 
Kerberos is a network authentication protocol designed to provide secure and encrypted authentication between users and services. It uses a ticket-based system to verify identities without transmitting passwords over the network. Developed by MIT, Kerberos is widely used in Windows Active Directory and other enterprise environments. It relies on a Key Distribution Center (KDC) to issue tickets, ensuring secure authentication and preventing credential theft through replay attacks.
Kerberoasting is a post-exploitation attack in Active Directory.
Attackers use this technique to steal service account passwords without needing administrator privileges.
1. Understanding Kerberos
   - Kerberos is a network authentication protocol used in Windows AD.
   - It uses tickets to authenticate users instead of sending passwords over the network.
2. How Kerberoasting Works
   - Service accounts run various applications in AD (e.g., SQL Server, Web Apps).  
   - The passwords of these accounts are stored as NTLM hashes, and those hashes are used to encrypt service tickets (TGS tickets).
   - Attackers request a service ticket, extract the hash, and try to crack it offline to recover the password.
3. Tools Used for Kerberoasting
   - Impacket (Python-based) → `GetUserSPNs.py` script
   - Rubeus (C# tool for Kerberos attacks)
   - Mimikatz (Windows post-exploitation tool)
4. Why is this dangerous?
   - If the service account has weak credentials, an attacker can easily crack the hash and use the recovered password to move laterally in the network.
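
The ticket requests described under "How Kerberoasting Works" are logged on domain controllers as Event ID 4769, and a burst of RC4-encrypted (type `0x17`) tickets for several service accounts from one requester is a common detection signal. The following is an added example, not part of the original page: the sample events, account names, five-minute window and threshold of three services are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # etype 23: ticket key derives from the account's NT hash
WINDOW = timedelta(minutes=5)  # assumed correlation window
THRESHOLD = 3                  # assumed: distinct services per requester per window

def _ev(time, user, service, etype, status="0x0"):
    """Build one record using Event ID 4769 field names."""
    return {"time": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}

# Constructed sample data, not real logs.
EVENTS = [
    _ev("2024-05-01T10:00:01", "alice@CORP.EXAMPLE", "svc_sql", "0x12"),     # AES, normal
    _ev("2024-05-01T10:02:10", "bob@CORP.EXAMPLE", "svc_sql", "0x17"),
    _ev("2024-05-01T10:02:11", "bob@CORP.EXAMPLE", "svc_web", "0x17"),
    _ev("2024-05-01T10:02:13", "bob@CORP.EXAMPLE", "svc_backup", "0x17"),
    _ev("2024-05-01T10:05:00", "carol@CORP.EXAMPLE", "svc_sql", "0x17"),     # single request
    _ev("2024-05-01T10:05:02", "carol@CORP.EXAMPLE", "FILESRV01$", "0x17"),  # machine account
    _ev("2024-05-01T09:00:00", "dave@CORP.EXAMPLE", "svc_sql", "0x17"),      # spread over 1 h
    _ev("2024-05-01T09:30:00", "dave@CORP.EXAMPLE", "svc_web", "0x17"),
    _ev("2024-05-01T10:00:00", "dave@CORP.EXAMPLE", "svc_backup", "0x17"),
]

def suspicious_requesters(events, window=WINDOW, threshold=THRESHOLD):
    """Return {requester: sorted services} for accounts that obtained RC4 service
    tickets for at least `threshold` distinct services inside one window."""
    per_user = defaultdict(list)
    for ev in events:
        svc = ev["ServiceName"]
        if ev["Status"] != "0x0" or ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue  # failed requests and AES tickets are not counted
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and krbtgt use long random passwords
        per_user[ev["TargetUserName"]].append((datetime.fromisoformat(ev["time"]), svc))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                flagged[user] = sorted(services)
                break
    return flagged

if __name__ == "__main__":
    for user, services in suspicious_requesters(EVENTS).items():
        print(f"possible Kerberoasting: {user} requested RC4 tickets for {services}")
```

Tune the window and threshold against your own baseline, since legacy applications that still negotiate RC4 will otherwise show up as noise.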