Articles & Blogs
Kerberoasting and Evil Passwords – The Dark Side of an Active Directory
Written By Aakash Kumar II
Imagine a world where you have to remember passwords for every website and network you want to use. You’d be constantly typing in your passwords, making it easy for others to access your sensitive information. Even with passwords, there exist vulnerabilities, such as Kerberoasting, a hacking technique that exploits flaws in the Kerberos authentication system to extract password hashes and access sensitive data.
In Greek mythology, Kerberos was named after the three-headed dog who guarded the underworld gates. The Kerberos protocol, like the mythical creature, helps secure the gates of a computer network, protecting it from unauthorized access. This protocol relies on a trusted third party, the Key Distribution Center (KDC), to validate user and device identities and provide secure access to network resources. Kerberos is like a secret assistant who protects your passwords and ensures that only you and the websites you want to access can use them. It’s like having your own personal bouncer for your online information, ensuring that only you and your trusted members can access it.
In this blog, we’ll look at how Kerberos works, the key features that make it so secure, and how it is a valuable tool for protecting computer networks.
What is Kerberos?
The Kerberos network authentication protocol is designed to authenticate users to network services securely. It employs a trusted third party, a Key Distribution Centre (KDC), which issues tickets encrypted with the password hash of the user’s account.
Understanding Kerberoasting: A Threat to Active Directory
Kerberoasting is a post-exploitation attack that extracts service account credential hashes from Active Directory. An attacker can potentially gain unauthorized access to the system by using these hashes to crack the user’s password. The attack is mostly successful due to the use of weak passwords.
Most service account passwords have the same minimum password length requirement for the domain (10 or 12 characters), which makes them vulnerable. Since a majority of the service accounts don’t have password expiration settings, it’s likely that the same password will be valid for months or even years. Moreover, service accounts are often not created with the principle of least privilege in mind. They are usually members of the Domain Admins group, providing the Active Directory with complete administrative capabilities (even if the service account only requires modifying an attribute on specific object types or performing administrative tasks).
How Does Kerberos Work?
- To request (AS-REQ) the TGT, the user logs into the Active Directory, using a username and password. The password is converted to an NTLM hash and sent to the Domain Controller (KDC). The Domain Controller (KDC) generates ticket-granting tickets (TGT) after it verifies user credentials. The encrypted TGT is then delivered to the user (AS-REP).
- When requesting (TGS-REQ) a Ticket Granting Service (TGS) ticket, the user provides the TGT to the DC. The DC validates the TGT and creates a TGS ticket. The TGS is encrypted with the target service account’s NTLM password hash and sent to the user (TGS-REP).
- The user provides (AP-REQ) the TGS and establishes a connection with the server running the service on the relevant port. The service uses the NTLM password hash to open the TGS ticket.
Where is the Flaw?
The service account’s weak password is the cause of the vulnerability. As previously stated, the target service’s password hash encrypts the ticket, and any user in the AD can request this ticket from the KDC and crack it offline. If strong password policies are not implemented, a weakly used password can be compromised, leading to unauthorized access.
A user or machine account is the two types of account that can be connected to an SPN. A machine account password (128-character password) is generated randomly and theoretically impossible to crack. Whereas the security of a user account password depends on the administrator who set it.
How To Mitigate Kerberoasting?
Ensure that the passwords for all service accounts (user accounts with Service Principal Names) are long, difficult, and at least 25 characters long. This makes it more difficult to crack these passwords.
Use group-managed service accounts, managed automatically by Active Directory, and have random, complex passwords (>100 characters).
The emphasis should be ensuring that Service Accounts with privileged AD permissions have even more complex passwords.
Use Group Policy to enable logging to Kerberos TGS requests. Go to “Account Logon,” enable “Audit Kerberos Service Ticket Operations,” and search for users with excessive TGS requests. This event will trigger dozens of times per day for each user. Although, encountering false positives will be a trade-off.
How to Stay Secure with Accorian?
We at Accorian provide full-fledged services to test and evaluate the security posture of your network with a targeted attack against Active Directory in the form of red team assessments. Reach out to us for a more in-depth discussion.
Accorian offers comprehensive services to evaluate the security of your Active Directory configuration. We are committed to assisting clients in identifying potential vulnerabilities and ensuring the overall security of their network through our team of penetration testing experts.
Contact us for a thorough evaluation of your Active Directory security posture. Allow us to assist you in safeguarding your valuable assets and data against potential security threats.