Topic starter 16/08/2025 8:11 pm
a well-known attack technique that targets the Kerberos authentication protocol in Windows environments. Here’s a clear explanation:
🔥 What Is Kerberoasting?
Kerberoasting is a post-exploitation attack where an attacker extracts service tickets from memory and attempts to crack them offline to retrieve the plaintext password of a service account.
It exploits the way Kerberos handles Service Principal Names (SPNs) and Ticket Granting Service (TGS) tickets.
🛠️ How It Works
- Attacker gains access to a domain-joined machine (often as a regular user).
- They use tools like Rubeus, Impacket, or Mimikatz to request service tickets for SPNs.
- These tickets are encrypted with the NTLM hash of the service account.
- The attacker extracts the ticket and cracks it offline using brute-force or dictionary attacks.
- Once cracked, they obtain the service account password, which may have elevated privileges.
⚠️ Why It’s Dangerous
- No need for elevated privileges to start the attack.
- Offline cracking avoids detection by domain controllers.
- Service accounts often have weak passwords and high privileges.
- Can lead to lateral movement and privilege escalation.
🛡️ How to Defend Against Kerberoasting
| Defense Strategy | Description |
|---|---|
| 🔐 Use Strong Passwords | Ensure service accounts have long, complex passwords. |
| 🧼 Clean Up SPNs | Remove unnecessary or unused SPNs to reduce attack surface. |
| 🧾 Monitor TGS Requests | Use SIEM tools to detect unusual volume or patterns of TGS requests. |
| 🧍‍♂️ Limit Service Account Privileges | Apply least privilege and avoid using domain admin rights. |
| 🔄 Rotate Passwords Regularly | Especially for high-value service accounts. |
| 🧰 Use Managed Service Accounts | These automatically rotate passwords and reduce exposure. |
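As an added example (not part of the post above), here is a small Python check for the "Monitor TGS Requests" defense: it scans constructed records modelled on Windows Security Event ID 4769 (a Kerberos service ticket was requested) and flags any account that requests tickets for many distinct SPNs in a short window, also counting how many of those tickets used RC4-HMAC (encryption type 0x17). The pipe-separated field names, the 5-minute window and the threshold of 4 SPNs are assumptions for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # Ticket Encryption Type value for RC4-HMAC in event 4769

def parse_4769(line):
    """Parse one constructed key=value|key=value 4769 record (assumed layout)."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields

def find_suspects(lines, window=timedelta(minutes=5), min_spns=4):
    """Return {account: {"spns": [...], "rc4": n}} for accounts that requested
    service tickets for >= min_spns distinct SPNs within `window`.
    Machine accounts (name ends in $) and krbtgt requests are skipped because
    they dominate normal traffic and are not what a Kerberoasting run looks like."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_4769(line)
        if ev["account"].endswith("$") or ev["service"].lower().startswith("krbtgt"):
            continue
        by_user[ev["account"]].append(ev)
    suspects = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # sliding window anchored at each request
            in_win = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            spns = sorted({e["service"] for e in in_win})
            if len(spns) >= min_spns:
                rc4 = sum(1 for e in in_win if e["etype"] == RC4_HMAC)
                suspects[user] = {"spns": spns, "rc4": rc4}
                break
    return suspects

# Constructed sample records: one burst of RC4 requests for five SPNs from a
# single user, normal AES traffic from another user, and a machine account.
SAMPLE_LOG = [
    "time=2025-08-16T20:11:02|account=jsmith|service=MSSQLSvc/sql01.corp.example:1433|etype=0x17",
    "time=2025-08-16T20:11:03|account=jsmith|service=HTTP/web01.corp.example|etype=0x17",
    "time=2025-08-16T20:11:03|account=jsmith|service=MSSQLSvc/sql02.corp.example:1433|etype=0x17",
    "time=2025-08-16T20:11:04|account=jsmith|service=CIFS/fs01.corp.example|etype=0x17",
    "time=2025-08-16T20:11:05|account=jsmith|service=exchangeMDB/mail01.corp.example|etype=0x17",
    "time=2025-08-16T20:11:02|account=alice|service=HTTP/web01.corp.example|etype=0x12",
    "time=2025-08-16T20:30:00|account=alice|service=CIFS/fs01.corp.example|etype=0x12",
    "time=2025-08-16T20:11:02|account=WS01$|service=krbtgt/CORP.EXAMPLE|etype=0x12",
]

if __name__ == "__main__":
    for user, info in find_suspects(SAMPLE_LOG).items():
        print(f"{user}: {len(info['spns'])} SPNs in window, {info['rc4']} RC4 tickets")
```

In a real deployment the same logic would run in the SIEM over the actual 4769 stream, and a high share of RC4 tickets from one account is a stronger signal than volume alone.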