Kerberoasting is an attack technique in which an attacker requests Kerberos service tickets for service accounts and cracks the underlying passwords offline, which significantly reduces the risk of detection.
To understand how Kerberoasting attacks work, it is important to know a little about Kerberos itself. Here is a brief breakdown of how Kerberos works.
In short, when a user logs in, they receive a Ticket Granting Ticket (TGT) from the Key Distribution Center (the Domain Controller in most cases). The TGT is encrypted with the key of the krbtgt service account and is treated as the user's proof of identity. With the TGT, a user can request Service Tickets (commonly called TGS tickets, after the Ticket Granting Service that issues them) for specific resources within the domain. Part of a TGS is encrypted with the NTLM hash of the service account for the requested resource. Windows uses service principal names (SPNs) to identify which service account's key is used to encrypt the TGS.
For a Kerberoasting attack to work, the SPN has to be linked to a domain user account. Suppose an SPN is registered for a domain user account that runs Microsoft SQL Server instances; then the NTLM hash of that user's password is used to encrypt the ticket. If that service account has a weak password, the attacker has a good chance of cracking it.
Any domain user can request a TGS from a Domain Controller for any service that has a registered SPN. When the TGS is created, the Domain Controller does not check whether the requesting user is allowed to access the respective resource; verifying authorization is left to the service. An attacker can therefore take the ticket offline and attempt to crack the NTLM hash of the service account.
Kerberoasting is an effective technique for attackers who have only limited rights within a domain. Depending on the strength of the passwords, an attacker can quickly gain access to multiple accounts and then use them to launch further attacks. The attack itself cannot be prevented outright. However, policies such as enforcing strong passwords, maintaining an inventory of service accounts, checking when each password was last changed, and implementing a process for rotating passwords regularly remain the most effective ways to make it harder for attackers.
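As an added example that is not part of the original article, the following PowerShell audit builds the inventory of SPN-bearing domain user accounts the text recommends and flags those whose password is overdue for rotation. It assumes the RSAT ActiveDirectory module is installed and uses a 365-day threshold as a placeholder for whatever interval your policy requires.

```powershell
# Added audit example (not from the original article): list domain user accounts
# with registered SPNs and flag those whose password is older than a threshold.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365   # assumption: the rotation interval your policy requires

# Only user accounts (not computer accounts) with an SPN are Kerberoasting
# candidates; krbtgt is excluded because its key is managed separately.
$serviceAccounts = Get-ADUser -Filter { ServicePrincipalName -like "*" } `
    -Properties ServicePrincipalName, PasswordLastSet, Enabled, LastLogonDate |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

$report = foreach ($acct in $serviceAccounts) {
    # PasswordLastSet is $null if the password was never set; treat that as stale.
    $ageDays = if ($acct.PasswordLastSet) {
        [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    } else { $null }

    [pscustomobject]@{
        SamAccountName  = $acct.SamAccountName
        Enabled         = $acct.Enabled
        SpnCount        = $acct.ServicePrincipalName.Count
        FirstSpn        = $acct.ServicePrincipalName | Select-Object -First 1
        PasswordLastSet = $acct.PasswordLastSet
        PasswordAgeDays = $ageDays
        LastLogonDate   = $acct.LastLogonDate
        Stale           = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
    }
}

# Stale, enabled accounts first: these are the passwords to rotate first.
$report | Sort-Object -Property Stale, PasswordAgeDays -Descending |
    Format-Table SamAccountName, Enabled, SpnCount, PasswordAgeDays, Stale, FirstSpn -AutoSize

# Keep a record of the inventory so the next review can diff against it.
$report | Export-Csv -Path .\spn-accounts.csv -NoTypeInformation
```

Run it from a workstation with the AD module under an account that can read user objects; accounts listed with Stale = True and Enabled = True are the ones to prioritise for a password change.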