What is Kerberoasting?
Kerberoasting is an attack against Kerberos in which an unprivileged domain user attempts to recover the passwords of Active Directory service accounts.
When a user wishes to authenticate to a service, the KDC returns a TGS ticket containing data encrypted with a key derived from the service account's password. It is therefore possible to attempt to crack these tickets to recover the service account password. The attack tends to succeed when the service runs under a normal user account (as opposed to a managed or machine account), because password complexity and rotation then rest solely with the individual who set it.
In addition, it is not uncommon for these service accounts to hold elevated privileges, so the technique can yield very good results as a privilege escalation path. Nowadays, however, awareness is growing, and it is increasingly common to find mitigations that eliminate the risk of this vector, as well as detection measures such as the use of decoy accounts.
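As an added example (not Tarlogic's code), the detection side described above as a small Python heuristic: it scans constructed Windows Security event 4769 records (service ticket requested) and flags RC4 (0x17) ticket requests for user-account SPNs, any request for an assumed decoy service account, and a burst of distinct SPNs requested by one user in a short window. The records, the account names and the decoy list are all constructed for illustration.

```python
"""Detection heuristics for Kerberoasting over Windows Security event 4769
(service ticket requested). Added example, not Tarlogic's code; the log
records below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records: who requested which SPN, with which ticket
# encryption type (0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96).
EVENTS = [
    {"time": "2024-03-01T09:00:01", "user": "alice", "service": "sqlsvc", "etype": "0x17"},
    {"time": "2024-03-01T09:00:02", "user": "alice", "service": "websvc", "etype": "0x17"},
    {"time": "2024-03-01T09:00:03", "user": "alice", "service": "backupsvc", "etype": "0x17"},
    {"time": "2024-03-01T09:00:04", "user": "alice", "service": "reportsvc", "etype": "0x17"},
    {"time": "2024-03-01T09:00:05", "user": "alice", "service": "sqlsvc-decoy", "etype": "0x17"},
    {"time": "2024-03-01T09:10:00", "user": "bob", "service": "FILESRV01$", "etype": "0x12"},
    {"time": "2024-03-01T09:11:00", "user": "bob", "service": "sqlsvc", "etype": "0x12"},
]

# Assumed decoy account: it carries an SPN but backs no real service, so any
# ticket request for it is suspicious on its own.
DECOY_ACCOUNTS = {"sqlsvc-decoy"}

def is_roastable(ev):
    """Service backed by a user account (no trailing '$'), excluding krbtgt."""
    svc = ev["service"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"

def detect(events, window=timedelta(minutes=5), threshold=3):
    """Return alerts: decoy hits, RC4 tickets, and bursts of distinct
    roastable SPNs requested by one user inside `window`."""
    alerts = []
    per_user = defaultdict(list)
    for ev in events:
        if not is_roastable(ev):
            continue  # machine accounts and krbtgt are not Kerberoasting targets
        if ev["service"] in DECOY_ACCOUNTS:
            alerts.append(("decoy_request", ev["user"], ev["service"]))
        if ev["etype"] == "0x17":
            alerts.append(("rc4_ticket", ev["user"], ev["service"]))
        per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            distinct = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                alerts.append(("spn_burst", user, len(distinct)))
                break  # one burst alert per user is enough
    return alerts
```

Run `detect(EVENTS)` to see the seven alerts for the constructed data; only alice's activity fires, since bob's requests use AES and touch a machine account or a single SPN.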
Cybersecurity articles related to DCSync
Tarlogic’s website features a number of technical articles on cybersecurity that are related to DCSync.
- Kerberos (I): How does Kerberos work? – Theory
- Kerberos (II): How to attack Kerberos?
- Kerberos (III): How does delegation work?
- N-day exploit: Kerberos EoP in Linux environments
- Kerberos tickets: Comprehension and exploitation