Cracking Service Account Passwords with Kerberoasting

Threat detection is a hot topic in security today. By now, most recognize it’s important to manage administrative rights and take a centralized approach to security so as not to mismanage (or lose track of) older systems and applications. However, today, there are new considerations. Kerberoasting has emerged as a way for attackers to exploit the Windows authentication protocol without needing access to an administrative account.

Kerberos’ legacy implementation in Active Directory is targeted as a key vulnerability by malicious actors. Kerberoasting in particular aims to crack the passwords of service accounts and can be effective by capitalizing on human nature: it is commonplace to create simple, easy-to-remember passwords, especially when they are shared. Keep in mind that the account used for the attack does not require admin rights; it simply has to be a valid domain user.

When a privileged domain account is configured to run a service in the environment, such as MS SQL, a Service Principal Name (SPN) is assigned in the domain to associate the service with that interactive service account. However, it’s important to remember that many service accounts historically have too many administrative rights. Any user, even the least privileged, who wants to use that specific resource receives a Kerberos ticket signed with an NTLM hash of the privileged account that is running the service.

This inherently creates a vulnerability: a malicious actor can take the Kerberos ticket offline to an attacking machine and apply password-cracking methods such as brute force, rainbow tables, etc., until the correct service account password is discovered. From there, the attacker can use that service account’s cleartext password to move laterally throughout the entire network.

To identify these types of vulnerabilities, CyberArk Labs has built a tool called Zbang, which allows organizations to scan and detect risks related to: Shadow admins, Risky SPNs, SID histories, Skeleton Keys and Delegation. Zbang helps organizations to map out where these types of vulnerabilities exist. That information can then be digested by IT admins and onboarded into the CyberArk Privileged Access Security Solution, which is able to detect suspicious activity occurring with service accounts, as well as highlight and manage these risky SPNs — accounts that are at high risk for a Kerberoasting attack.
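One way a defender could rank risky SPNs from a directory export is sketched below; this is an added example, not CyberArk's code and not a description of how Zbang works. The export columns, the privileged-group list, the scoring weights and the password-age threshold are all assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export (not real data): one row per account that has an SPN.
# enc_types mirrors the msDS-SupportedEncryptionTypes bitmask (0x4 = RC4, 0x8/0x10 = AES).
SAMPLE_EXPORT = """sam,spn,groups,password_last_set,enc_types
svc_sql,MSSQLSvc/db01.corp.example:1433,Domain Admins,2013-04-02,0
svc_web,HTTP/intranet.corp.example,Domain Users,2018-05-20,24
svc_backup,backup/bk01.corp.example,Backup Operators;Domain Users,2018-01-15,4
WEB01$,HOST/web01.corp.example,Domain Computers,2018-06-01,28
"""

# Assumed list of groups treated as privileged; adjust to the environment.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}
RC4 = 0x4
MAX_PASSWORD_AGE_DAYS = 365  # assumed policy threshold


def risky_spns(export_text, today):
    """Return [(score, account, reasons)] for user accounts with an SPN, riskiest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["sam"].endswith("$"):
            continue  # machine accounts use long random passwords, not human-chosen ones
        score, reasons = 0, []
        held = PRIVILEGED & set(row["groups"].split(";"))
        if held:  # a cracked password here hands over administrative rights
            score += 3
            reasons.append("privileged: " + ", ".join(sorted(held)))
        age = (today - date.fromisoformat(row["password_last_set"])).days
        if age > MAX_PASSWORD_AGE_DAYS:
            score += 2
            reasons.append(f"password is {age} days old")
        enc = int(row["enc_types"])
        # Assumption: an unset value (0) is treated as RC4 permitted, i.e. NTLM-hash keyed tickets.
        if enc == 0 or enc & RC4:
            score += 1
            reasons.append("RC4 tickets allowed")
        if score:
            findings.append((score, row["sam"], reasons))
    return sorted(findings, key=lambda f: (-f[0], f[1]))


if __name__ == "__main__":
    for score, account, reasons in risky_spns(SAMPLE_EXPORT, date(2018, 7, 1)):
        print(f"{score}  {account:<12} {'; '.join(reasons)}")
```

Accounts at the top of the list are the first candidates for long random passwords, reduced group membership and rotation.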

In the demo video below, we walk through a Red Team / Blue Team example of a real-time Kerberoasting attack. The Red Team member uses John the Ripper, a frequently used open-source tool, to crack a service account password and gain unauthorized access. The Blue Team member then leverages CyberArk Privileged Threat Analytics to detect this malicious behavior and stop the attack from causing irrevocable damage to the network.

Request a live demo to see CyberArk Privileged Threat Analytics in action. We’ll also demonstrate Kerberoasting during CyberArk Impact 2018 in Boston from July 16-18th:

  • Deep Dive on Kerberoasting and Other Kerberos Attacks
  • More Zbang for the zBuck: How Zbang Can Be Used to Discover Hidden Risks

For more information about the Zbang tool, please reach out to your Account Team and they will be happy to provide further details and deliver the tool.


The post Cracking Service Account Passwords with Kerberoasting appeared first on CyberArk.

About CyberArk
CyberArk is the only security company that proactively stops the most advanced cyber threats – those that exploit insider privileges to attack the heart of the enterprise. The company has pioneered a new category of targeted security solutions to lock down privileged accounts and protect against cyber threats before attacks can escalate and do irreparable business damage. CyberArk is trusted by the world’s leading companies – including more than 40 of the Fortune 100 – to protect their highest value information assets, infrastructure and applications, while ensuring tight regulatory compliance and audit requirements.