Kerberoasting and Evil Passwords – The Dark Side of an Active Directory

Written By Aakash Kumar

Imagine a world where you have to remember passwords for every website and network you want to use. You’d be constantly typing in your passwords, making it easy for others to access your sensitive information. Even with passwords, there exist vulnerabilities, such as Kerberoasting, a hacking technique that exploits flaws in the Kerberos authentication system to extract password hashes and access sensitive data.

In Greek mythology, Kerberos was named after the three-headed dog who guarded the underworld gates. The Kerberos protocol, like the mythical creature, helps secure the gates of a computer network, protecting it from unauthorized access. This protocol relies on a trusted third party, the Key Distribution Center (KDC), to validate user and device identities and provide secure access to network resources. Kerberos is like a secret assistant who protects your passwords and ensures that only you and the websites you want to access can use them. It’s like having your own personal bouncer for your online information, ensuring that only you and your trusted members can access it.

In this blog, we’ll look at how Kerberos works, the key features that make it so secure, and how it is a valuable tool for protecting computer networks.

What is Kerberos?

The Kerberos network authentication protocol is designed to authenticate users to network services securely. It employs a trusted third party, a Key Distribution Centre (KDC), which issues tickets encrypted with the password hash of the user’s account.

Understanding Kerberoasting: A Threat to Active Directory

Kerberoasting is a post-exploitation attack that extracts service account credential hashes from Active Directory. An attacker can potentially gain unauthorized access to the system by using these hashes to crack the user’s password. The attack is mostly successful due to the use of weak passwords.

Most service account passwords have the same minimum password length requirement for the domain (10 or 12 characters), which makes them vulnerable. Since a majority of the service accounts don’t have password expiration settings, it’s likely that the same password will be valid for months or even years. Moreover, service accounts are often not created with the principle of least privilege in mind. They are usually members of the Domain Admins group, providing the Active Directory with complete administrative capabilities (even if the service account only requires modifying an attribute on specific object types or performing administrative tasks).

How Does Kerberos Work?

  • To request (AS-REQ) the TGT, the user logs into the Active Directory, using a username and password. The password is converted to an NTLM hash and sent to the Domain Controller (KDC). The Domain Controller (KDC) generates ticket-granting tickets (TGT) after it verifies user credentials. The encrypted TGT is then delivered to the user (AS-REP).
  • When requesting (TGS-REQ) a Ticket Granting Service (TGS) ticket, the user provides the TGT to the DC. The DC validates the TGT and creates a TGS ticket. The TGS is encrypted with the target service account’s NTLM password hash and sent to the user (TGS-REP).
  • The user provides (AP-REQ) the TGS and establishes a connection with the server running the service on the relevant port. The service uses the NTLM password hash to open the TGS ticket.

Where is the Flaw?

The service account’s weak password is the cause of the vulnerability. As previously stated, the target service’s password hash encrypts the ticket, and any user in the AD can request this ticket from the KDC and crack it offline. If strong password policies are not implemented, a weakly used password can be compromised, leading to unauthorized access.

A user or machine account is the two types of account that can be connected to an SPN. A machine account password (128-character password) is generated randomly and theoretically impossible to crack. Whereas the security of a user account password depends on the administrator who set it.

How To Mitigate Kerberoasting?

Ensure that the passwords for all service accounts (user accounts with Service Principal Names) are long, difficult, and at least 25 characters long. This makes it more difficult to crack these passwords.

Use group-managed service accounts, managed automatically by Active Directory, and have random, complex passwords (>100 characters).

The emphasis should be ensuring that Service Accounts with privileged AD permissions have even more complex passwords.

Use Group Policy to enable logging to Kerberos TGS requests. Go to “Account Logon,” enable “Audit Kerberos Service Ticket Operations,” and search for users with excessive TGS requests. This event will trigger dozens of times per day for each user. Although, encountering false positives will be a trade-off.

How to Stay Secure with Accorian?

We at Accorian provide full-fledged services to test and evaluate the security posture of your network with a targeted attack against Active Directory in the form of red team assessments. Reach out to us for a more in-depth discussion.

Accorian offers comprehensive services to evaluate the security of your Active Directory configuration. We are committed to assisting clients in identifying potential vulnerabilities and ensuring the overall security of their network through our team of penetration testing experts.

Contact us for a thorough evaluation of your Active Directory security posture. Allow us to assist you in safeguarding your valuable assets and data against potential security threats.

WHY HIRE A CREST ACCREDITED PENETRATION TESTING (PEN TESTING) FIRM?

