Kerberoasting is a cyber attack that targets service accounts authenticated with the Kerberos protocol. An attacker requests service tickets for those accounts, which are encrypted with a hash of the account's password, and cracks that hash offline to recover the plaintext password. These attacks are prevalent because they are difficult to notice and mitigate: the cracking happens off the network, where no defender can see it. Without detection and prevention techniques in place, Kerberoasting is a serious threat because it lets cybercriminals compromise highly privileged accounts and set up persistent access for later use.
Continue reading to learn more about Kerberoasting attacks and how you can protect your accounts against them.
What Is Kerberos?
Before understanding what Kerberoasting attacks are, you must first understand what Kerberos is and how it works. Kerberos is a computer network authentication protocol that verifies the identity of users through a ticket-granting service. The system consists of three main entities: the client, the server and a Key Distribution Center (KDC).
Kerberos is the default authentication protocol built into Windows Active Directory (AD) environments. It is also used in other popular operating systems such as Apple macOS, Linux and FreeBSD.
How Do Kerberoasting Attacks Work?
Understanding the inner process of Kerberoasting attacks is crucial when putting prevention techniques into action. Here are the typical steps an attacker takes to infiltrate service accounts.
1. Compromising an account
The attacker first targets a weak service account associated with a Service Principal Name (SPN), a unique identifier that ties a service instance to the account it runs under. Attackers go after accounts with SPNs because Kerberos uses the SPN to identify which service, and therefore which account's key, a service ticket is issued for.
2. Requesting multiple tickets
The attacker then leverages the compromised account, acting as its user, to request numerous service tickets from the Key Distribution Center (KDC), the service that controls who can access the network.
3. Decrypting the password and brute force attacking
Once the attacker receives a ticket from the Ticket Granting Service (TGS), they save it and use a variety of offline tools and techniques to recover the password, since part of the ticket is encrypted with the service account's password hash. Brute force techniques are the usual method: the attacker tries numerous password candidates until one produces the matching hash.
4. Gaining full access to the server
After an attacker successfully enters the account, they can access the networks, resources, information and data available to it. In most cases, attackers then grant themselves higher privileges so they can reach more sensitive data, perform malicious actions and set up back doors for future access.
How To Detect Kerberoasting
Detecting Kerberoasting attacks as early as possible can help minimize the damage. Here are two signs to watch out for that may indicate a Kerberoasting attack.
RC4 encryption
RC4 is one of the most common stream ciphers because of its simplicity and speed. Attackers typically request service tickets encrypted with RC4 because its Kerberos key is the account's password hash itself, which makes the ticket much faster to brute force offline than an AES-encrypted ticket. Therefore, when you see ticket requests encrypted with RC4, the first step you should take is to disable RC4 for Kerberos authentication immediately.
Unusual number of TGS requests
An unusual number of ticket-granting service (TGS) requests should be investigated immediately. A good practice is to establish a baseline of normal request volume per user so that abnormal spikes stand out. This gives your monitoring better structure and improves security overall.
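The two detection signs above can be turned into concrete checks over Windows Security event ID 4769 ("A Kerberos service ticket was requested"). The script below is an added example, not code from the original post or from Keeper: it flags service tickets issued with RC4-HMAC (TicketEncryptionType 0x17) and it flags any requester that asks for tickets to more distinct services in a short window than its baseline allows. The event records, user and service names, IP addresses and the baseline are all constructed for the example; the field names match the 4769 event XML.

```python
"""Kerberoasting hunt over constructed Windows event ID 4769 records.
Check 1: service tickets issued with RC4-HMAC (TicketEncryptionType 0x17).
Check 2: one requester asking for tickets to many distinct services in a
short window, compared against a per-user baseline."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17            # etype of an RC4-HMAC service ticket
AES_ETYPES = {0x11, 0x12}  # AES128 / AES256-CTS-HMAC-SHA1-96

ALICE, BOB = "alice@CORP.EXAMPLE.COM", "bob@CORP.EXAMPLE.COM"


def _ev(ts, user, service, etype, status=0x0, ip="10.0.1.15"):
    """Build one constructed 4769 record with the fields the checks use."""
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status, "IpAddress": ip}


# Constructed log: alice behaves normally; bob requests RC4 tickets for six
# service accounts within three minutes, the pattern a roasting tool leaves.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:01", ALICE, "svc-sql01", 0x12),
    _ev("2024-05-01T09:00:05", ALICE, "WS01$", 0x12),       # computer account: ignored
    _ev("2024-05-01T09:02:10", ALICE, "krbtgt", 0x12),      # TGT renewal: ignored
    _ev("2024-05-01T09:04:00", ALICE, "svc-web01", 0x12),
    _ev("2024-05-01T09:05:00", BOB, "svc-sql01", RC4_HMAC, ip="10.0.5.77"),
    _ev("2024-05-01T09:05:02", BOB, "svc-sql02", RC4_HMAC, ip="10.0.5.77"),
    _ev("2024-05-01T09:05:03", BOB, "svc-web01", RC4_HMAC, ip="10.0.5.77"),
    _ev("2024-05-01T09:06:30", BOB, "svc-backup", RC4_HMAC, ip="10.0.5.77"),
    _ev("2024-05-01T09:07:10", BOB, "svc-sccm", RC4_HMAC, ip="10.0.5.77"),
    _ev("2024-05-01T09:07:45", BOB, "svc-fs01", RC4_HMAC, ip="10.0.5.77"),
    _ev("2024-05-01T09:08:00", BOB, "svc-missing", RC4_HMAC, status=0x7, ip="10.0.5.77"),  # failed: ignored
]

# Constructed baseline: distinct services a user normally touches per window.
BASELINE = {ALICE: 2, BOB: 1}


def is_roastable(ev):
    """Keep successful requests for user-style service accounts only: computer
    accounts ($) have long random passwords and krbtgt is the TGT service."""
    svc = ev["ServiceName"]
    return ev["Status"] == 0 and svc.lower() != "krbtgt" and not svc.endswith("$")


def rc4_ticket_requests(events):
    """Check 1: every RC4 service ticket deserves a look, because the requester
    chooses the etype whenever RC4 is still enabled for the account."""
    return [ev for ev in events
            if is_roastable(ev) and ev["TicketEncryptionType"] == RC4_HMAC]


def volume_outliers(events, baseline, window_minutes=10, tolerance=2):
    """Check 2: for each user, the largest number of distinct services requested
    inside any sliding window, reported only if it exceeds baseline + tolerance."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    outliers = {}
    for user, reqs in by_user.items():
        reqs.sort()
        limit = baseline.get(user, 1) + tolerance
        for i, (start, _) in enumerate(reqs):
            distinct = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(distinct) > limit:
                outliers[user] = max(len(distinct), outliers.get(user, 0))
    return outliers


def hunt(events, baseline):
    """Run both checks and summarise who should be investigated."""
    rc4 = rc4_ticket_requests(events)
    return {
        "rc4_requesters": sorted({(ev["TargetUserName"], ev["IpAddress"]) for ev in rc4}),
        "rc4_ticket_count": len(rc4),
        "volume_outliers": volume_outliers(events, baseline),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_EVENTS, BASELINE).items():
        print(f"{key}: {value}")
```

On a real estate the baseline comes from a few weeks of 4769 history per user rather than a hand-written dictionary, and the RC4 check only stays noisy until RC4 is actually disabled; once it is, any 0x17 ticket is an alert on its own.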
How To Prevent Kerberoasting
Kerberoasting attacks can seem intimidating but do not fret, there are several ways to protect yourself and your organization against them. Here are five best practices to avoid these attacks.
Create strong passwords
One of the easiest and most effective ways to prevent Kerberoasting is to use strong passwords since passwords are usually the first target for cyber attacks. Having a solid foundational barrier makes it harder for attackers and makes your organization less vulnerable. A strong password should be unique, complex and long. Using a simple password that contains personal information or common sequences may be easy to remember, but it is considered a weak password. Weak passwords can be easily cracked, increasing the risk of getting hacked.
A strong password should include a random combination of numbers, letters and symbols. Consider using a password manager, a tool designed to prevent compromised accounts by generating and securely storing all your passwords in one place.
Enable MFA
Multi-Factor Authentication (MFA) is an extra layer of security that requires users to provide an additional proof of identity beyond their username and password. This extra step reduces the overall risk of a security breach. There are several types of authentication factors, such as a one-time code, biometric authentication, geographic location or a security question. Since many people use weak passwords, enabling MFA is an extra measure to keep your account safe.
Follow the Principle of Least Privilege (PoLP)
Following the principle of least privilege is a fundamental concept because it limits users’ access to only their essential system resources and functions. By carefully managing certain access rights and permissions, organizations reduce the risk of breaches and the potential impact of one if it’s successful.
Identity Security Strategy
A strong identity and access management strategy is a comprehensive framework and set of standard practices that help protect an organization. It can contain policies and procedures to ensure that only authorized individuals have access to the organization’s services. One common way to approach this strategy is implementing a Privileged Access Management (PAM) solution. PAM solutions focus on restricting and monitoring an organization’s privileged accounts that have access to sensitive information. Instead of manually managing these privileged users, PAM offers a more productive and simple solution.
Avoid Kerberoasting Attacks With Keeper
With one weak password and lack of surveillance, Kerberoasting attackers can easily gain access to critical accounts and cause significant damage to your organization. In today’s cybersecurity environment, safeguarding against Kerberoasting attacks is vital for preserving sensitive information.
Keeper’s next-generation PAM solution, KeeperPAM™, enables organizations to keep track of and protect every privileged user by combining Enterprise Password Management (EPM), Keeper Secrets Management (KSM) and Keeper Connection Management (KCM) into a single platform.
To see how KeeperPAM can keep your organization protected against Kerberoasting attacks, request a demo today.