CAPEC-509 Detail

Kerberoasting

Abstraction: Detailed | Domain: Software | Typical Severity: High

Parents: 652

Threats: T71 T75 T279 T283 T385 T388 T398 T402

Description

Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and then to access the requested services. As an authenticated user, the adversary may send a request to Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it to disk, the adversary can brute force the hashed value to reveal the target account's credentials.

External ID | Source                | Link                                                                                              | Description
CAPEC-509   | capec                 | https://capec.mitre.org/data/definitions/509.html                                                 |
CWE-522     | cwe                   | http://cwe.mitre.org/data/definitions/522.html                                                    |
CWE-308     | cwe                   | http://cwe.mitre.org/data/definitions/308.html                                                    |
CWE-309     | cwe                   | http://cwe.mitre.org/data/definitions/309.html                                                    |
CWE-294     | cwe                   | http://cwe.mitre.org/data/definitions/294.html                                                    |
CWE-263     | cwe                   | http://cwe.mitre.org/data/definitions/263.html                                                    |
CWE-262     | cwe                   | http://cwe.mitre.org/data/definitions/262.html                                                    |
CWE-521     | cwe                   | http://cwe.mitre.org/data/definitions/521.html                                                    |
T1558.003   | ATTACK                | https://attack.mitre.org/wiki/Technique/T1558/003                                                 | Steal or Forge Kerberos Tickets: Kerberoasting
REF-559     | reference_from_CAPEC  | https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/             | Jeff Warren, Extracting Service Account Passwords with Kerberoasting, 2017-05-09
REF-585     | reference_from_CAPEC  | https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/                           | Kerberoasting Without Mimikatz, 2016-11-01
REF-586     | reference_from_CAPEC  | https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/                             | Invoke-Kerberoast

Explore
  1. Scan for user accounts with set SPN values
     Techniques: These can be found via PowerShell or LDAP queries, as well as by enumerating startup name accounts and other means.
  2. Request service tickets
     Techniques: Using the user account's SPN value, request other service tickets from Active Directory.
Experiment
  1. Extract ticket and save to disk
     Techniques: Certain tools like Mimikatz can extract local tickets and save them to memory/disk.
Exploit
  1. Crack the encrypted ticket to harvest plain text credentials
     Techniques: Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack.

Prerequisites
  1. The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.
  2. The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).
  3. The adversary requires a brute force tool.
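Seen from the domain controller, the "request service tickets" step of the execution flow above shows up as a burst of Windows Security Event 4769 records, and the RC4 encryption named in the description shows up in that event's TicketEncryptionType field (0x17 is RC4-HMAC, 0x12 is AES256). The following Python is an added detection example, not part of the CAPEC entry or of any tool it references: it scores a list of 4769 records for those two signals. The field subset, the thresholds, and the sample records are assumptions constructed for this example.

```python
"""Score Windows Security Event 4769 ("A Kerberos service ticket was requested")
records for the two signals a Kerberoasting run leaves on a domain controller:
RC4-HMAC ticket encryption and one account requesting tickets for many distinct
service accounts in a short window. Thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                      # TicketEncryptionType value for RC4-HMAC
SPN_BURST_THRESHOLD = 5                # distinct services per account per window (assumed)
BURST_WINDOW = timedelta(minutes=5)    # sliding window length (assumed)

# Constructed sample events; field names follow the 4769 event schema. Not real logs.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:00:10", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:00:20", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:00:30", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sap",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:00:40", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_ctx",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:00:45", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",      "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:01:00", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_sql",    "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7"},
    {"time": "2024-01-10T09:02:00", "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"time": "2024-01-10T09:03:00", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "krbtgt",     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7"},
]


def _timestamp(event):
    return datetime.fromisoformat(event["time"])


def is_noise(service_name):
    """Ignore TGT requests (krbtgt) and computer accounts (trailing '$'): their
    keys are long random secrets, so they are not what this pattern targets."""
    name = service_name.lower()
    return name == "krbtgt" or name.endswith("$")


def find_rc4_requests(events):
    """Service tickets issued with RC4-HMAC for a non-computer service account.
    Once AES is enforced domain-wide, each hit deserves a look."""
    return [
        ev for ev in events
        if ev["TicketEncryptionType"].lower() == RC4_HMAC and not is_noise(ev["ServiceName"])
    ]


def find_spn_bursts(events, threshold=SPN_BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {account: sorted services} for every account that requested tickets
    for at least `threshold` distinct service accounts inside one `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if not is_noise(ev["ServiceName"]):
            by_account[ev["TargetUserName"]].append((_timestamp(ev), ev["ServiceName"]))
    findings = {}
    for account, requests in by_account.items():
        requests.sort()
        start = 0
        for end in range(len(requests)):
            # advance the window start until the span fits inside `window`
            while requests[end][0] - requests[start][0] > window:
                start += 1
            services = {svc for _, svc in requests[start:end + 1]}
            if len(services) >= threshold:
                findings[account] = sorted(services)
                break
    return findings


def detect(events):
    """Combine both signals into a list of findings suitable for alerting."""
    findings = [
        {"signal": "rc4_service_ticket", "account": ev["TargetUserName"],
         "service": ev["ServiceName"], "source": ev["IpAddress"]}
        for ev in find_rc4_requests(events)
    ]
    findings += [
        {"signal": "spn_burst", "account": account, "services": services}
        for account, services in find_spn_bursts(events).items()
    ]
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The RC4 signal only fires while the domain still issues RC4 tickets; once AES-only service accounts are the norm it becomes a precise low-volume alert, and the burst signal carries the load in the meantime. Both signals are the reason the usual hardening advice for this pattern is long random passwords (or group managed service accounts) on SPN-bearing user accounts and AES-only encryption types on them, which the CWE references above (CWE-521, CWE-308) point at.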

Likelihood of Attack: Medium

Consequences
  Confidentiality: Gain Privileges

Example Instances
  1. PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]