Kerberoasting is an attack on Active Directory service accounts that abuses Service Principal Names (SPNs). Any authenticated domain user may request a Kerberos service ticket for any registered SPN, and part of that ticket is encrypted with a key derived from the service account's password. The adversary therefore collects tickets, takes them offline, and guesses passwords until one decrypts a ticket correctly, with no further interaction with the domain controller and no lockout risk.

Identify SPNs:
The attacker searches the directory for user accounts that have an SPN set. An SPN uniquely identifies a service instance (e.g., MSSQLSvc/sql01.corp.local:1433 for SQL Server, or an Exchange service), and any account carrying one is a candidate. Get-ADUser returns only user objects, so computer accounts are already excluded; the krbtgt account also carries an SPN but is routinely skipped because its password is machine-generated and not realistically crackable.
Example Command (PowerShell):
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Ticket Request:
For each identified SPN the attacker asks the KDC's Ticket Granting Service (TGS) for a service ticket, which any authenticated account is permitted to do. The service-ticket portion of the reply is encrypted with the service account's long-term key: the NT hash for RC4-HMAC (encryption type 23), or an AES key derived from the password for types 17 and 18. Attack tools request RC4 where the account still supports it, because RC4-encrypted tickets crack far faster than AES ones.

[Figure: user with SPN found]
Ticket Extraction:
Rubeus requests the tickets and writes them out in a crackable format in one step, so no memory access is needed. Mimikatz (kerberos::list /export) instead exports tickets already cached in the current session's memory, which matters when tickets were obtained some other way, for example by requesting them through .NET's KerberosRequestorSecurityToken class.
Example Command (Rubeus):
Rubeus.exe kerberoast /format:hashcat /outfile:hashes.txt
Offline Cracking:
What the attacker has is not a password hash but the encrypted ticket data, written in a format that Hashcat or John the Ripper understands. Each candidate password is converted into the account's key and used to decrypt the ticket; a correct guess is recognised when the ticket's checksum verifies. Hashcat mode 13100 handles RC4-HMAC (etype 23) tickets; modes 19600 and 19700 handle AES128 (etype 17) and AES256 (etype 18), which are orders of magnitude slower per guess because of the PBKDF2 key derivation. This is why forcing AES-only tickets for service accounts is an effective mitigation even before password length is addressed.
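The procedure above leaves a trace on the domain controller: every service-ticket request is logged as Windows Security event 4769, with the requesting account, the service name and the ticket encryption type. The following Python is an added example, not part of the original article, of how a defender can hunt for Kerberoasting in those events. It runs over a constructed set of 4769 records (not real logs); the field names follow the 4769 event schema, while the thresholds, severity labels and helper names are assumptions made here for illustration.

```python
"""Hunt for Kerberoasting in Windows Security event 4769 records.

Two signals are used:
  1. A burst of distinct service names requested by one user account in a
     short window. Normal clients touch a handful of services; Rubeus
     requests a ticket for every SPN it found.
  2. RC4-HMAC tickets (TicketEncryptionType 0x17) for user SPNs. Attack
     tools ask for RC4 because it cracks faster than AES (0x11/0x12).
Computer accounts (names ending in '$') and the krbtgt service are
excluded, as they dominate 4769 volume and are not Kerberoast targets.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4 = "0x17"  # RC4-HMAC; AES tickets log as 0x11 (AES128) or 0x12 (AES256)

# Constructed sample events (not real logs). Each tuple is
# (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status).
SAMPLE_4769_EVENTS = [
    # Normal user touching two services with AES tickets.
    ("2024-03-01T09:00:01", "alice@CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", "0x12", "10.0.0.15", "0x0"),
    ("2024-03-01T09:00:07", "alice@CORP.LOCAL", "HTTP/intranet.corp.local", "0x12", "10.0.0.15", "0x0"),
    # Machine account activity: excluded by name.
    ("2024-03-01T09:00:09", "WS01$@CORP.LOCAL", "cifs/fs01.corp.local", "0x12", "10.0.0.31", "0x0"),
    # TGT renewal shows up as a krbtgt service ticket: excluded.
    ("2024-03-01T09:01:00", "bob@CORP.LOCAL", "krbtgt/CORP.LOCAL", "0x12", "10.0.0.22", "0x0"),
    # Attacker: six distinct SPNs, all RC4, within 40 seconds from one host.
    ("2024-03-01T09:02:00", "mallory@CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", "0x17", "10.0.0.77", "0x0"),
    ("2024-03-01T09:02:05", "mallory@CORP.LOCAL", "MSSQLSvc/sql02.corp.local:1433", "0x17", "10.0.0.77", "0x0"),
    ("2024-03-01T09:02:11", "mallory@CORP.LOCAL", "HTTP/intranet.corp.local", "0x17", "10.0.0.77", "0x0"),
    ("2024-03-01T09:02:18", "mallory@CORP.LOCAL", "HTTP/reports.corp.local", "0x17", "10.0.0.77", "0x0"),
    ("2024-03-01T09:02:25", "mallory@CORP.LOCAL", "ldap/dc01.corp.local", "0x17", "10.0.0.77", "0x0"),
    ("2024-03-01T09:02:40", "mallory@CORP.LOCAL", "exchangeMDB/mail01.corp.local", "0x17", "10.0.0.77", "0x0"),
    # A failed request (non-zero Status) yields no crackable ticket: ignored.
    ("2024-03-01T09:03:00", "mallory@CORP.LOCAL", "host/nosuch.corp.local", "0x17", "10.0.0.77", "0x7"),
    # One RC4 ticket hours later: no burst, but worth a look in an AES-only domain.
    ("2024-03-01T14:30:00", "bob@CORP.LOCAL", "MSSQLSvc/legacy.corp.local:1433", "0x17", "10.0.0.22", "0x0"),
]


def parse_event(row):
    ts, user, service, etype, ip, status = row
    return {"time": datetime.fromisoformat(ts), "user": user, "service": service,
            "etype": etype.lower(), "ip": ip, "status": status.lower()}


def is_candidate(ev):
    """Successful ticket for a user SPN, requested by a user account."""
    if ev["status"] != "0x0":
        return False
    account = ev["user"].split("@")[0]
    if account.endswith("$"):
        return False
    return not ev["service"].lower().startswith("krbtgt/")


def detect_kerberoasting(rows, window=timedelta(minutes=5), min_spns=5):
    """Return one alert per burst of >= min_spns distinct SPNs by one account."""
    events = sorted((parse_event(r) for r in rows), key=lambda e: e["time"])
    by_user = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        i = 0
        while i < len(evs):
            # Grow the window from evs[i] as far as the time bound allows.
            j = i
            while j + 1 < len(evs) and evs[j + 1]["time"] - evs[i]["time"] <= window:
                j += 1
            burst = evs[i:j + 1]
            spns = sorted({e["service"] for e in burst})
            if len(spns) >= min_spns:
                rc4_count = sum(1 for e in burst if e["etype"] == RC4)
                alerts.append({
                    "user": user,
                    "source_ips": sorted({e["ip"] for e in burst}),
                    "first_seen": burst[0]["time"].isoformat(),
                    "last_seen": burst[-1]["time"].isoformat(),
                    "spns": spns,
                    "requests": len(burst),
                    "rc4_count": rc4_count,
                    # All-RC4 bursts are the classic tool signature; an AES burst
                    # still matters (Rubeus /tgtdeleg or AES-only domains).
                    "severity": "high" if rc4_count == len(burst) else "medium",
                })
                i = j + 1  # do not re-alert on the same burst
            else:
                i += 1
    return alerts


def rc4_ticket_requests(rows):
    """Every successful RC4 ticket for a user SPN. Where service accounts have
    AES keys and RC4 is disabled this list should be empty, so each entry is
    worth reviewing even without a burst."""
    return [(ev["user"], ev["service"]) for ev in map(parse_event, rows)
            if is_candidate(ev) and ev["etype"] == RC4]


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769_EVENTS):
        print(alert)
    print(rc4_ticket_requests(SAMPLE_4769_EVENTS))
```

The window and SPN threshold need tuning per environment: a domain that still has RC4-capable service accounts will produce legitimate 0x17 tickets from ordinary clients, and a small domain may have fewer than five SPNs in total, in which case the burst rule must be lowered or replaced by the RC4 audit alone.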

Privilege Escalation:
Once a service account's password is recovered, the attacker can authenticate as that account directly. Service accounts are frequently over-privileged: members of Domain Admins or other privileged groups, or local administrators on the hosts running the service. A single cracked account can therefore be enough to take over the domain.
Lateral Movement:
With the compromised credentials, the attacker authenticates to the systems where the account has rights (the database, application or file servers the SPNs point at) and uses them as a foothold to reach further systems and data.
Persistence:
Because the cracking happens offline against a ticket that any user may request, the compromise generates little telemetry, and service account passwords are rarely rotated, so a cracked credential often stays valid for months. Long, random passwords (or group Managed Service Accounts, whose passwords are rotated automatically) and AES-only encryption on service accounts are the direct mitigations.