Kerberoasting is an attack technique that lets an attacker crack the passwords of service accounts in Windows Active Directory offline, considerably reducing the chance of being detected.
To understand how Kerberoasting attacks work, it’s helpful to know something about the Kerberos implementation in Windows. Oliver Kunz explains the fundamental concepts in his article Kerberos Key Distribution Center Proxy. In short, when a user logs in, they receive a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC). The TGT is signed by the krbtgt account and serves as the user’s proof of identity. With the TGT the user can request service tickets (TGS) for specific resources within the domain. Part of a TGS is encrypted with the NT hash (NTLM hash) of the service account for the requested resource. Windows uses service principal names (SPNs) to identify which service account’s key is used to encrypt the TGS. There are two kinds of SPNs:
- Host-based SPNs that are linked to the computer account
- SPNs that have been linked with a domain user account
Host-based SPNs are of no use in Kerberoasting attacks, because they belong to computer accounts, and a computer account in Active Directory has a randomly generated 128-character password that is changed every 30 days. But if an SPN is registered on a domain user account, for example to run Microsoft SQL Server instances, then the NT hash of that user’s password is used. If the service account has a weak password, the attacker has a good chance of cracking it.
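The distinction above (computer accounts with rotated random passwords versus user accounts carrying an SPN) is exactly what a defender should audit for. The following is an added example, not code from the original article: it triages a set of constructed directory records, shaped like the LDAP attributes a query for SPN-bearing accounts would return, and reports why each one is exposed. The helper names (`kerberoast_exposure`, `audit`) and the sample accounts are this example’s own assumptions; the `msDS-SupportedEncryptionTypes` bit values are the ones Microsoft documents.

```python
"""Triage which Active Directory accounts are exposed to Kerberoasting.

Added example (not from the original article). The records in ACCOUNTS are
constructed to resemble LDAP attributes; in practice they would come from a
directory query for objects with a servicePrincipalName. Function names are
hypothetical.
"""
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags as documented by Microsoft
DES_CRC, DES_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10

# Constructed reference time so the example is reproducible offline
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample records (not real accounts)
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": None,            # attribute unset
     "pwdLastSet": datetime(2019, 1, 15, tzinfo=timezone.utc), "adminCount": 1},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256,  # AES only
     "pwdLastSet": datetime(2024, 3, 1, tzinfo=timezone.utc), "adminCount": 0},
    {"sAMAccountName": "gmsa_app$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HTTP/app01.corp.example"],
     "msDS-SupportedEncryptionTypes": AES256,
     "pwdLastSet": datetime(2024, 5, 20, tzinfo=timezone.utc)},
    {"sAMAccountName": "jdoe", "objectClass": "user", "servicePrincipalName": [],
     "pwdLastSet": datetime(2020, 1, 1, tzinfo=timezone.utc)},
]


def rc4_allowed(enc_types):
    """True if the account may be issued RC4 (NT-hash keyed) tickets.

    An unset or zero attribute falls back to the legacy default, which still
    permits RC4, so it is treated as exposed.
    """
    if not enc_types:
        return True
    return bool(enc_types & (RC4_HMAC | DES_CRC | DES_MD5))


def kerberoast_exposure(account, now=NOW):
    """Return the reasons an account is a Kerberoasting target ([] if none)."""
    reasons = []
    # Computer and group-managed service accounts get long random passwords
    # that are rotated automatically, so they are not worth roasting.
    if account.get("objectClass") in ("computer", "msDS-GroupManagedServiceAccount"):
        return reasons
    # Without an SPN no service ticket can be requested for the account.
    if not account.get("servicePrincipalName"):
        return reasons
    reasons.append("user account with SPN")
    if rc4_allowed(account.get("msDS-SupportedEncryptionTypes")):
        reasons.append("RC4 (NT-hash keyed) tickets permitted")
    age = now - account["pwdLastSet"]
    if age > timedelta(days=365):
        reasons.append(f"password {age.days} days old")
    if account.get("adminCount") == 1:
        reasons.append("privileged (adminCount=1)")
    return reasons


def audit(accounts, now=NOW):
    """Map each exposed account name to its list of exposure reasons."""
    result = {}
    for acct in accounts:
        reasons = kerberoast_exposure(acct, now)
        if reasons:
            result[acct["sAMAccountName"]] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in audit(ACCOUNTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

In this constructed set only the two ordinary user accounts with SPNs are reported; the gMSA and the SPN-less user are skipped. The remediation order the output suggests is the usual one: move the service to a gMSA where possible, otherwise restrict the account to AES encryption types, set a long random password, and remove unnecessary privileges.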
Any domain user can request a TGS from a domain controller for any service that has a registered SPN. When the TGS is created, the domain controller does not check whether the requesting user is authorized to access the respective resource; in the Windows Kerberos implementation that authorization check is left to the service itself. Because the ticket is encrypted with the NT hash of the service account, an attacker can take it offline and try to recover the service account’s password from it.
In a nutshell, a Kerberoasting attack allows any valid domain account to request a Kerberos service ticket for any service and then use the ticket for offline password cracking attempts.
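Since the ticket requests themselves are legitimate Kerberos traffic, the detection opportunity lies in their pattern: one account requesting tickets for many different non-machine SPNs in a short time, typically with the RC4 encryption type (0x17), because RC4 tickets are keyed directly from the NT hash. The following is an added example, not part of the original article: it runs that rule over constructed JSON renderings of Windows Security event 4769 (a Kerberos service ticket was requested). The window, threshold and function names are this example’s own assumptions, not a vendor-provided rule.

```python
"""Flag Kerberoasting-like bursts in Windows Security event 4769 logs.

Added example (not from the original article). SAMPLE_LOG is a constructed
JSON-lines rendering of event 4769; the detection thresholds and function
names are hypothetical choices for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four RC4 (0x17) requests from one user within 30 seconds,
# one failed request from the same user, and ordinary AES (0x12) traffic.
SAMPLE_LOG = """
{"TimeCreated": "2024-06-01T09:00:01Z", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.5.23"}
{"TimeCreated": "2024-06-01T09:00:05Z", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.5.23"}
{"TimeCreated": "2024-06-01T09:00:12Z", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.5.23"}
{"TimeCreated": "2024-06-01T09:00:30Z", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_ftp", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.5.23"}
{"TimeCreated": "2024-06-01T09:00:40Z", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_hr", "TicketEncryptionType": "0x17", "Status": "0x7", "IpAddress": "10.0.5.23"}
{"TimeCreated": "2024-06-01T09:01:00Z", "EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.5.41"}
{"TimeCreated": "2024-06-01T09:02:00Z", "EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.5.41"}
{"TimeCreated": "2024-06-01T09:03:00Z", "EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.7.9"}
"""

RC4_ETYPES = {"0x17", "0x18"}       # RC4-HMAC and RC4-HMAC-EXP
WINDOW = timedelta(minutes=5)       # assumed sliding window
DISTINCT_SPN_THRESHOLD = 3          # assumed alert threshold


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime under 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_roastable_request(ev):
    """Successful RC4 service-ticket request for a non-machine, non-krbtgt SPN."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == 4769
            and ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() in RC4_ETYPES
            and not svc.endswith("$")          # computer accounts are not targets
            and svc.lower() != "krbtgt")


def detect(events):
    """One alert per requester whose largest WINDOW covers >= threshold distinct SPNs."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        best, start = None, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            services = {e["ServiceName"] for e in window}
            if len(services) >= DISTINCT_SPN_THRESHOLD and (
                    best is None or len(services) > len(best["services"])):
                best = {"user": user, "source_ip": evs[end]["IpAddress"],
                        "services": sorted(services),
                        "first": window[0]["ts"], "last": window[-1]["ts"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(f"{alert['user']} from {alert['source_ip']} requested "
              f"{len(alert['services'])} SPNs between {alert['first']} and {alert['last']}: "
              f"{', '.join(alert['services'])}")
```

On the sample the only alert is for the account that pulled tickets for four different service accounts in under a minute; the single RC4 request and the AES-only traffic stay below the threshold. In a real deployment the threshold needs tuning against the environment’s baseline, and a domain that has moved its service accounts to AES-only tickets can make any successful RC4 request for a user SPN alert-worthy on its own.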