AD Attacks - KerbeRoasting


Service Principal Name (SPN) on an AD Account

A Service Principal Name (SPN) is a unique identifier for a service instance in a Windows environment that uses Kerberos authentication. It consists of the service class, hostname, and port of the service it represents. SPNs are used to associate a service with a service logon account. When a client wants to authenticate to a service, it uses the SPN to find the appropriate service account in Active Directory.

Understanding and correctly configuring SPNs is crucial for ensuring proper authentication and delegation in Active Directory environments. Incorrect or missing SPNs can lead to authentication failures and security vulnerabilities.

To create an SPN for a service account, you can use the setspn command-line tool in Windows. It allows you to add, delete, and list SPNs associated with an account.

For example, to add an SPN for a web service running on a server named “webserver” and listening on port 80, you would use the following command:

Detecting vulnerable accounts

To be vulnerable to the KerbeRoasting attack, an Active Directory account must have:

  • At least one servicePrincipalName set in the properties of its account (in LDAP).
  • A weak password.

Machine accounts are not vulnerable by default: they do have a servicePrincipalName set, but their password is insanely long and random, so it cannot be cracked by currently known techniques.
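As an added example (not part of the original page), the Python code below audits a directory export for the first condition above: it lists the non-machine accounts that carry at least one servicePrincipalName and splits each SPN into service class, host and port. The LDIF sample, the example.local domain and all function names are constructed assumptions; password strength cannot be read from the directory, so the result is a list of accounts whose passwords should be reviewed.

```python
import re

# Constructed sample: simplified LDIF export (no line folding, no base64 values).
SAMPLE_LDIF = """\
dn: CN=svc-web,OU=Service Accounts,DC=example,DC=local
objectClass: user
sAMAccountName: svc-web
servicePrincipalName: HTTP/webserver:80
servicePrincipalName: HTTP/webserver.example.local

dn: CN=WEBSERVER,OU=Servers,DC=example,DC=local
objectClass: user
objectClass: computer
sAMAccountName: WEBSERVER$
servicePrincipalName: HOST/webserver

dn: CN=alice,OU=Staff,DC=example,DC=local
objectClass: user
sAMAccountName: alice
"""

SPN_RE = re.compile(r"^(?P<service>[^/]+)/(?P<host>[^:/]+)(?::(?P<port>[^/]+))?(?:/.+)?$")

def parse_spn(spn):
    """Split an SPN into (service class, host, port); port is None when absent."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"malformed SPN: {spn!r}")
    port = m.group("port")  # numeric port, or an instance name for some services
    return m.group("service"), m.group("host"), int(port) if port and port.isdigit() else port

def parse_ldif(text):
    """Yield one dict of attribute -> list of values per LDIF entry."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        yield entry

def accounts_to_review(text):
    """Return {sAMAccountName: [parsed SPNs]} for non-machine accounts with an SPN."""
    findings = {}
    for e in parse_ldif(text):
        spns = e.get("servicePrincipalName", [])
        is_machine = "computer" in e.get("objectClass", [])
        if spns and not is_machine:
            findings[e["sAMAccountName"][0]] = [parse_spn(s) for s in spns]
    return findings
```

On the constructed sample only `svc-web` is reported: the machine account `WEBSERVER$` is skipped and `alice` has no SPN.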

Performing KerbeRoasting attack

In order to perform a KerbeRoasting attack, an attacker first needs to identify the user accounts with at least one servicePrincipalName set. Then