride) if the user has permission (in the carnival case, the user is tall enough to ride) then the file server will allow the user access to its appropriate files on its share.
Finding the ‘Roast’
So now that we got that out of the way, where is the attack? Where is the roast of the kerberoast? Well, unlike a normal carnival where the tickets simply has “1 ticket” printed on the front and back, the tickets in our Kerberos process have information printed on them, in some cases lots and lots of information printed on them. In this case, the service ticket that we got from our “ticket booth” comes back to us with the fully qualified domain name of the service account on it, but it is also encrypted with the server account’s password hash. This password hash is needed for the Kerberos process to finish. It can be abused by attackers who take this password hash and use a program like Jon the Ripper or Hashcat to do offline password cracking. This allows attackers to guess up to 1 million possible passwords per second, so you better hope your service accounts have a good one set. The problem is many service accounts were set up ages ago and never have their passwords expire, for important reasons, so they are not up to current standards.
This, of course, is just a high-level overview of kerberoasting, there are a lot more details to this attack that are not covered here. If you want to read the details, I recommend looking at some of the following posts.
If you would like to know if you are vulnerable to this type of attack, give us a call and we can help you identify this risk and others with a penetration test.
Written by: Brian Halbach