Kerberoasting Attacks Explained: Definition, How They Work and Mitigation Techniques

In 2014, researcher Tim Medin, a senior SANS instructor and content developer, took the infosec community by surprise when he disclosed Kerberoast. This multi-step process of brute-forcing credential hashes within the Windows Active Directory ecosystem would soon become the de facto attack vector against the Kerberos protocol, leveraging certain exploitable authentication and encryption mechanisms of the popular MIT-born technology while embroiling the Redmond giant in a cascade of existential threats for years to come. Owing to this, it would take the effort of the entire cybersecurity community to later arrive at a suitable set of detection and mitigation opportunities. As pervasive as it was, Kerberoast actually embodied only a handful of operating principles, which allowed non-privileged domain users to get their hands on the credentials of so-called service accounts, an alluring proposition that was usually met with a favorable outcome when those service accounts had weak passwords. Needless to say, the technique known as Kerberoasting, as early adopters coined it, was quickly charged with being an accessory to a growing number of post-exploitation scenarios that plagued modern enterprises across the globe. In this blog post, we will explore the Kerberoasting affair in light of its salient features, taking a quick dive into some of its more creative touches and placing important ideas in context as they pertain to the privilege escalation and lateral movement stages of the cyber kill chain, as well as to its contribution to the ever-growing list of network threats. We'll begin our journey by revisiting Kerberos, examining its pitfalls and going into some detail as to why the protocol's cryptographic design exposed critical vulnerabilities that allowed such sensitive data to be extracted with so little relative effort. Let's begin.
Kerberos revisited

Distributed computing systems in the late 80s presented unique challenges against the authentication backdrop, in which one endpoint entity was required to prove its trustworthiness to another, preferably in a single sign-on fashion that could take advantage of a centralized management infrastructure according to the technology of the day. In this context, Kerberos quickly emerged as an arbitrator protocol between client and server that leveraged cryptographic tickets as the accepted authentication exchange mechanism between trusted hosts to achieve controlled access to services and applications. Over the years, Kerberos spanned five different models or versions that encompassed several subprotocols rolled into three different components: a trusted third party, also called a key distribution center or KDC, with a database of principals (user and service accounts) and their corresponding shared secrets to perform authentication with; a client, or privileged user, who negotiates authentication within a specific realm by issuing a request to the ticket-granting service (TGS) for a special ticket (the TGT, or ticket-granting ticket) that is used to derive the necessary credentials to gain access to a specific resource; and a service, or application server, hosting the data or resource in question that is being requested by the client. Kerberos excelled in cross-realm scenarios where organizational boundaries required authentication across different network segments. Organized in a hierarchical manner, these inter-realm capabilities are the main driving force behind Microsoft's Active Directory and the way in which this proprietary implementation of Kerberos version 5 establishes user control and authentication.
This represented a vast improvement over previous NTLM-based approaches, including the adoption of symmetric cryptographic primitives and "salting" in lieu of password hashing, or the aforementioned mutual authentication and delegation feature options required by multi-tier applications. Kerberos is also classified as an open standard, which technically...
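As an added example that is not part of the original post, here is the defender's view of the ticket exchange described above. A Kerberoasting request reaches the KDC as an ordinary service ticket request to the TGS, so detection leans on the KDC's audit trail; the script assumes Windows Security Event 4769 fields (TicketEncryptionType, ServiceName, Status) and runs over constructed sample records, with the alert threshold as an assumed tuning value.

```python
"""Detection side of Kerberoasting: scan Windows Security Event 4769 (Kerberos
service ticket requested) records for one user requesting RC4 service tickets
for many user-backed service accounts. Sample events are constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"       # TicketEncryptionType value for RC4-HMAC in event 4769
DEFAULT_THRESHOLD = 5   # distinct services per user per window (assumed tuning value)
WINDOW = timedelta(minutes=10)

def ev(minute, user, service, enc, status="0x0"):
    """Constructed 4769-like record: time, requester, service account, enc type, status."""
    return {"time": datetime(2024, 1, 1, 9, minute), "user": user,
            "service": service, "enc": enc, "status": status}

SAMPLE_EVENTS = [
    ev(0, "alice", "svc-sql", RC4_HMAC), ev(1, "alice", "svc-web", RC4_HMAC),
    ev(1, "alice", "svc-backup", RC4_HMAC), ev(2, "alice", "svc-report", RC4_HMAC),
    ev(3, "alice", "svc-ftp", RC4_HMAC), ev(3, "alice", "WS01$", RC4_HMAC),
    ev(4, "alice", "krbtgt", RC4_HMAC),
    ev(5, "bob", "svc-sql", "0x12"), ev(6, "bob", "svc-web", "0x12"),   # AES256: routine
    ev(7, "carol", "svc-mail", RC4_HMAC, "0x7"),                         # failed request
]

def is_roastable_service(service_name):
    """Only services backed by a human-chosen password matter: computer accounts
    (trailing '$') have long random passwords, and krbtgt issues TGTs, not service tickets."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"

def suspicious_events(events):
    """Successful RC4 service ticket requests for user-backed service accounts."""
    return [e for e in events
            if e["enc"] == RC4_HMAC and e["status"] == "0x0"
            and is_roastable_service(e["service"])]

def detect_kerberoasting(events, threshold=DEFAULT_THRESHOLD, window=WINDOW):
    """Map requester -> sorted services for users who asked for tickets to at least
    `threshold` distinct roastable services within one sliding time window."""
    by_user = defaultdict(list)
    for e in sorted(suspicious_events(events), key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if x["time"] - first["time"] <= window]
            services = {x["service"] for x in in_window}
            if len(services) >= threshold:
                alerts[user] = sorted(services)
                break
    return alerts
```

Routine traffic (AES tickets, computer accounts, failed requests) drops out, and only the requester fanning out RC4 tickets across several service accounts is reported.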

About the Podcast

Listen to all the articles we release on our blog while commuting, while working or in bed.