What Is Kerberoasting, and Should You Be Worried About It?

Kerberos tickets make networks safer by letting a client prove its identity to the services it uses without sending a password, and without re-authenticating at every step. However, part of each ticket is encrypted with a key derived from the password of the service account it is issued for, and that is what makes some tickets attractive to attackers: whoever can crack that encryption offline recovers the password.

What Are Kerberos Tickets?

If you think “Kerberos” sounds familiar, you’re right. It is the Greek name of Hades’ dog (otherwise known as “Cerberus”). But Kerberos is no lapdog; it has several heads and guards the gates of the underworld. Kerberos prevents the dead from leaving and stops distraught characters from springing their beloved ones from the grim afterlife. In that way, you can think of the dog as an authenticator that prevents unauthorized access.

Kerberos is a network authentication protocol that uses secret-key cryptography to authenticate clients (users and the computers they sit at) to services on a network and, optionally, services back to clients. It was created at the Massachusetts Institute of Technology (MIT) so that a client can prove its identity to a server when it requests data without ever sending its password across the network. In the same exchange the server can prove its own identity to the client, and both sides obtain a shared session key that can be used to protect the integrity and confidentiality of the data they subsequently exchange.


A Kerberos ticket is often compared to a certificate, but it is really an encrypted record issued by a trusted third party (the key distribution center, or KDC) that names the client, the service, a validity period, and a fresh session key. The ticket is encrypted with the service's long-term key, so the client cannot read or alter it; the KDC hands the client its own copy of the session key separately. When the client opens a connection it presents the ticket together with an authenticator (a timestamp encrypted with the session key). The service decrypts the ticket, recovers the session key, checks the authenticator, and from then on trusts the connection, so there is no need to verify every single request or command for as long as the ticket is valid.

How Do Kerberos Tickets Work?

Kerberos tickets authenticate user access to services. Because every ticket is bound to one client and one service and carries its own session key, a server that many users access at once can keep their sessions apart and apply each user's permissions separately. Requests don't leak into each other, and unauthorized persons cannot access data restricted to privileged users.

For example, Microsoft uses Kerberos as the default authentication protocol in Active Directory domains. When you sign in to a domain-joined Windows computer with your domain password (or with a Windows Hello PIN or fingerprint that unlocks a credential tied to your account), the operating system authenticates you to the domain controller, which acts as the KDC, and receives a ticket-granting ticket (TGT) for your account in return.


Your computer caches that TGT, and the service tickets it later obtains with it, in the memory of the Local Security Authority Subsystem Service (LSASS) process for the length of your logon session. From then on the OS uses the cached tickets for single sign-on, so you don't have to type your password again every time you open a file share, connect to an intranet web application, or query a database that accepts Kerberos. The flip side is that anything able to read LSASS memory can take those tickets too, which is why LSASS is a favourite target of credential-theft tools.

Kerberos is not what protects the internet at large: HTTPS relies on TLS, not on Kerberos tickets, and attacks such as cross-site request forgery (CSRF) are unrelated to it. Where Kerberos matters is inside organizations, most commonly Active Directory domains, where it authenticates users and computers to file servers (SMB), directory services (LDAP), databases, and intranet web applications (through the Negotiate/SPNEGO mechanism). Its value is that passwords never cross the network, tickets expire, each authenticator carries a timestamp so it cannot simply be captured and replayed, and the server can be required to prove knowledge of the session key in return, which makes impersonation and man-in-the-middle attacks far harder than with password-based logins.


What Is Kerberoasting Exactly?

Kerberoasting is an attack in which an adversary who already controls one ordinary domain account asks the KDC for service tickets for accounts that have a service principal name (SPN) registered, then takes those tickets offline to recover the service accounts' plaintext passwords. Nothing is stolen from a server, and no one has to be tricked: the KDC issues a service ticket to any authenticated user who asks for one, because that is how Kerberos is designed to work. The attacker's only precondition is a valid domain credential, obtained by phishing, password spraying, or a previous compromise; the rest is ticket requests followed by a brute-force attack on the attacker's own hardware.

Of course, the ticket is encrypted, and the attacker cannot read it. But obtaining it solves half of the problem. The encrypted part was produced with a key derived from the service account's password, so the attacker can guess passwords offline, derive the key from each guess, and test whether it decrypts the ticket correctly. None of this touches the domain controller, so there is no lockout and no failed-logon event; the only limits are the attacker's hardware and the strength of the password. The ticket is worth that effort because a recovered service account password is a working domain credential, and service accounts are often highly privileged.


How Do Kerberoasting Attacks Work?

Kerberoasting exploits two common weaknesses in Active Directory: services whose SPN is registered on an ordinary user account with a human-chosen, rarely rotated password, and service tickets issued with the legacy RC4-HMAC encryption type (etype 23), whose key is simply the unsalted NT hash of that password. The attack begins with the attacker, using any valid domain account, enumerating accounts that have a servicePrincipalName attribute (an LDAP query every domain user is allowed to run) and requesting a service ticket for each of those SPNs from the KDC.

The KDC issues the encrypted tickets as expected. Instead of using them to authenticate to a service, the attacker extracts the encrypted portion of each ticket and cracks it offline by deriving a key from each candidate password and checking whether it decrypts the ticket. The request-and-extract step is automated by tools such as Rubeus (its kerberoast command), the PowerShell script Invoke-Kerberoast, and Impacket's GetUserSPNs.py; Mimikatz can also request and export tickets. The cracking step uses free, open-source password crackers such as Hashcat (mode 13100 for RC4 tickets) and John the Ripper (its krb5tgs format). With RC4 and a weak password, a ticket can fall in seconds.


A successful Kerberoasting attack yields the plaintext password of the service account, not of the user whose account requested the ticket. The attacker can then authenticate as that service account wherever its password is accepted. Worse still, service accounts are frequently over-privileged, so the attacker can leverage the new access to steal data, move laterally in Active Directory, and, if the account is privileged enough, create additional accounts with admin privileges that survive the clean-up of the original foothold.

Should You Be Worried About Kerberoasting?

Kerberoasting is one of the most common attacks on Active Directory, and you should be worried about it if you are a domain admin or a blue team operator. Out of the box, nothing stops it: requesting service tickets is legitimate behaviour, the cracking happens entirely offline on the attacker's hardware, and no failed logon is ever recorded. Detection is possible, but you have to build it. Domain controllers log every service ticket request as Security event ID 4769 when the Audit Kerberos Service Ticket Operations subcategory is enabled, and a Kerberoasting run stands out as one user account requesting tickets for many different SPNs in a short time, usually with encryption type 0x17 (RC4) in a domain where normal traffic is AES. A decoy account with an SPN that no legitimate process ever uses (a "honey SPN") turns any ticket request for it into a high-confidence alert. Without something like this in place, you will most likely only learn of a successful attack after the fact.
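The detection idea in the paragraph above, as an added example that is not part of the original article: Python rules run over constructed Security event 4769 records. The field names (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress) are the ones carried in 4769 event data; the records, the decoy account name svc_backup_legacy, the five-SPN threshold and the five-minute window are assumptions chosen for the example.

```python
# Added example, not from the original article: Kerberoasting detection rules
# over Security event 4769 (A Kerberos service ticket was requested). Field
# names match the 4769 event data; the records below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

HONEY_SPN_ACCOUNTS = {"svc_backup_legacy"}  # assumed decoy: no legitimate client ever asks for its tickets
RC4_ETYPES = {"0x17", "0x18"}               # RC4-HMAC and RC4-HMAC-EXP; AES shows up as 0x11/0x12
SPN_THRESHOLD = 5                           # distinct service accounts per requester that we call a sweep
WINDOW = timedelta(minutes=5)


def is_roastable_target(service_name: str) -> bool:
    """Computer accounts (trailing '$') and krbtgt have long random keys; only
    user accounts with SPNs are crackable at human-password strength."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect(events):
    """Return (rule, requester, detail) alerts in time order."""
    alerts = []
    recent = defaultdict(list)      # requester -> [(time, service account)] inside WINDOW
    swept = set()
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["Status"] != "0x0" or not is_roastable_target(ev["ServiceName"]):
            continue                # failed requests and machine/krbtgt targets are not roasting
        who, when, svc = ev["TargetUserName"], ev["TimeCreated"], ev["ServiceName"]
        if svc in HONEY_SPN_ACCOUNTS:
            alerts.append(("honey_spn", who, f"ticket for decoy {svc} from {ev['IpAddress']}"))
        if ev["TicketEncryptionType"] in RC4_ETYPES:
            alerts.append(("rc4_user_spn", who, f"RC4 ticket for {svc} (downgrade or legacy config)"))
        recent[who] = [(t, s) for t, s in recent[who] if when - t <= WINDOW] + [(when, svc)]
        distinct = {s for _, s in recent[who]}
        if len(distinct) >= SPN_THRESHOLD and who not in swept:
            swept.add(who)
            alerts.append(("spn_sweep", who, f"{len(distinct)} service accounts within {WINDOW}"))
    return alerts


def _ev(minute, user, service, etype="0x12", ip="10.0.0.25", status="0x0"):
    return {"TimeCreated": datetime(2024, 3, 1, 9, minute), "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


SAMPLE_EVENTS = [  # constructed; one morning on a domain controller
    _ev(0, "alice", "FS01$"),                       # AES ticket for a file server: normal
    _ev(1, "alice", "svc_sql"),                     # AES ticket for a user service account: normal
    _ev(2, "bob", "krbtgt"),                        # TGT renewal: never interesting here
    _ev(3, "mallory", "svc_sql", "0x17", "10.0.0.77"),
    _ev(3, "mallory", "svc_web", "0x17", "10.0.0.77"),
    _ev(3, "mallory", "svc_backup_legacy", "0x17", "10.0.0.77"),
    _ev(4, "mallory", "svc_exchange", "0x17", "10.0.0.77"),
    _ev(4, "mallory", "svc_sharepoint", "0x17", "10.0.0.77"),
    _ev(40, "mallory", "svc_print", "0x17", "10.0.0.77"),   # too late to join the sweep window
]

if __name__ == "__main__":
    for rule, who, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:14} {who:10} {detail}")
```

The honey-SPN rule is the one with essentially no false positives; the RC4 rule is only meaningful once the domain has been moved to AES, and the sweep threshold needs tuning against a baseline of how many distinct services a normal user touches at logon.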

You can reduce your exposure by fixing the accounts that can be roasted rather than by trying to stop the ticket requests. Enumerate every user account that has a servicePrincipalName and either move the service to a group Managed Service Account (gMSA), whose long random password is generated and rotated automatically by the domain, or give it a long random password of 25 characters or more that is rotated regularly. Set msDS-SupportedEncryptionTypes on those accounts to AES only, so that tickets are issued with AES (etype 17 or 18), whose keys are derived with a salted, iterated function that is orders of magnitude slower to crack than RC4, and phase RC4 out of the domain. Keep service accounts out of Domain Admins and other privileged groups so that a cracked password is a bounded loss. Finally, set up alerts for unusual ticket requests, and remember that the attacker's only precondition is one domain account: the phishing and password-reuse defences that protect ordinary users also protect you from the first step of a Kerberoasting attack.
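The hardening checks in the paragraph above, as an added example that is not part of the original article: a Python audit over a constructed export of directory accounts that flags the roastable ones and says why. The attribute names (servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet, userAccountControl, memberOf) are real Active Directory attributes and the encryption-type bit values are the documented ones; the account records, the one-year password age limit and the privileged-group watch-list are assumptions for the example.

```python
# Added example, not from the original article: audit a directory export for
# Kerberoastable accounts. The records below are constructed; the attribute
# names and msDS-SupportedEncryptionTypes bit values are the real AD ones.
from datetime import datetime, timedelta, timezone

DES = 0x01 | 0x02           # DES-CBC-CRC, DES-CBC-MD5
RC4 = 0x04                  # RC4-HMAC (etype 23): key = unsalted NT hash
AES = 0x08 | 0x10           # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96
ACCOUNTDISABLE = 0x0002     # userAccountControl flag
MAX_PASSWORD_AGE = timedelta(days=365)                      # assumed policy
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",  # assumed watch-list
                     "Administrators", "Account Operators", "Backup Operators"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def audit_account(acct: dict, now: datetime) -> list:
    """Return the reasons this account is a Kerberoasting risk (empty list means fine)."""
    if acct["objectClass"] in ("computer", "msDS-GroupManagedServiceAccount"):
        return []   # long random keys rotated by the domain: not crackable at password strength
    if not acct.get("servicePrincipalName"):
        return []   # without an SPN no service ticket can be requested for the account
    if acct["userAccountControl"] & ACCOUNTDISABLE:
        return []   # the KDC does not issue service tickets for disabled accounts
    findings = []
    etypes = acct.get("msDS-SupportedEncryptionTypes")
    if not etypes:
        findings.append("msDS-SupportedEncryptionTypes unset: etype falls back to the domain default, historically RC4")
    elif etypes & (RC4 | DES):
        findings.append("RC4/DES still enabled: an attacker can request a cheap-to-crack ticket")
    elif not etypes & AES:
        findings.append("no AES key types enabled")
    age = now - filetime_to_datetime(acct["pwdLastSet"])
    if age > MAX_PASSWORD_AGE:
        findings.append(f"password last set {age.days} days ago; move to a gMSA or rotate it")
    privileged = PRIVILEGED_GROUPS & set(acct.get("memberOf", []))
    if privileged:
        findings.append("privileged membership: " + ", ".join(sorted(privileged)))
    return findings


def audit(accounts, now: datetime) -> dict:
    """Map sAMAccountName -> findings for every account that has at least one finding."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


def _acct(name, cls, spns, etypes, pwd_set, uac, groups=()):
    return {"sAMAccountName": name, "objectClass": cls, "servicePrincipalName": spns,
            "msDS-SupportedEncryptionTypes": etypes,
            "pwdLastSet": datetime_to_filetime(datetime(*pwd_set, tzinfo=timezone.utc)),
            "userAccountControl": uac, "memberOf": list(groups)}


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
# Constructed export, the shape of what an LDAP query for (servicePrincipalName=*) returns
ACCOUNTS = [
    _acct("svc_sql", "user", ["MSSQLSvc/sql01.corp.local:1433"], None, (2019, 6, 1), 0x10200, ["Domain Admins"]),
    _acct("svc_web", "user", ["HTTP/intranet.corp.local"], AES, (2024, 1, 15), 0x200),
    _acct("svc_old", "user", ["CIFS/old.corp.local"], RC4 | AES, (2016, 2, 1), 0x202),
    _acct("gmsa_sched$", "msDS-GroupManagedServiceAccount", ["HOST/sched01.corp.local"], AES, (2024, 2, 20), 0x200),
    _acct("FS01$", "computer", ["HOST/fs01.corp.local"], AES, (2024, 2, 1), 0x1000),
]

if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS, NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

In this data only svc_sql is reported: its encryption types are unset, its password has not changed in years (0x10200 is NORMAL_ACCOUNT with DONT_EXPIRE_PASSWORD), and it sits in Domain Admins, which is exactly the account an attacker hopes to roast. svc_web is AES-only with a fresh password and no privileges, and the gMSA, the computer account and the disabled svc_old are skipped because no crackable ticket can be obtained for them.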

Don’t just wait around for cyber attacks to happen. Have a plan of action!

