{"id":471,"date":"2019-04-09T18:21:56","date_gmt":"2019-04-09T18:21:56","guid":{"rendered":"http:\/\/blog.redforce.io\/?p=471"},"modified":"2024-12-14T15:24:05","modified_gmt":"2024-12-14T15:24:05","slug":"oh-my-kerberos-do-not-get-kerberoasted","status":"publish","type":"post","link":"https:\/\/blog.redforce.io\/oh-my-kerberos-do-not-get-kerberoasted\/","title":{"rendered":"Oh, My Kerberos! Do Not Get Kerberoasted!"},"content":{"rendered":"<blockquote>\n<p style=\"text-align: center\">Part of an upcoming series that tries to shed light on attacks targeting the Microsoft Kerberos implementation in Active Directory environments.<\/p>\n<\/blockquote>\n<h3 style=\"text-align: center\"><span class=\"ez-toc-section\" id=\"Introduction_and_Brief_History\"><\/span>Introduction and Brief History<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In Greek myth, Cerberus guards the gates of the Underworld: a huge three-headed dog with a snake for a tail. Back in our world, the MIT computer scientists who designed the Kerberos network authentication protocol borrowed both the name and the image. Kerberos uses symmetric-key cryptography and relies on a trusted third party to verify user identities, so every authentication involves three parties (the client, the service and the trusted key server), and the protocol has a long track record of making networked computing safer; the name fits. Today Kerberos is the most widely deployed authentication and authorization system in corporate networks, because it is the basis of Active Directory security: Windows is the front door to the network for most corporate users, and Kerberos (through Windows) is usually the first choice for single sign-on.<\/p>\n<p>Before explaining <strong>how Kerberos works<\/strong>, here are a few terms you may not be familiar with.<\/p>\n<h3 style=\"text-align: center\"><span class=\"ez-toc-section\" id=\"Service_Principal_Names_SPNs\"><\/span>Service Principal Names (SPNs)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><strong>SPN Purpose<\/strong><\/p>\n<p>A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service on a given host. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use to reach it: an SPN always includes the name of the host on which the service instance runs, so a service instance normally registers one SPN for each name or alias of its host. The SPN is also what ties the service to the account that runs it: when the KDC issues a ticket for an SPN, it encrypts that ticket with the long-term key of the account on which the SPN is registered, and that link is exactly what Kerberoast exploits.<\/p>\n<p><strong>SPN Format<\/strong><\/p>\n<p><strong><em>serviceclass<\/em>\/<em>host<\/em>:<em>port<\/em>\/<em>servicename<\/em><\/strong><\/p>\n<p><em>serviceclass<\/em> and <em>host<\/em> are required; <em>port<\/em> and <em>servicename<\/em> are optional. 
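<\/p>\n<p>The parser below is an added example (it is not code from the original post). It applies the syntax just described, accepting the colon only together with a port and flagging NetBIOS hosts that may not be unique in the forest, and then performs the selection that matters later in this post: it keeps only the SPNs registered on user accounts, the ones whose tickets are encrypted with a human-chosen password, which is the same user-object filter PowerView's Get-NetUser -SPN applies. The SPN strings, account names and directory records in it are constructed sample data, and so is the simplification that a dotted host name is a DNS name.<\/p>

```python
"""SPN parsing and target selection for serviceclass/host[:port][/servicename].
Added example, not code from the original post. Every SPN, account name and
directory record below is constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SPN:
    serviceclass: str
    host: str
    port: Optional[int] = None
    servicename: Optional[str] = None

    @property
    def host_is_fqdn(self) -> bool:
        """A dotted host is taken as a DNS name. An undotted one is a NetBIOS name,
        which is not guaranteed unique in the forest, so the SPN may not be unique."""
        return "." in self.host

    def __str__(self) -> str:
        text = f"{self.serviceclass}/{self.host}"
        if self.port is not None:
            text += f":{self.port}"        # the colon appears only when a port is present
        if self.servicename is not None:
            text += f"/{self.servicename}"
        return text


def parse_spn(text: str) -> SPN:
    """Split an SPN into its elements and reject strings the syntax does not allow."""
    parts = text.split("/", 2)             # servicename (a DN, DNS name, ...) is kept verbatim
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"serviceclass and host are required: {text!r}")
    serviceclass, hostport = parts[0], parts[1]
    servicename = parts[2] if len(parts) == 3 else None
    if servicename == "":
        raise ValueError(f"trailing slash without a servicename: {text!r}")
    host, port = hostport, None
    if ":" in hostport:
        host, port_text = hostport.rsplit(":", 1)
        valid_port = port_text.isascii() and port_text.isdigit() and 1 <= int(port_text) <= 65535
        if not host or not valid_port:
            raise ValueError(f"port must be a TCP/UDP port number after a host: {text!r}")
        port = int(port_text)
    return SPN(serviceclass, host, port, servicename)


def roastable_spns(directory: List[Tuple[str, str, List[str]]]) -> List[Tuple[str, SPN]]:
    """From (sAMAccountName, objectClass, servicePrincipalName values) records, keep
    the SPNs whose service ticket is encrypted with a key derived from a user
    account's password. Computer accounts are skipped (long random passwords,
    rotated automatically) and so is krbtgt, for the same reason."""
    targets = []
    for sam, object_class, spns in directory:
        if object_class != "user" or sam.lower() == "krbtgt":
            continue
        targets.extend((sam, parse_spn(raw)) for raw in spns)
    return targets


# Constructed sample of what an LDAP query for servicePrincipalName might return.
DIRECTORY = [
    ("SERVER7$", "computer", ["HOST/SERVER7.corp.local", "HOST/SERVER7"]),
    ("WORKSTATION03$", "computer", ["TERMSRV/WORKSTATION03.corp.local"]),
    ("svc_sql", "user", ["MSSQLSvc/SQLSERVER2.corp.local:1433", "MSSQLSvc/SQLSERVER2:1433"]),
    ("krbtgt", "user", ["kadmin/changepw"]),
    ("svc_web", "user", ["HTTP/intranet.corp.local/corp.local"]),
]

if __name__ == "__main__":
    for sam, spn in roastable_spns(DIRECTORY):
        note = "" if spn.host_is_fqdn else "  (NetBIOS host: may not be unique)"
        print(f"{sam:10} {spn}{note}")
```

<p>Running it lists the three roastable SPNs and marks MSSQLSvc\/SQLSERVER2:1433 as a NetBIOS-host registration. The parse step matters operationally: the host element is what a client (or an attacker) names when asking the KDC for a ticket, a duplicated SPN breaks ticket issuance for that name, and the account the SPN is registered on is what you end up cracking.<\/p>\n<p>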
The colon between <em>host<\/em> and <em>port<\/em> is only required when a port is present.<\/p>\n<p>The following table describes each element of the format:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Element<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>serviceclass<\/td>\n<td>A string that identifies the general class of service, for example &#8220;SqlServer&#8221;. There are well-known service class names, such as &#8220;www&#8221; for a web service or &#8220;ldap&#8221; for a directory service. In general this can be any string that is unique to the service class. Because the SPN syntax uses a forward slash (\/) to separate elements, that character cannot appear in a service class name.<\/td>\n<\/tr>\n<tr>\n<td>host<\/td>\n<td>The name of the computer on which the service is running. This can be a fully qualified DNS name or a NetBIOS name. NetBIOS names are not guaranteed to be unique in a forest, so an SPN that contains a NetBIOS name may not be unique.<\/td>\n<\/tr>\n<tr>\n<td>port<\/td>\n<td>An optional TCP or UDP port number that distinguishes multiple instances of the same service class on a single host. Omit it if the service uses the default port for its service class.<\/td>\n<\/tr>\n<tr>\n<td>servicename<\/td>\n<td><p>An optional name used in the SPNs of a replicable service to identify the data or services it provides, or the domain it serves. It can have one of the following formats:<\/p>\n<ul>\n<li>The distinguished name or objectGUID of an object in Active Directory Domain Services, such as a service connection point (SCP).<\/li>\n<li>The DNS name of the domain, for a service that serves the domain as a whole.<\/li>\n<li>The DNS name of an SRV or MX record.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Examples of SPN registrations:<\/p>\n<ul>\n<li><strong>HOST\/SERVER7.corp.local<\/strong> &#8211; any service running on the computer with hostname SERVER7.corp.local.<\/li>\n<li><strong>TERMSRV\/WORKSTATION03.corp.local<\/strong> &#8211; the Remote Desktop Protocol (RDP) service running on the computer with hostname WORKSTATION03.corp.local.<\/li>\n<li><strong>MSSQLSvc\/SQLSERVER2.corp.local:1433<\/strong> &#8211; the SQL Server instance listening on SQLSERVER2.corp.local, port 1433.<\/li>\n<\/ul>\n<h3 style=\"text-align: center\"><span class=\"ez-toc-section\" id=\"Key_Distribution_Center\"><\/span><strong>Key Distribution Center<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The Key Distribution Center (KDC) is implemented as a domain service. It uses Active Directory as its account database and the Global Catalog for directing referrals to KDCs in other domains.<\/p>\n<p>As in other implementations of the Kerberos protocol, the KDC is a single process that provides two services:<\/p>\n<ul>\n<li>Authentication Service (AS)<\/li>\n<\/ul>\n<p>This service issues ticket-granting tickets (TGTs) for connection to the ticket-granting service in its own domain or in any trusted domain. Before a client can ask for a ticket to another computer, it must request a TGT from the authentication service in the client's account domain. The authentication service returns a TGT for the ticket-granting service in the target computer's domain. The TGT can be reused until it expires, but the first access to any domain's ticket-granting service always requires a trip to the authentication service in the client's account domain.<\/p>\n<ul>\n<li>Ticket-Granting Service (TGS)<\/li>\n<\/ul>\n<p>This service issues tickets for connection to computers in its own domain. When clients want access to a computer, they contact the ticket-granting service in the target computer's domain, present a TGT, and ask for a ticket to the computer. The ticket can be reused until it expires, but the first access to any computer always requires a trip to the ticket-granting service in the target computer's account domain.<\/p>\n<p>The KDC for a domain is located on a domain controller, as is the Active Directory database for the domain. Both services are started automatically by the domain controller's <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/ms721592(v=VS.85).aspx\"><em>Local Security Authority<\/em><\/a> (LSA) and run as part of the LSA's process. Neither service can be stopped. If the KDC is unavailable to network clients, then Active Directory is also unavailable, and the domain controller is no longer controlling the domain. The system ensures availability of these and other domain services by allowing each domain to have several domain controllers, all peers. Any domain controller can accept authentication requests and ticket-granting requests addressed to the domain's KDC.<\/p>\n<h3 style=\"text-align: center\"><span class=\"ez-toc-section\" id=\"How_Kerberos_Works\"><\/span><strong>How Kerberos Works?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><img class=\"aligncenter size-medium\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/04\/Visio-KerberosComms.png\" alt=\"Kerberos authentication flow between client, KDC and service\" width=\"1197\" height=\"597\" \/><\/p>\n<p style=\"text-align: center\">&#8220;Borrowed from <a href=\"https:\/\/twitter.com\/PyroTek3?lang=en\">Sean Metcalf<\/a>&#8221; &#8211; <a href=\"https:\/\/blog.redforce.io\/oh-my-kerberos-do-not-get-kerberoasted\/#Refernces\">Reference<\/a><\/p>\n<p>The user logs on with username and password.<\/p>\n<ol>\n<li>a. The password is converted into the user's Kerberos key (for RC4-HMAC this is simply the NT hash; for AES it is derived from the password and a salt with PBKDF2), a timestamp is encrypted with that key and sent to the KDC as pre-authentication data in the TGT request (AS-REQ).<br \/>\nb. The domain controller (KDC) checks the user's information (logon restrictions, group membership, etc.) and creates a ticket-granting ticket (TGT).<\/li>\n<li>The TGT is encrypted, signed and delivered to the user (AS-REP). <em>Only the Kerberos service (KRBTGT) in the domain can open and read TGT data.<\/em><\/li>\n<li>The user presents the TGT to the DC when requesting a ticket-granting service (TGS) ticket (TGS-REQ). The DC opens the TGT and validates the PAC checksum: if the DC can open the ticket and the checksum checks out, the TGT is valid. The data in the TGT is effectively copied to create the TGS ticket.<\/li>\n<li>The TGS ticket is encrypted with the target service account's long-term key, which for RC4-HMAC is the account's NT hash, and sent to the user (TGS-REP). This is the step Kerberoast targets: the ticket leaves the KDC encrypted under a key that is a direct function of the service account's password.<\/li>\n<li>The user connects to the server hosting the service on the appropriate port and presents the TGS ticket (AP-REQ). The service opens the ticket with its own long-term key.<\/li>\n<\/ol>\n<h3 style=\"text-align: center\"><span class=\"ez-toc-section\" id=\"What_is_the_difference_between_Kerberos_and_NTLM\"><\/span><strong>What is the difference between Kerberos and NTLM?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Before Kerberos, Microsoft used an authentication technology called NTLM. NTLM stands for NT LAN Manager; it is a challenge\/response authentication protocol and was the default authentication protocol of Windows NT 4.0 and earlier. Starting with Windows 2000, Kerberos became the default authentication protocol for domain logons, and every Windows version since then ships a Kerberos authentication provider alongside the NTLM one, which Microsoft still supports for backward compatibility and which Windows falls back to whenever Kerberos cannot be used (for example when a service is addressed by IP address and no SPN matches).<\/p>\n<p>The biggest difference between the two is the trusted third party and the stronger cryptography in Kerberos: the KDC verifies the client's identity and issues tickets, instead of each server challenging the client directly in an NTLM exchange that can be relayed. This extra step provides a significant additional layer of security over NTLM.<\/p>\n<h3 style=\"text-align: center\"><span class=\"ez-toc-section\" id=\"What_is_Kerberoast\"><\/span><strong>What is Kerberoast?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The Microsoft implementation of Kerberos can be a bit complicated. The attack takes advantage of legacy Active Directory support for older Windows clients (the RC4-HMAC encryption type) and of the key material used to encrypt and sign Kerberos tickets. Essentially, when a domain account is configured to run a service in the environment, such as MS SQL, a Service Principal Name (SPN) is registered in the domain to associate the service with that logon account. When a user wants to use the service, they receive a Kerberos service ticket encrypted with the service account's long-term key, which for RC4-HMAC is the NT hash of the account's plaintext password. Remember that merely requesting this ticket does not grant access to the requesting user: it is up to the server\/service to decide whether the user should be given access. <a href=\"https:\/\/files.sans.org\/summit\/hackfest2014\/PDFs\/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf\">Tim Medin (the researcher who discovered Kerberoast)<\/a> realised that because of this, and because the encrypted part of a TGS ticket requested for an SPN is protected with the NT hash of the service account's plaintext password, anyone holding the ticket can guess that password offline until a guess decrypts it. The process of cracking Kerberos service tickets and then rewriting them in order to gain access to the targeted service is called Kerberoast. At <a href=\"https:\/\/redforce.io\">RedForce<\/a> we use this attack often in our red team engagements, as it doesn't require any interaction with the service: we can request and export the service ticket, which can later be cracked offline without fear of detection. 
The aim is to recover the service account's plaintext password. Because service tickets are encrypted with a key derived directly from that password, any authenticated domain user, with no domain admin or local admin rights, just the least-privileged domain account there is, can collect the &#8220;hashes&#8221; of every service account that has an SPN without ever getting a shell on the system that runs the service.<\/p>\n<h3 style=\"text-align: center\"><span class=\"ez-toc-section\" id=\"Launching_the_Attack\"><\/span><strong>Launching the Attack<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>There are multiple ways to request a TGS ticket: enumerate SPNs with the built-in <strong>setspn.exe<\/strong> (<strong>setspn -T corp.local -Q *\/*<\/strong>) and request a ticket for each with the .NET <strong>KerberosRequestorSecurityToken<\/strong> class, or use PowerShell or Python tooling (impacket's <strong>GetUserSPNs.py<\/strong> does the whole job from a non-Windows host). Luckily, thanks to <a href=\"https:\/\/twitter.com\/harmj0y\">harmj0y<\/a>, the PowerShell Empire project contains a script called <strong>Invoke-Kerberoast.ps1<\/strong>, which first identifies all user accounts with SPNs using PowerView's <strong>Get-NetUser -SPN<\/strong> and then requests the associated TGS ticket for each service account using PowerView's <strong>Get-SPNTicket<\/strong>. The ticket can be output directly in hashcat format (mode 13100, Kerberos 5 TGS-REP etype 23) for offline cracking.<\/p>\n<p><img class=\"aligncenter wp-image-483\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2019\/04\/invoke-kerberostat.png\" alt=\"Invoke-Kerberoast output in hashcat format\" width=\"864\" height=\"497\" \/><\/p>\n<p>After dumping the hash we proceed to crack it with hashcat.<\/p>\n<p><img class=\"aligncenter wp-image-496\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2019\/04\/1-1.png\" alt=\"hashcat cracking the Kerberoast hash\" width=\"849\" height=\"560\" \/><\/p>\n<p><img class=\"aligncenter wp-image-484\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2019\/04\/2.png\" alt=\"hashcat result with the recovered service account password\" width=\"848\" height=\"632\" \/><\/p>\n<p>Now that we have successfully cracked the hash, we can go ahead and perform more in-depth reconnaissance on the compromised service account using BloodHound, which revealed that it is already a privileged account in the domain and can be used for lateral movement, leading to the compromise of more systems across the domain.<\/p>\n<p><a href=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2019\/04\/blod2.png\"><img class=\"alignnone wp-image-482 size-full\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2019\/04\/blod2.png\" alt=\"BloodHound graph for the compromised service account\" width=\"1920\" height=\"1017\" \/><\/a><\/p>\n<h3 style=\"text-align: center\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><strong>Conclusion<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Kerberoast is an effective technique for a red teamer who holds nothing more than the privileges of an ordinary domain user. Depending on the strength of the passwords, and since people tend to choose poor ones, an attacker can quickly gain access to the service account and move laterally to launch additional attacks. The ticket request itself cannot be prevented, because any authenticated user may ask for a ticket to any SPN, but the attack can be made unprofitable and visible:<\/p>\n<ul>\n<li>Give service accounts long random passwords (25+ characters) or, better, use Group Managed Service Accounts (gMSA), whose 240-byte random passwords are rotated automatically.<\/li>\n<li>Configure service accounts for AES only (the msDS-SupportedEncryptionTypes attribute) so their tickets are not issued with RC4-HMAC; AES keys come from a salted, iterated PBKDF2 and crack orders of magnitude slower.<\/li>\n<li>Remove SPNs from accounts that do not need them, and do not give service accounts domain admin or other high privileges, so that a cracked password is not an immediate domain compromise.<\/li>\n<li>Watch for the request: each TGS-REQ is logged on the domain controller as security event 4769, and one account requesting tickets for many SPNs with ticket encryption type 0x17 (RC4) in a short time is the classic Kerberoast pattern.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Refernces\"><\/span><strong>References<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>[1] https:\/\/technet.microsoft.com\/en-us\/library\/ee681663.aspx<br \/>\n[2] https:\/\/technet.microsoft.com\/en-us\/library\/ff405676.aspx<br \/>\n[3] https:\/\/github.com\/BloodHoundAD\/SharpHound<br \/>\n[4] https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/Microsoft.powershell.utility\/convertfrom-sddlstring<br \/>\n[5] https:\/\/adsecurity.org\/?p=2293<br \/>\n[6] https:\/\/medium.com\/@robert.broeckelmann\/kerberos-and-windows-security-series-59282e0f9465<br \/>\n[7] https:\/\/www.sans.org\/cyber-security-summit\/archives\/file\/summit-archive-1493862736.pdf<br \/>\n[8] https:\/\/www.youtube.com\/watch?v=HHJWfG9b0-E<br \/>\n[9] https:\/\/blogs.technet.microsoft.com\/askds\/2008\/03\/06\/kerberos-for-the-busy-admin\/<br \/>\n[10] https:\/\/www.scip.ch\/en\/?labs.20181011<br \/>\n[11] https:\/\/www.beneaththewaves.net\/Projects\/Mimikatz_20_-_Brute-Forcing_Service_Account_Passwords.html<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; Part of an upcoming series trying to shed the light on attacks targeting Microsoft 
Kerberos implementation in Active Directory &#8230;<\/p>\n","protected":false},"author":7,"featured_media":472,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[62,61],"tags":[51,50,55,56,58,60,59,41,42,40,44,54,52,57,53,46,45,48,49,47,43],"class_list":["entry","author-hatem","post-471","post","type-post","status-publish","format-standard","has-post-thumbnail","category-active-directory","category-red-teaming","tag-active-directory","tag-ad","tag-authentication","tag-cerberos","tag-cracking","tag-hash","tag-hashcat","tag-kerberoasted","tag-kerberoasting","tag-kerberos","tag-microsoft","tag-mimikatz","tag-operation","tag-pentest","tag-powershell","tag-red-teaming","tag-redteam","tag-service","tag-service-accounts","tag-spn","tag-windows"],"_links":{"self":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/471","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/comments?post=471"}],"version-history":[{"count":17,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/471\/revisions"}],"predecessor-version":[{"id":499,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/471\/revisions\/499"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/media\/472"}],"wp:attachment":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/media?parent=471"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/categories?post=471"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/tags?post=471"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}