Kerberoasting¶

Attack to extract service account credential hashes from AD for offline cracking
Attacker only interacts with the KDC (DC), not with services

Requirements for an attacker to request an ST
- Valid domain account (control over a user's machine or knowing a user's password)
  - The user does not need permissions for the target service (any account can request STs for any service)
- Connection to KDC
- SPN of target services (Attacker can query AD to find SPNs of services)
Possible encryption algorithms used for ticket encryption
- DES (not supported since 2008 R2 / Windows 7)
- RC4 (MD4 for key derivation) \(\leftarrow\) best option for brute force
- AES128 (PBKDF2 for key derivation)
- AES256 (PBKDF2 for key derivation)
Used algorithm depends on domain level, config, account type etc.
KDC will always choose the highest mutually supported algorithm
When requesting a ticket, the client specifies which algorithms it supports \(\rightarrow\) Downgrade attack is possible (DC older than WinServer 2019)
- Downgrade attack even works, if the target account is configured to use AES only
- With WinServer 2019, DCs ignore the clients cipher proposals

Long passwords
Restrict privileges of service account
Only configure SPNs if required
Use group managed service accounts (GMSA), that offer automatic password management
Configure strong encryption: No DES / RC4 (relevant in WinServer 2019 and higher)
Implement monitoring and check for excessive ticket requesting, especially with RC4