Kerberoasting is an attack that specifically targets accounts with a Service Principal Name (SPN) set in a Windows Active Directory environment.

Understanding SPN Accounts: SPNs are unique identifiers for services in a network that allow Kerberos to authenticate clients to those services and to tie a service to the account it runs under. These accounts are often associated with services such as SQL Server, IIS, etc.

Kerberoasting Attack:
Prerequisite: Knowledge of the SPN account.
Process: An attacker requests a service ticket for the SPN account using the Kerberos protocol. The ticket is encrypted with the service account's New Technology LAN Manager (NTLM) hash (this is the case for RC4-encrypted tickets; AES tickets use a key derived from the same password). The attacker captures this ticket and attempts to crack it offline.
Objective: To obtain the plaintext password of the service account, which can then be used for lateral movement or privilege escalation.

How the Kerberoasting Attack Works

Initial Compromise: The attacker gains a foothold in the network with any valid domain user account (even a low-privileged one) via phishing, malware, or other means.
SPN Enumeration: The attacker scans Active Directory for user accounts with a Service Principal Name (SPN). SPNs are service identifiers used for authentication (e.g., SQL, Exchange).
TGS Ticket Request: Using the compromised account, the attacker requests a Kerberos Ticket Granting Service (TGS) ticket for the target service account. The Key Distribution Center (KDC) on the Active Directory Domain Controller issues this ticket encrypted with the hash of the service account's password.
Ticket Extraction: The attacker captures the TGS ticket from memory using tools like Mimikatz or Rubeus.
Offline Cracking: The attacker takes the ticket offline and uses brute-force/dictionary tools (e.g., Hashcat, John the Ripper) to crack the encryption.
Privilege Escalation: Once the plaintext password is recovered, the attacker can impersonate the service account, which often has high-level permissions (e.g., Domain Admin).
#attack credentials postexploitation
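The TGS Ticket Request step above is what a defender can see: each request is logged by the Domain Controller as Windows Security Event ID 4769. As an added example (not from the original note), the following detection logic runs over a constructed set of 4769 records and flags a single account requesting RC4 (etype 0x17) tickets for many distinct service accounts in a short window, which is the pattern a bulk Kerberoast produces. The field names are the real EventData fields of 4769; the users, services, addresses and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769 records, reduced to the EventData fields
# needed here. All names and addresses are invented for this example.
EVENTS = [
    {"time": "2024-05-01T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"time": "2024-05-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "DC01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"time": "2024-05-01T10:00:04", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_iis", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"time": "2024-05-01T10:00:09", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"time": "2024-05-01T10:01:30", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_exch", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"time": "2024-05-01T10:02:00", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x1b"},
    {"time": "2024-05-01T10:05:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7", "Status": "0x0"},
    {"time": "2024-05-01T10:06:00", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9", "Status": "0x0"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP


def is_roast_candidate(ev):
    """True if one 4769 record looks like a Kerberoast-style TGS request."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # computer accounts and krbtgt are not Kerberoast targets
    if ev["Status"] != "0x0":
        return False  # a failed request (e.g. 0x1b) yields no usable ticket
    return ev["TicketEncryptionType"].lower() in RC4_ETYPES


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Return {requester: sorted list of services} for every requester that
    obtained RC4 tickets for at least `threshold` distinct non-machine
    services within one sliding time window."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts[user] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for user, services in detect_kerberoasting(EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

In a real deployment the threshold and window are tuned to the environment, and moving service accounts to AES-only keys (so 0x17 requests for them stand out) makes this signal far stronger.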