Kerberoasting Attacks

Kerberoasting Attacks – 7 Effective Ways To Prevent an Attack on Windows


A Kerberoasting attack is an attack technique that abuses the Kerberos authentication process used by Microsoft Active Directory.

In this attack, malicious actors use purpose-built tools to request encrypted Kerberos service tickets from the domain. Once obtained, they attempt to crack these tickets offline to recover the password that protects them, and then use that password to gain access to information stored within the network.

Such attacks are known for letting the attacker impersonate a user so that sensitive information can be obtained. In this article, we will explore the concept of Kerberoasting attacks and the potential risks they pose.


Understanding the Connection between Kerberos and Service Accounts

Service accounts are user accounts that run services on Windows systems. They often have elevated privileges, such as Domain Admin rights, which enable them to perform tasks.

When hackers request service tickets for service accounts from the Kerberos Key Distribution Center (KDC), they receive encrypted tickets that are protected by the password hash of the service account concerned.

Hackers then run offline brute-force attacks to crack these password hashes and gain entry into the system.
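The two properties this section links together, an account that has an SPN and an account that holds elevated rights, are exactly what a defender should audit for. The following is an added example and is not code from the PureVPN article: it runs a risk audit over a constructed export of Active Directory user attributes. The dataclass fields, the sample accounts and the one-year password-age threshold are assumptions made for the example; the bit values for msDS-SupportedEncryptionTypes (RC4 0x4, AES128 0x8, AES256 0x10) are the documented Windows values, and an unset attribute (0) is treated here as "AES not enabled".

```python
"""Audit AD service accounts for Kerberoasting risk (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Bit values of the msDS-SupportedEncryptionTypes attribute.
RC4_HMAC = 0x4
AES128 = 0x8
AES256 = 0x10

# Groups whose members should never be ordinary SPN-bearing user accounts (assumption).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_PASSWORD_AGE = timedelta(days=365)  # assumed policy for service account rotation


@dataclass
class AdUser:
    sam_account_name: str
    service_principal_names: list[str]
    member_of: set[str]
    supported_enc_types: int          # 0 = attribute not set
    pwd_last_set: datetime


def audit_user(user: AdUser, now: datetime) -> list[str]:
    """Return findings for one account; an empty list means no SPN-related risk."""
    if not user.service_principal_names:
        return []  # no SPN, so no service ticket can be requested for this account
    findings = []
    privileged = user.member_of & PRIVILEGED_GROUPS
    if privileged:
        findings.append("SPN account is a member of: " + ", ".join(sorted(privileged)))
    if not (user.supported_enc_types & (AES128 | AES256)):
        findings.append("AES not enabled in msDS-SupportedEncryptionTypes; RC4 tickets likely")
    age = now - user.pwd_last_set
    if age > MAX_PASSWORD_AGE:
        findings.append(f"password last set {age.days} days ago")
    return findings


def audit_directory(users: list[AdUser], now: datetime) -> dict[str, list[str]]:
    """Map each at-risk account name to its findings; clean accounts are omitted."""
    return {u.sam_account_name: f for u in users if (f := audit_user(u, now))}


# Constructed sample export: three accounts, only svc_sql is a risky target.
NOW = datetime(2023, 10, 30, tzinfo=timezone.utc)
SAMPLE_USERS = [
    AdUser("svc_sql", ["MSSQLSvc/db01.corp.example:1433"], {"Domain Admins"}, 0,
           NOW - timedelta(days=900)),
    AdUser("svc_web", ["HTTP/web01.corp.example"], {"Domain Users"}, AES256 | AES128,
           NOW - timedelta(days=30)),
    AdUser("jdoe", [], {"Domain Users"}, 0, NOW - timedelta(days=700)),
]

if __name__ == "__main__":
    for account, findings in audit_directory(SAMPLE_USERS, NOW).items():
        print(account)
        for finding in findings:
            print("  -", finding)
```

In a real environment the `SAMPLE_USERS` list would be replaced by an LDAP or PowerShell export of the same attributes; the logic stays the same, and the three findings on `svc_sql` (privileged group, no AES, stale password) are the conditions that turn a cracked ticket into domain-wide access.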

Types of Kerberoasting Attacks 


Kerberoasting attacks come in several forms. They range from SPN scanning, to service account password cracking (Kerberoasting proper), to persistence attacks. Let’s have a look at them.

SPN Scanning

SPN scanning is a reconnaissance technique attackers use to identify services running on a network.

Attackers send requests to the Kerberos Key Distribution Center (KDC) for specific SPN types. In response, the KDC produces a list of services corresponding to the requested SPN type.

SPN and Kerberoasting

In this type, attackers crack service account passwords. After requesting service tickets for specific SPNs from the Kerberos Key Distribution Center (KDC), attackers extract from each ticket the portion that is encrypted with the service account’s password hash.

Offline attacks, such as dictionary or brute-force attacks, can then be used to recover the passwords.

Persistent Attacks

In persistent attacks, attackers retain access to the victim’s system and network even after being detected or removed.

They employ various strategies to maintain this persistence, chiefly Silver and Golden Tickets.

  • Silver Tickets

In silver ticket attacks, forged Kerberos TGS (Ticket-Granting Service) tickets are used. By forging TGS tickets, attackers can access any user or service on the network.

They use these silver tickets to keep accessing the compromised network even after being removed from it.

With silver tickets, hackers can crack the password of the host service account. This is followed by creating a new scheduled task and gaining access to the hash of the KRBTGT account.

Once the attacker has the hash of the KRBTGT account, they can create a Golden Ticket.

  • Golden Tickets

Golden Tickets are commonly used in privilege escalation attacks. Golden tickets are forged Ticket-Granting Tickets (TGTs) that can be used to access any resource on the network.

After gaining access to the network, attackers use Golden Tickets to operate at the domain administrator level.

Attackers can create a Golden Ticket once the Kerberos Key Distribution Center (KDC) has been compromised.

These tickets are extremely dangerous as they grant attackers complete network access and control. 

Hackers can then conduct as many malicious activities as they want within the compromised network. It becomes an easy task to steal data, install malware, or even disrupt a network. 

Famous Kerberoasting Attacks

Let’s have a look at some of the famous Kerberoasting attacks.

Operation Wocao

During Operation Wocao, hackers used PowerSploit’s Invoke-Kerberoast module to obtain authentication material in the form of encrypted service tickets.

Brute force was then used to recover the login credentials of these service accounts. The passwords were weak and commonly shared among multiple accounts.

After guessing the passwords, they compromised the network.


Solorigate Backdoor Incident

It is the most famous Kerberoasting attack. Attackers in the Solorigate Backdoor Incident obtained unauthorized access to the victim’s private information.

They were also able to move laterally within the victim’s network.

It is believed the attackers belonged to the APT29 group and deployed the highly sophisticated backdoor known as Solorigate.

The cyber attack targeted various organizations, including government agencies and technology companies. To achieve their objectives, the attackers used Kerberoasting to crack service account passwords.

FIN7 Threat Group

The FIN7 threat group also used Kerberoasting to steal service account login credentials and then spread across the entire network.

What Possible Threats Can Occur Due To Kerberoasting Attack?

After gaining access to the victim’s system and network, the attacker can plan and execute multiple malicious activities. A few are mentioned below. 

Elevate Privileges

A bad actor holding a service ticket can gain elevated privileges on the network by pretending to be someone else.

Once they hold that key, they can access data and information that would otherwise have been impossible to obtain.

For example, bad actors can gain administrative access with the Kerberos tickets. This way, they can monitor every system on the network and install malware or steal data.

DDoS Attacks

As mentioned above, hackers can gain administrative access to a network and exploit it as they wish.

They can launch denial-of-service (DoS) attacks. DDoS attackers overwhelm the system by burdening it with more traffic than it can handle.

Directing Users to Malicious Websites

Attackers who succeed with Kerberoasting pose as a legitimate user of the network. They exploit the victim’s system and send contaminated data to other users on that network.

When those users click on the infected links, they are directed to a malicious website.

Once a user lands on the attacker’s chosen site, they become vulnerable to information loss and further computer-based attacks.

Injecting Malware (Trojans)

Users within the network are directed to malicious websites that contain irrelevant and misleading content. From the same websites, users may also download malicious files onto their systems.

Trojans are the most common malware attackers use to steal your information. A Trojan runs silently in the background without anybody’s knowledge.

Bad actors can then exploit the system, extract sensitive data, and spy on the victim.

How To Prevent Kerberoasting Attacks: 7 Effective Ways

Here is how to stay safe:

  1. Implement Kerberos Constrained Delegation (KCD)

Users can protect themselves and their networks by implementing KCD. It limits the services for which an account may obtain Kerberos tickets on behalf of others.

Organizations with KCD can allow a web server to pass its Kerberos access rights on to a database server, but only for a specific database.

The web server will be unable to use that access against other databases or other areas of the network. This keeps all operations under control and in check.

  2. Deception Technology

Kerberoasting attacks can be countered using deception technology. It uses decoys, lures, and bait to defend against Kerberoasting attacks.

It creates fake accounts whose service tickets can be requested from the Kerberos authentication service, while monitoring the activity against them.

Furthermore, it also detects attempts to crack passwords. If an attacker targets a decoy, it alerts the security team. The alert provides information about the attack and the techniques used, so that it can be tracked down.

However, deception technology is not a complete solution, and organizations must use a combination of security measures.
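Both the SPN-scanning and password-cracking stages described earlier and the decoy-account monitoring described in this item leave the same trace on a domain controller: security event 4769, "A Kerberos service ticket was requested". The following is an added example, not code from the article or from any deception product, that runs three detections over a handful of constructed 4769 records: a request for a decoy account, a request for an RC4 ticket (encryption type 0x17) for a user service account, and one requester asking for many distinct services in a short window. The field names TargetUserName, ServiceName, TicketEncryptionType and IpAddress are the ones Windows uses in 4769; the pipe-delimited line format, the decoy account name, the thresholds and all sample values are assumptions for this example.

```python
"""Detect Kerberoasting indicators in constructed Windows 4769 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

DECOY_ACCOUNTS = {"svc_backup_legacy"}   # honey service accounts; assumed unused by anything legitimate
RC4_HMAC = 0x17                          # TicketEncryptionType value for RC4-HMAC
BURST_THRESHOLD = 5                      # distinct services per requester within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=5)

# Constructed sample records: time|TargetUserName|ServiceName|TicketEncryptionType|IpAddress
SAMPLE_EVENTS = """\
2023-10-30T09:00:01|alice@CORP.EXAMPLE|WS01$|0x12|10.0.0.21
2023-10-30T09:00:05|alice@CORP.EXAMPLE|svc_sql|0x12|10.0.0.21
2023-10-30T09:12:00|bob@CORP.EXAMPLE|svc_sql|0x17|10.0.0.45
2023-10-30T09:12:01|bob@CORP.EXAMPLE|svc_web|0x17|10.0.0.45
2023-10-30T09:12:01|bob@CORP.EXAMPLE|svc_sharepoint|0x17|10.0.0.45
2023-10-30T09:12:02|bob@CORP.EXAMPLE|svc_backup_legacy|0x17|10.0.0.45
2023-10-30T09:12:02|bob@CORP.EXAMPLE|svc_exchange|0x17|10.0.0.45
"""


def parse_4769(line):
    """Split one pipe-delimited record into a dict; etype is parsed from its hex form."""
    ts, user, service, etype, ip = line.split("|")
    return {"time": datetime.fromisoformat(ts), "user": user, "service": service,
            "etype": int(etype, 16), "ip": ip}


def is_user_service(name):
    """Computer accounts ($) and krbtgt are not Kerberoasting targets, so skip them."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect(lines):
    """Return a list of (rule, requester, detail) alerts for the given records."""
    events = [parse_4769(l) for l in lines if l.strip()]
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        if not is_user_service(e["service"]):
            continue
        if e["service"] in DECOY_ACCOUNTS:
            alerts.append(("decoy_spn_requested", e["user"], e["service"]))
        if e["etype"] == RC4_HMAC:
            alerts.append(("rc4_ticket_for_user_account", e["user"], e["service"]))
        per_user[e["user"]].append(e)
    # Burst rule: one requester asking for many distinct services within the window.
    for user, evs in per_user.items():
        evs.sort(key=lambda x: x["time"])
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["time"] - start["time"] <= BURST_WINDOW]
            distinct = {x["service"] for x in window}
            if len(distinct) >= BURST_THRESHOLD:
                alerts.append(("spn_request_burst", user, len(distinct)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(*alert)
```

The decoy rule is the high-confidence one: nothing legitimate should ever ask for a ticket to a honey account, so a single hit is worth an alert on its own. The RC4 rule is noisy in domains that still issue RC4 tickets for legitimate reasons and is best combined with the burst rule, which catches the pattern of a single client requesting tickets for every SPN-bearing account in quick succession.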

  3. Network Segmentation

Hackers spread laterally through a network after a successful Kerberoasting attack. Network segmentation lets you divide your network, and the data on it, into multiple parts so that no single part is overloaded.

This ensures that each segment holds only the data it has the capacity and size for, and the flow of data stays smooth.

Several layers are created across your network, and it becomes challenging for any hacker to break into your system, because they would have to get through every segment to reach the core control systems of your network.

This division acts as a safety barrier for your data.

  4. Air Gapping

Air gapping can be used to mitigate the risk of Kerberoasting attacks. In this method, you keep your sensitive data separate from other data, in a place hackers cannot reach.

This way, that particular system or data is air-gapped and has no automatic access to other networks.

One example would be moving an entire system into an area that is isolated from the rest of your LANs.

  5. Endpoint Protection

Endpoint protection can be installed in each segment. Even if hackers enter the network, they will be unable to manipulate the data because of this additional security control.

Firewalls are commonly used to protect endpoints. Firewalls create a barrier between your network and external forces.

They refuse to process requests sent by the hacker and block them.

  6. Two-Factor Authentication

Two-factor authentication protects your system by asking for an additional code when someone outside the network tries to log in to your account.

A code is sent to you whenever someone attempts an unauthorized login from a different location or device.

When you enable two-factor authentication on your account, you receive the code either on your mobile number or at your email address.

Even after guessing your password, hackers cannot enter your account, because this additional information adds a further layer of security.

  7. Use a VPN

Having a reliable VPN is always a good idea for base-level security.

A VPN provides anonymity, masks your IP address, and offers encryption that improves your chances of not being affected by cyber attacks, including Kerberoasting.

Stay Safe, Not Sorry 

Kerberoasting attacks are a dangerous threat to your network security. Attackers take advantage of vulnerabilities within the system to compromise your sensitive data. 

Thus, you should implement stringent protection measures against Kerberoasting attacks to safeguard your network from potential threats.

Author: Marrium Akhtar

Date: October 30, 2023

Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