“An ounce of prevention is worth a pound of cure” – a famous quote by Benjamin Franklin that perfectly captures cybersecurity’s importance in today’s digital world. This is especially true for companies that must safeguard their sensitive data and systems from ever-increasing cyber threats and attacks. Therefore, companies must conduct penetration testing to enhance their security with a CREST Accredited partner.

What is CREST?

CREST is a not-for-profit accreditation and certification body representing the technical information security industry. The CREST Codes of Conduct contain the basic principles that underpin good business practice and ethics, which are all-pervasive. They describe the standards of practice expected of Member Companies and their Consultants and must be observed in parallel with the Code of Ethics.

Why Should You Choose a CREST Accredited Partner?

Accorian recently acquired its CREST accreditation, and here is what Rowland Johnson, President CREST, had to say, “Accreditation of Accorian is a strong endorsement of its penetration testing team and commitment to robust business processes, data security and testing methodologies,” said Rowland Johnson, President of CREST. “It also reflects the growing influence of CREST across the Americas and the growing demand for highly skilled penetration testing services from trusted providers that can demonstrate internationally recognized, independent validation.”

Choosing a CREST approved partner instils confidence and trust that the chosen penetration testing service provider has undergone rigorous controls to receive accreditation and has access to industry-leading resources and events to ensure their knowledge is always up to date. By choosing a CREST accredited partner, you can rest assured that the provider has the necessary skills and methodologies to conduct a thorough and accurate assessment of your cybersecurity strategy.

Furthermore, CREST recognition indicates they adhere to best practices in all aspects of the testing process, including assignment execution, preparation, scoping, data protection, and post-technical delivery. They also sign up for a binding company code of conduct, which includes procedures for handling complaints.

Importance of Choosing a CREST Approved Partner

Choosing a CREST Accredited penetration testing services provider gives you reassurance that:

 

What are the Benefits of a CREST Accredited Penetration Testing Service Provider?

ACCESS TO HIGHLY SKILLED PROFESSIONALS

A CREST-certified pen tester must undergo rigorous exams to demonstrate their expertise and competence, ensuring their knowledge is of the highest caliber. To become CREST certified, they must have 6000-10,000 hours of regular and professional experience. While it may seem impossible for an individual to achieve this feat, there is no doubt that a CREST-certified partner will have access to a pool of highly qualified pen testers to conduct your business assessment.

ENHANCES CUSTOMER ASSURANCE

Consumers frequently inquire about the security of their data. With growing data security concerns, businesses must regulate industry standards and protect their consumer’s data. Partnering with a CREST-accredited company ensures that your business follows the best security practices.

GLOBALLY ACCREDITED

CREST Accreditation is a certification that is internationally recognized. Having partnered with a CREST approved company for your pen testing services ensures that your business is certified and credible regarding information security.

ALIGNED WITH SHIFTING PARADIGMS

Bruce Schneier, a security expert, stated, “Security is an ever-changing and evolving landscape that necessitates constant attention and adaptation.” Therefore, it is critical to partner with a CREST-approved pen testing firm that stays updated with advanced developments in technical information assurance to ensure that your business stays relevant and adapts quickly to changing times.

REGULAR PEN TESTER v/s CREST ACCREDITED PEN TESTER

PARTNER WITH ACCORIAN FOR YOUR PENETRATION TESTING SERVICES

Accorian is an established cybersecurity advisory firm with a global clientele that assists businesses of all sizes in improving their cybersecurity posture through their compliance readiness, audit and penetration testing services, along with meeting long & short-term staffing needs. Our team comprises cybersecurity and IT industry veterans who have held leadership and CXO roles at large global enterprises.

Our penetration testers are certified and experienced in conducting penetration tests across a client’s entire tech stack, including on-prem and cloud environments. Additionally, they excel at conducting red team assessments, which involve skilled adversary simulation tests. The team has combined experience working with 500+ clients on 1200+ penetration tests and detecting 25000+ vulnerabilities. We have built our time-tested and proven penetration testing methodology using OSSTMM, OWASP, NIST, and PTES standards.

Penetration Testing Anecdote Series

Authentication bypass due to weak verification of SAML Token

What is authentication bypass in web applications?

The web application vulnerability – authentication bypass occurs when there is improper validation of the user’s identity on the server-side.

Generally, a successful authentication bypass requires the attacker to have knowledge of either the username/email ID unlike the case of SQL injection where the attacker can attempt to log into the application using any user.

What is SAML?

