KERBEROASTING – The Number 1 Microsoft Domain Attack Among Hackers

KERBEROASTING – In the domain management environment better known as Active Directory, there is a type of account dedicated to running a service. These accounts generally have excessive privileges and often also belong to the “Domain Administrators” group on domain controllers. To make matters worse, these accounts are rarely audited.

The name of this attack (Kerberoasting) was given by Tim Medin and the attack process was presented at DerbyCon 2014.

KERBEROASTING – Anatomy of an internal attack

When an attacker gains initial access via a phishing email, a USB attack, or a weak password, he can easily enumerate these types of accounts, which are used to access services, with the command “setspn -T DomainName -Q */*”

SETSPN is a command-line tool that has been built in since Windows Server 2008. It can also be downloaded from Microsoft and run as an .exe file by any user in a domain environment. Here we run the SETSPN tool as a user named “usuario.vulnerable”.

As we can see, when we enumerate the user “usuario.vulnerable” we discover that he has only basic permissions on the domain. “usuario.vulnerable” represents any careless user who allowed an external agent access to the internal network.

But when we run the SETSPN tool we can find a lot of revealing information:

What we are seeing here are the service principal names (SPNs) in the forest to which the domain “notanseguro.com” belongs.

The last ticket deserves a closer look:

This ticket was created for the user “SVC-SERVICIOSQL” to have access to the server called “SERVIDORSQL.notanseguro.com” through port 1433, which is the default port of the MSSQL service.

Attackers are generally more interested in accounts that have an “AdminCount” of 1, because these are privileged accounts that are or were in some privileged domain group. I invite you to find more information about attacks using an AdminCount of 1 in:

ADMINCOUNT = 1 | From Regular User To Domain Administrator WITH PERSISTENCE In 5 Minutes.

The ticket already mentioned makes us assume that at some point the user completed the Kerberos authentication process that we examined at the beginning, and that a system administrator also configured this user with the permissions needed for privileged access to this type of resource through port 1433 on the “SERVIDORSQL” server. The attack process requires that we request a Kerberos ticket, in this case a TGS ticket on behalf of the user “SVC-SERVICIOSQL” destined for the server “SERVIDORSQL”. Now, I imagine there are two questions hanging around:

How is this authentication process called Kerberos vulnerable? How can we complete this attack process?

Well, the answer to the first question is not that complicated. When generating the service ticket, the domain controller uses a type of encryption called RC4_HMAC_MD5, which uses the NTLM hash of the password of the user who requested access to the service; in this case, the user requesting the service was “SVC-SERVICIOSQL”. This implies that, if we can acquire the ticket, we can manipulate it to decipher the password if we have access to the hash hidden in the ticket.

Answering the second question, the attack process involves several steps. The first is to request the ticket on behalf of the user “SVC-SERVICIOSQL”. Once obtained, the ticket is saved in the computer’s memory; at that moment it can be extracted, saved and processed, which means converting it into a format that a brute-force program can use to find the password of the user “SVC-SERVICIOSQL”.

The good news is that this entire process is automated using PowerShell. Will Schroeder created a PowerShell script that runs the whole process and produces at the end a hash ready to be processed in Hashcat, which makes it possible to obtain the user’s password. Let’s see…

As we can see, when executing the PowerShell script, we obtain the hash of “SVC-SERVICIOSQL”. Now it is very important to point out that attacks using PowerShell are tremendously difficult for antivirus to detect because of their versatility. We must remember that PowerShell is a native tool included in most versions of the Windows operating system. There are countless ways to execute these PowerShell scripts in the computer’s memory without touching the hard disk, which keeps them from being detected by antivirus; it is even possible to run PowerShell scripts in encrypted form.

Let’s see the same attack running in encrypted form…

Obtaining the same result and without being detected by antivirus:

As I mentioned, it is also possible to execute the same type of attack in the computer’s memory without touching the disk:

Obtaining the same result again and without being detected by the antivirus.

It is very important to emphasize these processes because time and time again we see that companies are not paying enough attention to new forms of attack, allowing the indiscriminate use of attacks that rely on PowerShell.

Finally, the ticket hash that includes the NTLM hash was obtained. Now it is time to process it using Hashcat to get the user’s credential:

This brute-force process is executed on the attacker’s computer. I would like you to pay a little attention to the code that was used to get the password “Pass1234 !!”, which you can see at the end of the code.

In this case we use “-m 13100”, which for Hashcat means that we are processing a hash called “Kerberos 5 TGS-REP etype 23”.
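Seen from the defender's side, the etype 23 named above is what a domain controller records as ticket encryption type 0x17 in Security event 4769 (a Kerberos service ticket was requested). The following detection sketch is an added example, not part of the original article; the event records are constructed, and the `privileged` watchlist, the burst threshold and the five-minute window are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = 0x17  # etype 23 (RC4_HMAC_MD5), the format Hashcat calls -m 13100

# Constructed events with a subset of Security event 4769 fields. Only
# usuario.vulnerable, SVC-SERVICIOSQL and SERVIDORSQL come from the article.
U = "usuario.vulnerable@NOTANSEGURO.COM"
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-01-15T10:00:01", "TargetUserName": U,
     "ServiceName": "SVC-SERVICIOSQL", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2025-01-15T10:00:02", "TargetUserName": U,
     "ServiceName": "svc-web", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2025-01-15T10:00:03", "TargetUserName": U,
     "ServiceName": "svc-backup", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2025-01-15T10:02:00", "TargetUserName": "ana.lopez@NOTANSEGURO.COM",
     "ServiceName": "svc-web", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2025-01-15T10:03:00", "TargetUserName": "ana.lopez@NOTANSEGURO.COM",
     "ServiceName": "SERVIDORSQL$", "TicketEncryptionType": "0x17"},
]

def rc4_service_requests(events):
    """Keep 4769 events whose ticket is RC4-encrypted for a user-account service."""
    def user_service(name):  # machine accounts and krbtgt have long random passwords
        return not name.endswith("$") and name.lower() != "krbtgt"
    return [ev for ev in events
            if int(ev["TicketEncryptionType"], 16) == RC4_ETYPE
            and user_service(ev["ServiceName"])]

def detect(events, privileged=(), burst=3, window=timedelta(minutes=5)):
    """Return alerts as (requester, reason, services) tuples."""
    alerts, by_user = [], defaultdict(list)
    for ev in rc4_service_requests(events):
        user, svc = ev["TargetUserName"], ev["ServiceName"]
        by_user[user].append((datetime.fromisoformat(ev["TimeCreated"]), svc))
        if svc in privileged:
            alerts.append((user, "rc4-ticket-for-privileged-service", [svc]))
    for user, reqs in by_user.items():
        reqs.sort()
        for start, _ in reqs:
            seen = sorted({s for t, s in reqs if start <= t <= start + window})
            if len(seen) >= burst:  # many distinct services in one short window
                alerts.append((user, "rc4-burst", seen))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, privileged={"SVC-SERVICIOSQL"}):
        print(alert)
```

The AES request (0x12) and the RC4 request for the machine account SERVIDORSQL$ are deliberately ignored, so the only alerts come from the regular user who asked for RC4 tickets to three service accounts within seconds.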

In this way, at the end of the process, the account belonging to the user “SQL SERVICIO” has been compromised. Maybe at this point you are thinking that this is not a problem. The truth is that it is a very serious problem for a company that has this type of configuration without the corresponding security mechanisms, because in this case “SVC-SERVICIOSQL” is part of the “Domain Administrators” group:

Yes, you are seeing correctly: starting from a user with regular permissions, an attacker can enumerate users, groups, permissions, and endless other data by making calls to the domain controller without any difficulty. In this case, the attacker proceeded to enumerate the users in the Domain Administrators group, discovering that the newly compromised user was of high value, eventually allowing him access to the domain controller as a system administrator using PowerShell Remoting:

Now, there is a serious problem.
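An audit that surfaces an account like “SVC-SERVICIOSQL” before an attacker does, as an added example that is not part of the original article: it flags accounts that hold an SPN and also allow RC4, have an AdminCount of 1, or have an old password. The records, the SPN strings, the ISO-formatted `pwdLastSet` values, the 365-day threshold and the treatment of an unset encryption-type value as RC4-capable are assumptions of the example.

```python
from datetime import date

RC4_HMAC = 0x04  # msDS-SupportedEncryptionTypes bit for RC4_HMAC_MD5

# Constructed records shaped like LDAP attributes. Names other than those in
# the article, the SPN strings, and every value are invented for illustration.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "SVC-SERVICIOSQL", "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/SERVIDORSQL.notanseguro.com:1433"],
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2016-03-01"},
    {"sAMAccountName": "svc-backup", "adminCount": 0,
     "servicePrincipalName": ["backup/srv02.notanseguro.com"],
     "msDS-SupportedEncryptionTypes": 0x1C, "pwdLastSet": "2024-10-01"},
    {"sAMAccountName": "svc-web", "adminCount": 0,
     "servicePrincipalName": ["HTTP/intranet.notanseguro.com"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": "2024-11-20"},
    {"sAMAccountName": "usuario.vulnerable", "adminCount": 0,
     "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2024-06-02"},
]

def findings(acct, today, max_age_days=365):
    """List the reasons a ticket for this account invites offline cracking."""
    if not acct["servicePrincipalName"]:
        return []  # no SPN, so no service ticket is issued for this account
    reasons = []
    etypes = acct["msDS-SupportedEncryptionTypes"]
    # Assumption of this example: an unset value (0) is treated as RC4-capable.
    if etypes == 0 or etypes & RC4_HMAC:
        reasons.append("rc4-allowed")
    if acct["adminCount"] == 1:
        reasons.append("privileged")
    if (today - date.fromisoformat(acct["pwdLastSet"])).days > max_age_days:
        reasons.append("stale-password")
    return reasons

def audit(accounts, today):
    """Map each exposed account to its findings, most findings first."""
    scored = [(a["sAMAccountName"], findings(a, today)) for a in accounts]
    scored.sort(key=lambda item: -len(item[1]))
    return {name: reasons for name, reasons in scored if reasons}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_ACCOUNTS, date(2025, 1, 15)).items():
        print(name, reasons)
```

An account that collects all three findings, as “SVC-SERVICIOSQL” does here, is the first candidate for an AES-only setting, a long random password, and removal from privileged groups.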

How can RedDefense Global help me keep my domain free from internal vulnerabilities?

RedDefense Global has paid attention to the real situation of the domains. We understand that domain administrators often don’t have time to study and search for vulnerabilities as dangerous as this one because they are busy supporting employees, creating new users or replacing computers. If that is the case with your technology department, we invite you to contact us so that we can tell you about our NON-INVASIVE procedures. Our intention is to provide a real solution to internal vulnerabilities that antivirus cannot identify.

If you want to know more about our specialized services in the prevention of vulnerabilities in internal networks, we invite you to visit: 

https://www.reddefenseglobal.com/internal-penetration

https://seguridad-ofensiva.com/pruebas-de-penetracion-internas

We are here to assess and increase the security of your technology environment.