Kerberos Flashcards

(5 cards)

1
Q

Explain Kerberoasting and its implications.

A

Kerberoasting involves an authenticated user requesting a service ticket (TGS-REP) for any account that has an SPN registered. Because part of that ticket is encrypted with a key derived from the service account's password, the ticket can be taken away and cracked offline, with no failed logons and no direct interaction with the service. A successful crack yields the service account's password, giving a stealthy path to privilege escalation.

2
Q

How does Kerberoasting exploit Kerberos protocol design?

A

It exploits the fact that the KDC does not check whether the requesting user is actually authorised to use a service before issuing a service ticket; authorisation is left to the service itself. By requesting tickets encrypted with RC4-HMAC, whose key is the account's NT hash, attackers obtain material that supports high-speed offline brute-forcing of the account password.

3
Q

What are the main components of the Kerberos protocol?

A

Kerberos uses a Key Distribution Center (KDC) consisting of the Authentication Service (AS), which issues Ticket Granting Tickets (TGTs), and the Ticket Granting Service (TGS), which issues service tickets. It relies on a trusted third-party model in which the KDC, holding every principal's secret key, authenticates clients to servers.

4
Q

What are the best practices for defending against Kerberoasting?

A

Key defenses include using Group Managed Service Accounts (gMSAs), whose long, randomly generated and automatically rotated passwords are impractical to crack; creating 'Honey-SPNs' (decoy accounts with SPNs that should never be requested) to raise an alert when a ticket is requested for them; and monitoring Event ID 4769 for unusual ticket-request patterns or requests that use the weak RC4 encryption type.

5
Q

How can Red Teams benefit from DNS rebinding attacks?

A

DNS rebinding bypasses the Same-Origin Policy (SOP) by switching a short-lived DNS record from an attacker-controlled IP to an internal IP (such as 127.0.0.1) after the victim's browser has loaded the attacker's page. Because the browser still treats the hostname as the same origin, the page can be used as a proxy into internal, unauthenticated APIs such as Jenkins or Docker.
