Active Directory, What Is Kerberoasting

Within an Active Directory environment there are ordinary user accounts and service accounts; the latter are the accounts that have one or more service principal names (SPNs) registered on them, which is why they are often loosely referred to as "SPNs". Kerberoasting is a post-exploitation attack in which any authenticated domain user requests a service ticket for such an account, extracts the part of the ticket that is encrypted with a key derived from the service account's password, and cracks it offline to recover that password and so gain further privileges within the domain. Note that what is extracted is not an NTLMv2 hash: it is a Kerberos ticket, and for the RC4-HMAC encryption type the key that protects it is the account's NT hash.

In any domain environment it is common to come across accounts with SPNs registered; these will typically be running services such as a database or web server, for example MSSQL (database) or IIS (web server). The worthwhile targets are service accounts created by an administrator, whose passwords are often old, weak and rarely rotated; SPNs registered on computer accounts are not worth attacking, since those passwords are long, random and rotated automatically.

How does kerberoasting work

Kerberoasting works because any domain user can ask the ticket granting service (TGS) on a domain controller for a service ticket for any registered SPN. The ticket that comes back is encrypted with a key derived from the service account's password: with the RC4-HMAC encryption type (etype 23) that key is simply the account's NT hash, while with AES (etypes 17 and 18) it is derived through 4,096 rounds of PBKDF2 with a salt based on the realm and account name, which makes cracking far slower. Using a number of popular tools an attacker can extract just the encrypted part of the ticket, crack it offline against a wordlist (each candidate password is checked by re-deriving the key and verifying the ticket's checksum, with no further contact with the domain controller), and then authenticate to the domain as that service account with the recovered plaintext password.

Protecting against kerberoasting