SAML (Security Assertion Markup Language) is a standard for authenticating and authorizing users across multiple applications by leveraging the logged-in session of one application.

In simple words, you log into a dashboard where you see multiple applications like Salesforce, AWS, Slack, ADP, etc. and when you click on any one of the icons, you would directly get signed into that application.

Unlike other tokens, the SAML token is XML-based for transferring identity between two parties.

So, who are these two parties? 1. Identity Provider (IdP) 2. Service Provider (SP). IdP is responsible to authenticate the user and subsequently sending the token to the service provider and SP trusts the identity provider and authorizes/authenticates the user to access the requested application.

Some applications implement SAML for the clients to authenticate themselves and use the application. So, the question is what kind of verification is done by the SP in the back-end? Is it possible to modify the token and login to the application as another user?

In this blog, we’ll walk you through an authentication bypass mechanism that allowed us to log into the application as any user with just the knowledge of the username. This can be achieved due to insecure logic & validation implemented at the backend.

Understanding the authentication process

The application uses Okta which is an identity platform that offers authentication and authorization services for the application. Let’s say the target domain is testproduct.com. After hitting this domain, we get redirected to the Okta login page with a domain like testcorp.oktapreview.com which looks like the below screenshot.

Using valid credentials, we log into the Okta dashboard. In My Apps, we see all the applications for whom we could obtain direct access without re-entering the credentials.

Let’s assume our app testcorp.com is included in it. After clicking our app, we directly get signed into it.

We now attempt to understand the process of how we got logged into testproduct.com from testcorp.oktapreview.com.

By setting up an interception proxy – Burp suite, we observe a request where testcorp.com receives a  SAML token with the parameter name SAML Response.

Bypass #1: Pre-remediation

The next request was responsible to authenticate the user, or in other words, activating the user’s session.

By changing the username value from 252233 to 252234, we were able to log into the application as a different user. We confirmed this by entering random number which gave us an error indicating that the user was invalid. Thus, confirming that username we used earlier was indeed valid.

By trying different values for the username parameter and repeating the above steps, we were able to log into the application as an administrator user.

Test Corp went ahead and implemented a fix to remediate the above vulnerability.

Bypass #2 : Post application of the first fix

Test Corp leveraged an encryption mechanism which prevented us changing the username value as the parameter was not unguessable.

We started looking at the different ways to decrypt the parameter through recon. We also wrote multiple scripts, but they weren’t successful in recreating the original value.

After many failed attempts we were curious to understand how the application knew which username parameter & value to encrypt, as we didn’t see any username being transmitted in the request via plaintext.

There was still a puzzle associated to the SAML token as we hadn’t looked at understanding it.

By using URL Decode then Base64 decode, we obtained decoded XML data containing the username 2522334.

The response had the encrypted username. Hence, sending a request by changing the username in the SAML token and encoding it back to its original format, resulted in a different encrypted username which caught our eye. So, we used this new username in the subsequent request with URL encoding which successfully logged us in.

So, the application was accepting the username from the SAML token & it then encrypted it. Subsequently, it was being sent in the request where the activation occurred.

Conclusion

Our understanding of the application led to the conclusion that rather than validating the token, the application extracted the username and verified whether it exists in their database or, not. This allowed an attacker to authenticate as any user, with a valid username.

Posted by:

Raunak Parmar

Senior Security Engineer at Accorian

 

How do you prepare for a Penetration test?

A penetration test (Pen Test) is one of the best ways a company can test their IT assets for vulnerabilities that a hacker could exploit to access sensitive data (customer, internal IP, passwords, etc.). Many internal IT teams assume that a pen test is a time-consuming nightmare, but, with the right communication and preparation, a pen-test is an effortless, vital, and valuable procedure for any business.

Penetration tests are simulated cyberattacks against an IT system by security professionals to find exploitable vulnerabilities a hacker would use to infiltrate an organization. Finding these vulnerabilities allows you to address the gaps in your network defense and enhance your overall security posture. Additionally, it provides you with an opportunity to assess your active protection systems, incident response, and on-going security monitoring.

Why does a company need a penetration test?

  • To detect and remediate vulnerabilities before an adversary exploits them
  • Upper management may want a better understanding of their current security posture
  • It may be a regulatory requirement of the industry, or a legal requirement to do business with another company
  • Data protection increases customer confidence

Who will be involved in the Pen test?

  1. Management and authorized technical leaders of the company.
  2. The internal IT teams.
  3. The external penetration testing company.

