
Kerberoasting is a post-exploitation attack in Active Directory.
Attackers use this technique to steal service account passwords without needing administrator privileges.
1. Understanding Kerberos
- Kerberos is a network authentication protocol used in Windows AD.
- It uses tickets to authenticate users instead of sending passwords over the network.
2. How Kerberoasting Works
- Service accounts run various applications in AD (e.g., SQL Server, Web Apps).
- The passwords of these accounts are stored as NTLM hashes, and those hashes are used to encrypt service tickets (TGS tickets).
- Attackers request a service ticket, extract the hash, and try to crack it offline to recover the password.
3. Tools Used for Kerberoasting
- Impacket (Python-based) → `GetUserSPNs.py` script
- Rubeus (C# tool for Kerberos attacks)
- Mimikatz (Windows post-exploitation tool)
4. Why is this dangerous?
- If the service account has weak credentials, an attacker can easily crack the hash and use it to move laterally in the network.
Question 1.
Which authentication protocol does Kerberoasting exploit?
Question 2.
Which ticket is extracted in a Kerberoasting attack?
Question 3.
What type of Windows account is targeted?
Question 4.
What is the attacker's main goal in Kerberoasting?
Question 5.
What encryption type is commonly used in Kerberos tickets?
Question 6.
What privilege level is required for Kerberoasting?
Question 7.
Which AD attribute is linked to Kerberoasting?
Question 8.
Which hashing algorithm is cracked in Kerberoasting?
Question 9.
Which Kerberos component issues service tickets?
Question 10.
What default port does Kerberos use?
Question 11.
Which Impacket script is used for Kerberoasting?
Question 12.
Which C# tool performs Kerberoasting?
Question 13.
Which tool extracts Kerberos tickets from memory?
Question 14.
Which Mimikatz command lists Kerberos tickets?
Question 15.
Which tool cracks Kerberoasted hashes?
Question 16.
Which Rubeus command extracts TGS tickets?
Question 17.
What PowerShell command lists SPNs?
Question 18.
Which event ID logs Kerberos ticket requests?
Question 19.
Which protocol helps prevent Kerberos replay attacks?
Question 20.
What Windows service handles Kerberos authentication?
Question 21.
What is a strong defense against Kerberoasting?
Question 22.
Which security policy reduces Kerberoasting risk?
Question 23.
Which Windows feature detects Kerberoasting attempts?