Active Directory, What Is Kerberoasting

Within an Active Directory environment there are standard users and service users; the latter are more commonly known as service principal names, or SPNs for short. Kerberoasting is a post-exploitation attack in which an authenticated user is able to extract the NTLMv2 password hash for an SPN account in order to gain further privileges within the domain.

In any domain environment it is common to come across SPNs; these will often be running services such as a database or web server, for example MSSQL (database) or IIS (web server).

How does kerberoasting work

Kerberoasting occurs when a domain user requests a service ticket from the Ticket Granting Service. The ticket that is returned is encrypted with the hash of the service account's password. Using a number of popular tools, attackers are able to extract just that hash and then set about cracking it; once cracked, they would be able to authenticate to the domain as that service account.

Protecting against kerberoasting

  • Similar to many attacks, if a secure password policy has been implemented then any attempt to crack the extracted password hash would be unsuccessful, preventing any lateral movement as the service account. An example of this would be requiring all passwords to be over 10 characters and to contain upper and lower case characters along with symbols.
  • Having a password policy which requires domain users to reset their passwords periodically can help limit the attacker's foothold on the domain and possibly prevent any future access or kerberoasting attempts.
  • Monitoring domain systems for applications which are commonly used for kerberoasting can help identify user accounts which have been compromised, as well as limit any attacks in progress.
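As an added example of the monitoring point above (not code from the original post), the following flags the telltale pattern of kerberoasting in Windows Security event 4769 (service ticket request) records: one account requesting RC4-encrypted service tickets (TicketEncryptionType 0x17) for many distinct services in a short window. The event records, user names and service names are constructed sample data; the window and threshold are assumptions to tune for your environment.

```python
# Added example (not from the original post): detect kerberoasting-like bursts of
# RC4 service ticket requests in Windows Security event 4769 records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records: (time, requesting account, target service, TicketEncryptionType)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "alice", "sqlsvc",  "0x12"),   # AES256, normal use
    ("2024-05-01T09:00:02", "bob",   "sqlsvc",  "0x17"),   # burst of RC4 requests
    ("2024-05-01T09:00:03", "bob",   "websvc",  "0x17"),
    ("2024-05-01T09:00:04", "bob",   "bkpsvc",  "0x17"),
    ("2024-05-01T09:00:05", "bob",   "rptsvc",  "0x17"),
    ("2024-05-01T09:00:06", "bob",   "mailsvc", "0x17"),
    ("2024-05-01T10:30:00", "carol", "websvc",  "0x17"),   # single legacy RC4 request, not flagged
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769


def find_kerberoast_suspects(events, window=timedelta(minutes=5), threshold=4):
    """Return {account: sorted services} for accounts that requested RC4-encrypted
    service tickets for at least `threshold` distinct services within `window`."""
    rc4_by_user = defaultdict(list)
    for ts, user, service, enc in events:
        if enc == RC4_HMAC:
            rc4_by_user[user].append((datetime.fromisoformat(ts), service))

    suspects = {}
    for user, reqs in rc4_by_user.items():
        reqs.sort()
        best = set()          # largest set of distinct services seen in any one window
        start = 0
        for end in range(len(reqs)):
            # slide the window start forward until it fits within `window`
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= threshold:
            suspects[user] = sorted(best)
    return suspects


if __name__ == "__main__":
    for user, services in find_kerberoast_suspects(SAMPLE_EVENTS).items():
        print(f"{user}: RC4 service tickets requested for {len(services)} services: {services}")
```

Accounts requesting a single RC4 ticket (such as a legacy service client) are not flagged; only the burst across many SPNs is.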