Ask these questions before you start the Pen Test

Our experience testing over 1000+ application and 500+ networks. Based on their experience, they recommend asking and discussing the questions below. The details should be agreed upon by your team and the penetration testing team before commencing the tests.

  1. Will the test include DoS, DDoS or Brute forcing?
  2. How will the security team perform the intrusive test?
  3. Will the test team exploit vulnerabilities they find or just identify them?
  4. How long will it take to perform the pen test?
  5. What will be included in the report? If possible, ask for drafts or interim reports for longer engagements.
  6. Will there be regular meetings to discuss test progress and concerns?
  7. Will they provide an escalation matrix for both teams?
  8. When will they notify all stakeholders regarding the test and get necessary approvals?
  9. Will there be legal documentation between stakeholders and test team?

How should you prepare for the Pen Test?

If you plan to run a penetration test on your IT system, it’s important that you, your IT team, and staff prepare for it. It’s possible to prepare for a pen test in a few hours, but it helps if you know what to do. Here are 6 ways your company can prepare for a Pen test –

  1. Identify and communicate your scope and objectives with the security professionals conducting your pen test
    Prepare an inventory of your technology assets and assign values to each based on business impact. This will help you to identify and prioritize the assets that should be tested. It would be ideal to discuss the scope with the penetration testing company and/or compliance teams.Spend time with the IT team and security testing company and create a concise and realistic project description with objectives and expectations. For example, do you want to test your company’s ability to detect intrusion attempts? Or see how well your IT team responds to a possible breach? Make these goals clear to the IT Team and penetration testing company.
  2. Decide on the best time to conduct the test
    Pen testing is a time-sensitive process and can take longer thank expected if issues arise. It’s best to run this test during a time of low business activity. Depending on the business, weekends might be ideal to perform this exercise.
  3. Backup your data 
    Your IT team should make a backup of all configurations, data, and codes before the test begins. It’s possible that the pen test may cause a system to crash or data to be lost. If this happens, the data can be restored to pre-test configurations. Your internal IT or support team should be readily available to resolve technical issues with the testing company during the testing phase.
  4. Ensure that your internal IT team is available
    Your internal IT team or support team should be readily available to resolve technical issues with the asset during the testing phase.
  5. Explain what you want to see in the report
    • Do you want to see an Executive summary that describes the work done in a way that management can understand and act on?
    • Do you require mapping of the findings to a regulatory, or compliance standard like PCIDSS, HIPAA, HITRUST, etc.?
    • Do you want to see a detailed record of the findings of the test?
    • Would you like any specific metrics to be included in the final risk rating of the findings?
  6. Mitigating common vulnerabilities
    Security is an ongoing process, so it is helpful to mitigate common vulnerabilities before you go ahead with the test to ensure optimal results. More than 67% of detected vulnerabilities are common and can be mitigated through basic security measures.
    • Applying missing patches
    • Restrict access to management or administrative interfaces
    • Disable insecure encryption standards and ciphers
    • Decommission obsolete software, services, and systems
    • Ensure password strength is maintained across all assets (network and application)
    • Validate all inputs on the server side

What is included in the Pen Test report?

A detailed report that includes:

  • The goals and scope of the penetration test
  • The methodology used by the security company
  • The timeline of the penetration test.
  • Detailed list of vulnerabilities, risk ratings, and evidence
  • Recommendations to improve overall security

Penetration testing is not a one-time activity. In 2018, there were 16,412 common vulnerabilities and exploits released, which is why penetration testing and vulnerability assessments need to be an ongoing process as most attackers leverage known exploits and vulnerabilities to attack organizations. It is important to ensure that penetration testing is a part of the development cycle and at a minimum be carried out before every major release if not biannually.

Accorian is a full-service cybersecurity partner. We can help protect your data, monitor your networks, conduct penetration tests and provide anti-phishing training for your employees. We have extensive experience in conducting penetration tests & vulnerability scanning for all applications (Web & Mobile), APIs, networks, and social engineering assessments.

Shukla CPA, d.b.a Accorian Assurance is a licensed, certified public accounting firm registered with the American Institute of Pubic Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB). Esha IT Corp d.b.a Accorian is a global leader in cybersecurity and compliance professional services.

© 2023 Accorian. All Rights Reserved.

    Ready to Start?

    Download Case study

    Download SOC2 Guide

    Human Resources Director

    Posted On: 09 May, 2022

    Drop your CVs to joinourteam@accorian.com

      Interested Position
      First Name
      Last Name
      Email
      Total Experience
      Mobile Number
      Upload Resume