Kerberos is a strong authentication protocol that can be used over an open, unprotected network. Despite its strength, there are several attacks that can be carried out against Kerberos, which are as follows:
Kerberoasting is a post-exploitation attack technique. In this attack, the attacker has already compromised an authenticated user account in a domain and targets service accounts in Active Directory. Each service account has a Service Principal Name (SPN), a unique name given to each service instance in a domain. The attacker discovers the SPNs in the domain and requests a Service Ticket (ST) from the Ticket Granting Service (TGS) for each SPN obtained; the TGS sends back the ST. The attacker collects many STs for different SPNs in the domain. Part of each ST is encrypted with the service account's password hash (NTLM hash). The attacker then uses offline password-cracking tools such as Hashcat and John the Ripper to recover the service account password from each ST. With the recovered password, the attacker can gain access to systems in the domain.
Reference: MITRE ATT&CK – Steal or Forge Kerberos Tickets: Kerberoasting, Sub-technique T1558.003
AS-REP Roasting is a post-exploitation Credential Access technique in which the attacker targets a user's password. Pre-authentication is the step during the initial Kerberos authentication phase where the client proves knowledge of the password to the Authentication Server (AS), not just the username. In the Authentication Server Request (AS-REQ), the client sends the username together with a timestamp encrypted using the NTLM password hash. The AS looks up the user by username and then decrypts the timestamp using the NTLM password hash retrieved from its database; if the timestamp decrypts correctly, authentication is considered successful. For user accounts on which pre-authentication is not enabled, the client only sends the username, which serves for identification but not authentication. For such accounts, the attacker sends an AS-REQ without the password-based pre-authentication and receives the AS-REP from the Authentication Server, which consists of the Ticket Granting Ticket (TGT) and the Client/TGS Session Key encrypted with the client's NTLM password hash. The encrypted session key can then be cracked offline with password crackers such as Hashcat and John the Ripper to recover the user's password.
Reference: MITRE ATT&CK – Steal or Forge Kerberos Tickets: AS-REP Roasting, Sub-technique T1558.004
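Both techniques above leave a trace on the domain controller that a defender can look for: Kerberoasting shows up as one account requesting service tickets (event 4769) for many different service accounts in a short time, typically with the RC4 encryption type (0x17) that crackers prefer, and AS-REP roasting shows up as a successful TGT request (event 4768) with pre-authentication type 0. The following detection logic is an added example written for this article, not code from the page or from MITRE. The event field names (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, Status, IpAddress) are those of the real Windows Security events; the flat key=value line format, the sample values, the CORP.LOCAL realm and the thresholds (5 distinct SPNs in 10 minutes) are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of domain-controller Security events, flattened to
# "key=value" pairs for this example (a real EVTX/XML export would be
# parsed into the same dictionary shape first).
# 4769 = service ticket (TGS) request, 4768 = TGT (AS) request.
SAMPLE_EVENTS = [
    "EventID=4769 TimeCreated=2024-05-01T09:00:01 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25",
    "EventID=4769 TimeCreated=2024-05-01T09:00:02 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25",
    "EventID=4769 TimeCreated=2024-05-01T09:00:02 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25",
    "EventID=4769 TimeCreated=2024-05-01T09:00:03 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_report TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25",
    "EventID=4769 TimeCreated=2024-05-01T09:00:03 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_mon TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25",
    # Normal activity: AES (0x12) tickets for one service and one machine account.
    "EventID=4769 TimeCreated=2024-05-01T09:05:00 TargetUserName=asmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.40",
    "EventID=4769 TimeCreated=2024-05-01T09:06:00 TargetUserName=asmith@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.40",
    # TGT issued without pre-authentication (PreAuthType=0) and with RC4.
    "EventID=4768 TimeCreated=2024-05-01T09:10:00 TargetUserName=legacyapp ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 Status=0x0 IpAddress=10.0.0.25",
    # Normal TGT: encrypted-timestamp pre-authentication (PreAuthType=2), AES.
    "EventID=4768 TimeCreated=2024-05-01T09:11:00 TargetUserName=asmith ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 Status=0x0 IpAddress=10.0.0.40",
]


def parse_event(line):
    """Turn one constructed key=value line into a dict with a parsed timestamp."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["TimeCreated"] = datetime.fromisoformat(fields["TimeCreated"])
    return fields


EVENTS = [parse_event(line) for line in SAMPLE_EVENTS]


def detect_kerberoasting(events, min_spns=5, window=timedelta(minutes=10)):
    """Flag accounts that obtain RC4 (0x17) service tickets for many distinct
    service accounts within a short window. Machine accounts (name$) and
    krbtgt are ignored because they are not what Kerberoasting targets."""
    requests_by_user = defaultdict(list)
    for e in events:
        if e["EventID"] != "4769" or e["Status"] != "0x0":
            continue
        if e["TicketEncryptionType"] != "0x17":
            continue
        service = e["ServiceName"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        requests_by_user[e["TargetUserName"]].append((e["TimeCreated"], service))

    alerts = []
    for user, requests in requests_by_user.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            # Distinct service accounts requested within `window` of this request.
            spns = {svc for t, svc in requests[i:] if t - start <= window}
            if len(spns) >= min_spns:
                alerts.append({"user": user, "distinct_spns": len(spns), "start": start})
                break  # one alert per user is enough
    return alerts


def detect_asrep_roasting(events):
    """Flag successful TGT requests made without pre-authentication.
    An RC4 reply is the case offline crackers target, so it is recorded too."""
    alerts = []
    for e in events:
        if e["EventID"] != "4768" or e["Status"] != "0x0":
            continue
        if e.get("PreAuthType") == "0":
            alerts.append({
                "user": e["TargetUserName"],
                "rc4": e["TicketEncryptionType"] == "0x17",
                "source": e["IpAddress"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(EVENTS):
        print("possible Kerberoasting:", alert)
    for alert in detect_asrep_roasting(EVENTS):
        print("TGT issued without pre-authentication:", alert)
```

The RC4 filter is a useful first cut but not sufficient on its own: in a domain where service accounts still have RC4 enabled, normal clients may also request RC4 tickets, and an attacker can request AES tickets and crack those more slowly. The distinct-SPN-count over a short window is the more robust signal for Kerberoasting; for AS-REP roasting, any account that appears with PreAuthType 0 is worth a review of why pre-authentication is disabled on it.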
Golden Ticket Attack is a post-exploitation attack technique. In this attack, the attacker already has privileged access to the domain controller. The attacker extracts the NTLM password hash used to encrypt TGTs with tools such as Mimikatz. Using that hash, the attacker signs their own tickets with no lifetime restriction or very long lifetimes, and hence gains complete access to the domain with no time limitation; this is why it is known as a Golden Ticket attack.
Reference: MITRE ATT&CK – Steal or Forge Kerberos Tickets: Golden Ticket, Sub-technique T1558.001
Silver Ticket Attack is a post-exploitation attack technique. In this attack, the attacker targets access to a specific service by compromising a misconfigured service account and obtaining its NTLM password hash with tools such as Mimikatz. Using the service account and its NTLM password hash, the attacker creates forged Service Tickets and gains access to the services in the domain that they require.
Reference: MITRE ATT&CK – Steal or Forge Kerberos Tickets: Silver Ticket, Sub-technique T1558.002
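Forged tickets (both the Golden Ticket and the Silver Ticket sections above) skip a step of the normal Kerberos exchange, and that gap is what a defender can correlate on: a forged TGT is never issued by the Authentication Server, so service ticket requests (event 4769) appear for an account with no preceding TGT request (event 4768); a forged service ticket is never issued by the TGS, so a Kerberos network logon on the host (event 4624, logon type 3) appears with no preceding 4769 for that host's service account. The correlation below is an added example written for this article, not code from the page or from MITRE. The field names are those of the real Windows events; the flat key=value line format, the sample hosts and accounts, and the lookback windows (the 10-hour default TGT lifetime) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed domain-controller events: 4768 = TGT issued, 4769 = service ticket issued.
DC_EVENTS_RAW = [
    "EventID=4768 TimeCreated=2024-05-01T08:00:00 TargetUserName=asmith ServiceName=krbtgt IpAddress=10.0.0.40",
    "EventID=4769 TimeCreated=2024-05-01T08:00:05 TargetUserName=asmith@CORP.LOCAL ServiceName=FS01$ IpAddress=10.0.0.40",
    # Service ticket request with no TGT ever issued to this account: golden-ticket pattern.
    "EventID=4769 TimeCreated=2024-05-01T08:30:00 TargetUserName=Administrator@CORP.LOCAL ServiceName=DC01$ IpAddress=10.0.0.66",
]

# Constructed member-server events: 4624 = successful logon, collected from each host.
HOST_EVENTS_RAW = [
    "Computer=FS01 EventID=4624 TimeCreated=2024-05-01T08:00:06 TargetUserName=asmith LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.0.40",
    # Kerberos logon on FS01 that the domain controller never issued a ticket for: silver-ticket pattern.
    "Computer=FS01 EventID=4624 TimeCreated=2024-05-01T09:15:00 TargetUserName=backupadmin LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.0.66",
]


def parse_event(line):
    """Turn one constructed key=value line into a dict with a parsed timestamp."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["TimeCreated"] = datetime.fromisoformat(fields["TimeCreated"])
    return fields


DC_EVENTS = [parse_event(line) for line in DC_EVENTS_RAW]
HOST_EVENTS = [parse_event(line) for line in HOST_EVENTS_RAW]


def _account(name):
    """Normalise 'User@REALM' and 'user' to one comparable key."""
    return name.split("@", 1)[0].lower()


def _issued_within(times, when, lookback):
    return any(timedelta(0) <= when - t <= lookback for t in times)


def detect_golden_ticket(dc_events, tgt_lifetime=timedelta(hours=10)):
    """Flag 4769 service ticket requests for accounts that received no TGT
    (4768) within the TGT lifetime. A genuine TGT must have come from the AS."""
    tgt_issued = defaultdict(list)
    for e in dc_events:
        if e["EventID"] == "4768":
            tgt_issued[_account(e["TargetUserName"])].append(e["TimeCreated"])

    alerts = []
    for e in dc_events:
        if e["EventID"] != "4769":
            continue
        user = _account(e["TargetUserName"])
        if not _issued_within(tgt_issued[user], e["TimeCreated"], tgt_lifetime):
            alerts.append({"user": user, "service": e["ServiceName"], "source": e["IpAddress"]})
    return alerts


def detect_silver_ticket(dc_events, host_events, lookback=timedelta(hours=10)):
    """Flag Kerberos network logons on a host for which the domain controller
    issued no service ticket (4769) to that user for that host's account.
    For host services the 4769 ServiceName is the computer account (HOST$)."""
    st_issued = defaultdict(list)
    for e in dc_events:
        if e["EventID"] == "4769":
            host = e["ServiceName"].rstrip("$").lower()
            st_issued[(_account(e["TargetUserName"]), host)].append(e["TimeCreated"])

    alerts = []
    for e in host_events:
        if e["EventID"] != "4624" or e["LogonType"] != "3":
            continue
        if e["AuthenticationPackageName"] != "Kerberos":
            continue
        key = (_account(e["TargetUserName"]), e["Computer"].lower())
        if not _issued_within(st_issued[key], e["TimeCreated"], lookback):
            alerts.append({"user": key[0], "host": e["Computer"], "source": e["IpAddress"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_golden_ticket(DC_EVENTS):
        print("service ticket without TGT (possible golden ticket):", alert)
    for alert in detect_silver_ticket(DC_EVENTS, HOST_EVENTS):
        print("Kerberos logon without service ticket (possible silver ticket):", alert)
```

Two caveats apply in a real environment. The TGT may have been issued by a different domain controller, or before the start of the log window, so the golden-ticket check needs the 4768 events from every domain controller and a lookback at least as long as the maximum TGT lifetime plus renewal; otherwise it produces false positives. The silver-ticket check needs the 4624 events shipped from the member servers themselves, because a forged service ticket is consumed entirely on the target host and never touches the domain controller.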