Cracking Service Account Passwords with Kerberoasting

July 16, 2018 Andrew Silberman


Threat detection is a hot topic in security today. By now, most recognize it’s important to manage administrative rights and take a centralized approach to security so as not to mismanage (or lose track of) older systems and applications. However, today there are new considerations. Kerberoasting has emerged as a way for attackers to exploit the Windows authentication protocol without needing access to an administrative account.

Kerberos’ legacy implementation in Active Directory is targeted by malicious actors as a key vulnerability. Kerberoasting in particular aims to crack the passwords of service accounts, and it is effective because it capitalizes on human nature: it is commonplace to create simple, easy-to-remember passwords, especially when they are shared. Keep in mind that the account used to request the tickets does not require admin rights; it simply has to be a valid domain user.

When a privileged domain account is configured to run a service in the environment, such as MS SQL, a Service Principal Name (SPN) is registered in the domain to associate the service with that service account. However, it’s important to remember that many service accounts have historically been granted far more administrative rights than they need. Every least-privileged user who wants to use that specific resource receives a Kerberos service ticket encrypted with the NTLM hash of the privileged account that is running the service.

This inherently creates a vulnerability: a malicious actor can take the Kerberos ticket offline to his or her own machine and run password-cracking methods such as brute force, rainbow tables and so on against it until the correct service account password is discovered. From there, the attacker can use that service account’s cleartext password to move laterally throughout the entire network.
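As an added example, not part of the original post or of any CyberArk tool: a Python sketch of the Blue Team side of this, applying two common heuristics to Windows Security event 4769 (a Kerberos service ticket was requested). The event ID and the encryption type codes are real; the event records are constructed, and the field names, time window and threshold are assumptions for illustration.

```python
"""Flag Kerberoasting-like activity in Windows Security event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 events, reduced to the fields the heuristics need.
# Encryption types: 0x12 = AES256-CTS-HMAC-SHA1-96, 0x17 = RC4-HMAC (NT hash key).
SAMPLE_EVENTS = [
    {"time": "2018-07-16T09:00:01", "requester": "alice", "service": "WS01$",   "etype": "0x12"},
    {"time": "2018-07-16T09:00:05", "requester": "alice", "service": "svc_sql", "etype": "0x12"},
    {"time": "2018-07-16T09:30:00", "requester": "jdoe",  "service": "svc_sql", "etype": "0x17"},
    {"time": "2018-07-16T09:30:01", "requester": "jdoe",  "service": "svc_iis", "etype": "0x17"},
    {"time": "2018-07-16T09:30:02", "requester": "jdoe",  "service": "svc_bkp", "etype": "0x17"},
    {"time": "2018-07-16T09:30:03", "requester": "jdoe",  "service": "svc_app", "etype": "0x17"},
]
RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP

def is_user_service_account(service: str) -> bool:
    """Computer accounts end in '$' and krbtgt belongs to the KDC; neither has a
    human-chosen password, so only the remaining (user) SPN owners are at risk."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def find_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Return (rule, requester, detail) alerts.
    Rule A: an RC4-encrypted ticket for a user-account SPN; the ticket is encrypted
            under the service account's NT hash, the form that cracks fastest offline.
    Rule B: one requester collecting tickets for >= threshold distinct user-account
            SPNs inside `window` (bulk harvesting of SPNs to crack later)."""
    alerts = []
    per_requester = defaultdict(list)
    for e in events:
        if not is_user_service_account(e["service"]):
            continue
        ts = datetime.fromisoformat(e["time"])
        if e["etype"].lower() in RC4_ETYPES:
            alerts.append(("rc4_user_spn", e["requester"], e["service"]))
        per_requester[e["requester"]].append((ts, e["service"]))
    for requester, hits in per_requester.items():
        hits.sort()  # by timestamp, so each index starts a sliding window
        for i, (start, _) in enumerate(hits):
            in_window = {svc for ts, svc in hits[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                alerts.append(("bulk_spn_requests", requester, sorted(in_window)))
                break  # one alert per requester is enough
    return alerts

if __name__ == "__main__":
    for alert in find_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

Tickets for computer accounts are deliberately ignored: their passwords are long and random, so they are not what a Kerberoasting attacker is after.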

To identify these types of vulnerabilities, CyberArk Labs has built a tool called Zbang, which allows organizations to scan for and detect risks related to Shadow admins, Risky SPNs, SID histories, Skeleton Keys and Delegation. Zbang helps organizations map out where these types of vulnerabilities exist. That information can then be digested by IT admins and onboarded into the CyberArk Privileged Access Security Solution, which is able to detect suspicious activity occurring with service accounts, as well as highlight and manage these risky SPNs — accounts that are at high risk of a Kerberoasting attack.

In the demo video below, we walk through a Red Team / Blue Team example of a real-time Kerberoasting attack. The Red Team member uses John the Ripper, a widely used open-source password cracker, to crack a service account password and gain unauthorized access. The Blue Team member then leverages CyberArk Privileged Threat Analytics to detect this malicious behavior and stop the attack before it causes irrevocable damage to the network.

Request a live demo to see CyberArk Privileged Threat Analytics in action. We’ll also demonstrate Kerberoasting during CyberArk Impact 2018 in Boston, July 16-18:

  • Deep Dive on Kerberoasting and Other Kerberos Attacks
  • More Zbang for the zBuck: How Zbang Can Be Used to Discover Hidden Risks

For more information about the Zbang tool, please reach out to your Account Team and they will be happy to provide further details and deliver the tool.
