Article
Kerberoasting and Evil Passwords - The Dark Side of an Active Directory
Written By Aakash Kumar

Imagine a world where you had to remember a separate password for every website and network you use. You'd be constantly typing in passwords, making it easy for others to get at your sensitive information. Even with passwords in place, vulnerabilities remain, such as Kerberoasting, a hacking technique that exploits a weakness in how the Kerberos authentication system issues tickets in order to extract password hashes and reach sensitive data.

The protocol takes its name from Kerberos, the three-headed dog of Greek mythology who guarded the gates of the underworld. Like the mythical creature, the Kerberos protocol guards the gates of a computer network, protecting it from unauthorized access. It relies on a trusted third party, the Key Distribution Center (KDC), to validate user and device identities and grant secure access to network resources.

Kerberos is like a secret assistant who protects your passwords and ensures that only you and the websites you want to access can use them. It's like having your own personal bouncer for your online information, ensuring that only you and your trusted members can get in.

In this blog, we'll look at how Kerberos works, the key features that make it so secure, and how it is a valuable tool for protecting computer networks.

What is Kerberos?

Kerberos is a network authentication protocol designed to authenticate users to network services securely. It employs a trusted third party, the Key Distribution Center (KDC), which issues tickets encrypted with the password hash of the user's account.

Understanding Kerberoasting: A Threat to Active Directory

Kerberoasting is a post-exploitation attack that extracts service account credential hashes from Active Directory. By cracking these hashes to recover the account's password, an attacker can potentially gain unauthorized access to the system. The attack succeeds mostly because of weak passwords.

Most service account passwords only meet the domain's minimum password length requirement (10 or 12 characters), which makes them vulnerable. Since the majority of service accounts have no password expiration setting, the same password is likely to remain valid for months or even years. Moreover, service accounts are often not created with the principle of least privilege in mind. They are usually members of the Domain Admins group, which grants complete administrative rights over Active Directory, even if the service account only needs to modify an attribute on specific object types or perform a narrow administrative task.

How Does Kerberos Work?

1. To request a TGT (AS-REQ), the user logs into Active Directory with a username and password. The password is converted to an NTLM hash and sent to the Domain Controller (KDC).
2. After verifying the user's credentials, the Domain Controller (KDC) generates a Ticket Granting Ticket (TGT). The encrypted TGT is then delivered to the user (AS-REP).
3. To request a Ticket Granting Service (TGS) ticket (TGS-REQ), the user presents the TGT to the DC. The DC validates the TGT and creates a TGS ticket.
4. The TGS ticket is encrypted with the target service account's NTLM password hash and sent to the user (TGS-REP).
5. The user presents the TGS ticket (AP-REQ) and establishes a connection with the server running the service on the relevant port.
6. The service uses its own NTLM password hash to decrypt the TGS ticket.

Where is the Flaw?

The service account's weak password is the root of the vulnerability. As stated above, the ticket is encrypted with the target service's password hash, and any authenticated user in the domain can request this ticket from the KDC and attempt to crack it offline. If strong password policies are not enforced, a weak password can be recovered, leading to unauthorized access. A user or machine account is the two types of...
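The risk factors named in the "Understanding Kerberoasting" and "Where is the Flaw?" sections (an SPN on a user account, a password that never expires or is years old, Domain Admins membership, and no AES enforcement so RC4 service tickets are still issued) can be checked mechanically. The following audit is an added example written for this page, not code from the original post or from any tool it mentions. It runs over constructed sample records shaped like an LDAP export of the relevant attributes; the account names, group DNs and the one-year password-age limit are assumptions, while the userAccountControl and msDS-SupportedEncryptionTypes bit values are the real Active Directory flag values.

```python
"""Audit Active Directory service accounts for the Kerberoasting risk factors
discussed above. Input records are constructed samples shaped like an LDAP
export of user attributes; nothing here talks to a real directory."""
from datetime import datetime, timedelta, timezone

# Real AD flag values
UF_DONT_EXPIRE_PASSWD = 0x10000          # userAccountControl: password never expires
AES128_CTS_HMAC_SHA1_96 = 0x08           # msDS-SupportedEncryptionTypes bits
AES256_CTS_HMAC_SHA1_96 = 0x10
AES_MASK = AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96

# Assumed policy values for this example
MAX_PASSWORD_AGE_DAYS = 365
PRIVILEGED_GROUPS = {"CN=Domain Admins,CN=Users,DC=corp,DC=example"}  # assumed DN

# Fixed clock so the results are reproducible
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample accounts (hypothetical names, SPNs and DNs)
SAMPLE_ACCOUNTS = [
    {   # SPN, stale non-expiring password, Domain Admin, RC4 still negotiable
        "sAMAccountName": "svc_sql",
        "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
        "pwdLastSet": NOW - timedelta(days=1400),
        "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD,
        "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"],
        "msDS-SupportedEncryptionTypes": 0,   # unset: RC4 service tickets allowed
    },
    {   # SPN, but recently rotated, low-privilege, AES enforced
        "sAMAccountName": "svc_web",
        "servicePrincipalName": ["HTTP/intranet.corp.example"],
        "pwdLastSet": NOW - timedelta(days=20),
        "userAccountControl": 0x200,
        "memberOf": ["CN=Web Operators,OU=Groups,DC=corp,DC=example"],
        "msDS-SupportedEncryptionTypes": AES256_CTS_HMAC_SHA1_96,
    },
    {   # ordinary user with no SPN: not a Kerberoasting target at all
        "sAMAccountName": "jdoe",
        "servicePrincipalName": [],
        "pwdLastSet": NOW - timedelta(days=800),
        "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD,
        "memberOf": [],
        "msDS-SupportedEncryptionTypes": 0,
    },
]


def audit_account(acct, now=NOW):
    """Return the list of risk findings for one account. Accounts without an
    SPN get no service tickets issued for them, so they return no findings."""
    if not acct.get("servicePrincipalName"):
        return []
    findings = []
    if acct.get("userAccountControl", 0) & UF_DONT_EXPIRE_PASSWD:
        findings.append("password never expires")
    age_days = (now - acct["pwdLastSet"]).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password last set {age_days} days ago")
    if PRIVILEGED_GROUPS.intersection(acct.get("memberOf", [])):
        findings.append("member of a privileged group")
    if not acct.get("msDS-SupportedEncryptionTypes", 0) & AES_MASK:
        findings.append("AES not enforced (RC4 service tickets possible)")
    return findings


def audit_accounts(accounts, now=NOW):
    """Map every SPN-bearing account name to its findings ([] means clean)."""
    return {a["sAMAccountName"]: audit_account(a, now)
            for a in accounts if a.get("servicePrincipalName")}


if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'; '.join(findings) if findings else 'no findings'}")
```

Each finding maps to a remediation the article argues for: rotate the password to a long random value (or move the service to a group Managed Service Account), strip the account out of Domain Admins, and set msDS-SupportedEncryptionTypes so the KDC issues AES tickets for it rather than RC4 ones.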
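Because, as the "Where is the Flaw?" section says, any domain user can ask the KDC for a service ticket, the request itself is visible to the defender: a domain controller logs every TGS-REQ as Windows Security event 4769, and that event records the requesting account, the service name and the ticket encryption type. The detection below is an added example written for this page, not the author's or any product's code. It runs over constructed 4769-style records (hypothetical users, services and addresses) and flags one account requesting RC4-encrypted tickets (TicketEncryptionType 0x17, the real value for RC4-HMAC) for several distinct user-account services within a short window; the window length and threshold are assumed tuning values.

```python
"""Flag Kerberoasting-style bursts in Windows Security event 4769 records:
one requester obtaining RC4 service tickets for many distinct service accounts
in a short time. The events are constructed samples, not a real capture."""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"                 # real 4769 TicketEncryptionType value for RC4-HMAC
WINDOW_SECONDS = 300              # assumed tuning value
DISTINCT_SERVICE_THRESHOLD = 3    # assumed tuning value

# Constructed sample events with the 4769 fields the detection needs
SAMPLE_EVENTS = [
    # normal activity: AES (0x12) tickets for the services a user actually uses
    {"TimeCreated": "2024-06-01T09:00:01", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.20"},
    {"TimeCreated": "2024-06-01T09:00:05", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.20"},
    # suspicious burst: RC4 tickets for several service accounts within seconds
    {"TimeCreated": "2024-06-01T10:15:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.77"},
    {"TimeCreated": "2024-06-01T10:15:01", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.77"},
    {"TimeCreated": "2024-06-01T10:15:01", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.77"},
    {"TimeCreated": "2024-06-01T10:15:02", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.77"},
    {"TimeCreated": "2024-06-01T10:15:02", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.77"},
    # one isolated RC4 ticket hours later: below the threshold on its own
    {"TimeCreated": "2024-06-01T16:40:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_print", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.77"},
]


def is_roastable_target(service_name):
    """Only user accounts with human-chosen passwords are the concern: skip
    machine accounts (trailing '$') and the krbtgt account."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, window=WINDOW_SECONDS, threshold=DISTINCT_SERVICE_THRESHOLD):
    """Return one alert per (requester, source IP) whose RC4 service-ticket
    requests cover at least `threshold` distinct user-account services inside
    any `window`-second span."""
    rc4_requests = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        if not is_roastable_target(ev["ServiceName"]):
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        rc4_requests[(ev["TargetUserName"], ev["IpAddress"])].append((ts, ev["ServiceName"]))

    alerts = []
    for (user, ip), reqs in rc4_requests.items():
        reqs.sort()
        # sliding window over the time-ordered requests, keeping the widest set
        start, best, best_start = 0, set(), None
        for end in range(len(reqs)):
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window:
                start += 1
            services = {name for _, name in reqs[start:end + 1]}
            if len(services) > len(best):
                best, best_start = services, reqs[start][0]
        if len(best) >= threshold:
            alerts.append({"user": user, "ip": ip, "services": sorted(best),
                           "window_start": best_start.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"{alert['user']} from {alert['ip']} at {alert['window_start']}: "
              f"RC4 tickets for {', '.join(alert['services'])}")
```

Keying on RC4 works because a domain that has enforced AES on its service accounts should see almost no 0x17 service tickets at all, so the remaining ones stand out; the machine-account filter keeps file-server and workstation tickets, which use long random passwords, from inflating the count.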