Steal or Forge Kerberos Tickets: Kerberoasting


Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.[1][2]Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service[3]).[4][5][6][7]Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).[1][2] Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials.

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable Identity ExposureActive DirectoryAuthenticated AD userLDAP/S(389/636)Domain User + SPNPlugin ID: 22-C-KERBEROS-CONFIG-ACCOUNT:R-KERB-WEAK-CONFIG-ACCOUNT
Tenable Identity ExposurePassword SyncActive DirectoryPrivileged AD userRPC (135 + high ports)User PasswordPlugin ID: 50-C-PASSWORD-HASHES-ANALYSIS:R-WEAK-USER-PASSWORD


Tenable Identity Exposure DCSync feature

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Sub-Technique: Kerberoasting

Platform: Windows

Products Required: Tenable Identity Exposure

Tenable Release Date: 2022 Q2