What is Kerberos protocol?


The Kerberos authentication protocol uses tickets to verify identities and thereby enables trusted communication in a network. It provides mutual authentication: the user and the server each verify the other's identity.

The protocol is built on symmetric-key cryptography and requires a trusted third party. It may also use public-key cryptography to strengthen authentication during certain phases. By default, Kerberos uses UDP port 88.

Fun fact: Did you know that the name was taken from Greek mythology? Kerberos (Cerberus) was believed to be a ferocious three-headed dog that guards the gates of Hades.

What is Kerberoasting?

Kerberoasting is an attack method that takes advantage of how service accounts use Kerberos authentication with Service Principal Names (SPNs). It allows the attacker to crack the passwords of service accounts in Active Directory. The cracking is usually done offline to avoid detection. The attacker exploits no security flaw; the attack simply abuses the normal working of the protocol to gain access to the network and persist.

How does it work?

Step 1: The first step involves scanning Active Directory for user accounts with SPN values set and AdminCount=1. This is done using several techniques, such as PowerShell and LDAP queries, the default scripts in the Kerberoast toolkit, or PowerSploit.

Step 2: After listing the targeted accounts, request service tickets from AD using the SPN values.

Step 3: Extract the service tickets and their hashes from memory using tools like Mimikatz and save the information to a file.

Step 4: Brute-force the encrypted passwords to obtain the actual clear text.

Step 5: Using the compromised privileged accounts, move laterally or cause destruction.

Note: Service accounts are easy to crack because their passwords rarely change. Moreover, since the cracking happens offline, it causes no domain traffic or account lockouts. Hence, this phase of the attack is undetectable on the domain.

What makes Kerberoasting dangerous?

  • The number of legitimate service ticket requests is high, making it difficult to identify the anomalous ones.
  • An SPN can be set on another target account so that its credentials can be obtained in turn, making the process complicated and multi-layered.
  • Although a ticket is requested, there is no way to tell whether it is actually used to log on to the service immediately or not. This buys the attacker time to crack the password offline.

How to mitigate the threat?

  • Ensure that service accounts that use Kerberos with SPN values hold complex passwords. Updating the passwords regularly helps reduce the threat.
  • Group managed service accounts can be used to enforce random, complex passwords that are rotated automatically and managed centrally within Active Directory.
  • Monitoring abnormal account usage can help in identifying ongoing attacks.
  • Watch out for abnormal spikes in service ticket requests.
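The last two mitigations above are monitoring controls. The following is an added example of what that monitoring can look like; it is not ManageEngine's or Log360's code. It parses constructed Windows Security event 4769 ("A Kerberos service ticket was requested") records and flags any requester that obtains tickets for many distinct SPNs within a short window, counting how many of those tickets use the RC4-HMAC encryption type (0x17), which is the weak type typically requested for offline cracking. The log lines, account names, SPNs, IP addresses, window size and threshold are all constructed assumptions.

```python
"""Added example: a small detector for the "abnormal spike in service ticket
requests" indicator. Not ManageEngine/Log360 code; all sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 records, flattened to one line each.
# Field names follow the event's schema; every value is made up.
SAMPLE_4769 = """\
2024-05-01T09:00:01 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=cifs/fs01 TicketEncryptionType=0x12 IpAddress=10.0.0.21
2024-05-01T09:00:05 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=http/intranet TicketEncryptionType=0x12 IpAddress=10.0.0.22
2024-05-01T09:01:10 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=MSSQLSvc/db01:1433 TicketEncryptionType=0x17 IpAddress=10.0.0.99
2024-05-01T09:01:11 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=http/reports TicketEncryptionType=0x17 IpAddress=10.0.0.99
2024-05-01T09:01:12 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=ftp/legacy01 TicketEncryptionType=0x17 IpAddress=10.0.0.99
2024-05-01T09:01:13 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=MSSQLSvc/db02:1433 TicketEncryptionType=0x17 IpAddress=10.0.0.99
2024-05-01T09:01:14 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=exchangeMDB/mail01 TicketEncryptionType=0x17 IpAddress=10.0.0.99
2024-05-01T09:30:00 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=cifs/fs02 TicketEncryptionType=0x12 IpAddress=10.0.0.21
"""

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC (weak, crackable offline)


def parse_4769(text):
    """Parse the constructed 4769 lines into dicts; skip anything that is not a 4769."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:])
        if fields.get("EventID") != "4769":
            continue
        fields["ts"] = datetime.fromisoformat(parts[0])
        fields["etype"] = int(fields["TicketEncryptionType"], 16)
        events.append(fields)
    return events


def find_spikes(events, window=timedelta(minutes=5), max_spns=3):
    """Return alerts as (user, ip, distinct_spn_count, rc4_ticket_count) for any
    requester that obtains tickets for more than `max_spns` distinct SPNs
    within `window`. Thresholds are assumptions; tune them to your baseline."""
    by_requester = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_requester[(e["TargetUserName"], e["IpAddress"])].append(e)

    alerts = []
    for (user, ip), evs in by_requester.items():
        # Sliding window over this requester's tickets, in time order.
        for i, start in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            spns = {e["ServiceName"] for e in in_win}
            if len(spns) > max_spns:
                rc4 = sum(1 for e in in_win if e["etype"] == RC4_HMAC)
                alerts.append((user, ip, len(spns), rc4))
                break  # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for user, ip, n, rc4 in find_spikes(parse_4769(SAMPLE_4769)):
        print(f"ALERT {user} from {ip}: {n} distinct SPNs in 5 min, {rc4} with RC4")
```

Keying the count on the requesting account and source address, rather than on the target service, is what separates one client sweeping many SPNs from many clients each using one service. Counting RC4 tickets separately matters because modern AES-only environments should see almost none, so a burst of 0x17 tickets is a stronger signal than volume alone.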

ManageEngine Log360, a comprehensive SIEM solution, helps you detect and contain Kerberoasting and other AD-based attacks. The solution's real-time correlation engine comes with predefined rules drafted from the indicators of compromise (IoCs) of these attacks. Upon detecting an attack, Log360 notifies you in real time, automates the remediation workflow, and can also raise the attack as an incident ticket in your central help desk console to ensure accountability in resolution. That's not all. Explore more about Log360 here.

Cyber Security - Knowledge Base


  Zoho Corporation Pvt. Ltd. All rights reserved.