Exam 312-50v13 topic 1 question 137 discussion

A Kerberoasting attack is a technique that exploits the Kerberos authentication protocol to obtain the password hash of a service account that has a Service Principal Name (SPN). An attacker can request a service ticket (TGS) for the SPN using a valid user's ticket (TGT) and then attempt to crack the password hash offline. To prevent the attacker from using the TGS to access the service, the system administrator should invalidate the TGS as soon as possible. This can be done by changing the password of the service account, which will generate a new password hash and render the old TGS useless. Alternatively, the system administrator can use tools like Mimikatz to purge the TGS from the memory of the domain controller or the client system.

Correct is C: o As the attacker already extracted TGS ticket from memory, the attack continues as follows: 1. Perform Offline Brute-Force on the Ticket • Since the TGS ticket is encrypted with the service account’s NTLM hash, the attacker cracks it offline using Hashcat or John the Ripper. 2. Obtain the Service Account’s Cleartext Password • Once cracked, the attacker can authenticate as the service account, potentially escalating to domain admin. o So the password of service account (which are usually targets of this attack) is the main goal of the attacker. o We need to change NTLM password (i. e. account password... which also changes the NTLM hash as it is derived from the password) to avoid attacker accessing the service account with password from the cracked NTLM hash, which he/she already has.

A Kerberoasting attack involves an attacker obtaining a Ticket Granting Service (TGS) ticket from memory and attempting to crack it offline to extract the service account’s password hash. Since the attacker was stopped before completing the attack, the immediate remediation step should focus on preventing further exploitation.