Which of the following attacks requires this information as a prerequisite to proceed?

During a penetration test, a tester captures information about an SPN account.

Which of the following attacks requires this information as a prerequisite to proceed?
A . Golden Ticket
B . Kerberoasting
C . DCShadow
D . LSASS dumping

View Answer

Answer: B

Explanation:

Kerberoasting is an attack that specifically targets Service Principal Name (SPN) accounts in a

Windows Active Directory environment.

Here’s a detailed explanation:

Understanding SPN Accounts:

SPNs are unique identifiers for services in a network that allows Kerberos to authenticate service accounts. These accounts are often associated with services such as SQL Server, IIS, etc. Kerberoasting Attack:

Prerequisite: Knowledge of the SPN account.

Process: An attacker requests a service ticket for the SPN account using the Kerberos protocol. The ticket is encrypted with the service account’s NTLM hash. The attacker captures this ticket and attempts to crack the hash offline.

Objective: To obtain the plaintext password of the service account, which can then be used for lateral

movement or privilege escalation.

Comparison with Other Attacks:

Golden Ticket: Involves forging Kerberos TGTs using the KRBTGT account hash, requiring domain admin credentials.

DCShadow: Involves manipulating Active Directory data by impersonating a domain controller, typically requiring high privileges.

LSASS Dumping: Involves extracting credentials from the LSASS process on a Windows machine, often requiring local admin privileges.

Kerberoasting specifically requires the SPN account information to proceed, making it the correct answer.