Kerberos is an authentication protocol that uses tickets to provide strong authentication for client/server applications and became the default authentication method for Windows 2000 and later versions.
The Kerberos protocol uses either symmetric-key or public-key cryptography to provide secure communication with other services and applications on the network. However, as with any widely adopted authentication protocol, Kerberos has become a prime target for hackers, whose main goal is to extract service account credentials from Active Directory.
Attackers can use these credentials to obtain a “Golden Ticket”, which allows them to access any resources on the network. As you can imagine, Kerberoasting attacks are very dangerous – not to mention hard to detect.
Below is a more detailed explanation of how they work, and what you can do to protect yourself from them.
Extracting Service Account Passwords
Service accounts are non-human accounts that are used to run services or applications. Service accounts often have elevated privileges, their passwords are rarely (if ever) changed, and they are rarely monitored by security teams. This allows hackers to leverage a compromised service account for an extended period of time, thus making them an attractive target.
Each service instance has a unique identifier called a Service Principal Name (SPN), which also includes information about what the account is used for and its location. Any authenticated user can log in to an Active Directory domain and submit a request for a ticket-granting service (TGS) ticket for any service account by specifying its SPN value.
They can then extract the service account’s password hash and attempt a brute force attack to obtain the plaintext password, with little risk of being detected or locked out of their account.
How to Prevent the Extraction of Service Accounts
Firstly, you need to know exactly what service accounts you have. You will need to create an inventory of these accounts, and include information about why the accounts exist, who has access to them, and which services and applications they can access.
You should also include documentation about when they should be reviewed, deactivated, or deleted. You will need to ensure that service accounts are granted the least privileges they need to perform their role. As always, you will need to make sure that the default service account passwords are changed.
As mentioned previously, one of the main reasons why service accounts are an attractive target to hackers is because their passwords tend not to change. As such, you should use an automated password management solution to ensure that passwords are periodically rotated.
In order to minimize the damage that could be caused by a compromised service account, you should ensure that separate accounts are used for different services and users. Likewise, you should avoid using the same password for multiple service accounts. When a service account is no longer needed, it must be decommissioned as soon as possible.
To help with this, there are tools available that can automatically detect and manage inactive service accounts.
Finally, make sure that you monitor service accounts for suspicious activity, by using a sophisticated real-time auditing solution that uses machine learning to detect and respond to anomalous activity.
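The inventory checks described above can be run as a script over an export of the service accounts. The following is an added example, not part of the original article: the CSV data is constructed, the "privileged", "owner" and "purpose" columns are hypothetical inventory fields, and the 90-day and 180-day thresholds are assumed policy values.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed inventory export (not real data). sAMAccountName,
# servicePrincipalName, pwdLastSet and lastLogonTimestamp are AD attribute
# names; "privileged", "owner" and "purpose" are hypothetical inventory columns.
INVENTORY_CSV = """sAMAccountName,servicePrincipalName,pwdLastSet,lastLogonTimestamp,privileged,owner,purpose
svc-sql,MSSQLSvc/db01.example.test:1433,2019-03-02,2024-05-30,yes,dba-team,SQL Server engine
svc-web,HTTP/intranet.example.test,2024-04-20,2024-06-01,no,web-team,Intranet app pool
svc-old,HTTP/legacy.example.test,2017-11-11,2021-01-15,no,,
"""

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation policy
MAX_INACTIVITY = timedelta(days=180)    # assumed decommission threshold


def audit_inventory(csv_text, now):
    """Return {account: [findings]} for accounts that break the checklist."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        pwd_set = datetime.strptime(row["pwdLastSet"], "%Y-%m-%d")
        last_logon = datetime.strptime(row["lastLogonTimestamp"], "%Y-%m-%d")
        # No documented owner or purpose: nobody is accountable for review.
        if not row["owner"] or not row["purpose"]:
            issues.append("undocumented")
        # Password older than the rotation policy allows.
        if now - pwd_set > MAX_PASSWORD_AGE:
            issues.append("password-stale")
        # Unused account that should have been decommissioned.
        if now - last_logon > MAX_INACTIVITY:
            issues.append("inactive")
        # Elevated rights plus an old password is the highest-value target.
        if row["privileged"] == "yes" and "password-stale" in issues:
            issues.append("privileged-with-stale-password")
        if issues:
            findings[row["sAMAccountName"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_inventory(INVENTORY_CSV, datetime(2024, 6, 10))
    for account, issues in report.items():
        print(account, "->", ", ".join(issues))
```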
Golden Ticket Attacks
A Golden Ticket attack is where an adversary is able to compromise an Active Directory Key Distribution Service Account (KRBTGT) and use it to create a Kerberos Ticket Granting Ticket (TGT). Doing so will allow them to access any resource on an Active Directory Domain without sounding any alarms, which is why it is referred to as a “Golden Ticket”.
As with any Kerberoasting attack, the attacker must first gain access to a legitimate user account with elevated privileges, which has access to a Domain Controller (DC). To do this, the attacker will usually try to infect a privileged user’s computer with malware in order to extract credentials, often via phishing or by exploiting some other vulnerability.
They will then need to log in to the Domain Controller and use a hacking application like Mimikatz to dump the password hash for the KRBTGT account. They can then load the Kerberos token into any session, which will give them access to any resources on the network.
How to Prevent Golden Ticket Attacks?
Since Golden Ticket Attacks are only possible if the attacker is able to gain access to a user account with elevated privileges, the obvious initial line of defense is to ensure that you are able to protect yourself from phishing attacks and other methods of infiltration.
A good starting point would be to ensure that all staff members are sufficiently trained to identify suspicious emails. They will need to check the sender’s address, check the domain of any embedded links before clicking on them, and they must never hand over their credentials to anyone.
As always, users should be granted the least privileges they need to adequately carry out their role, and Admin accounts should only be used when performing administrative duties.
As mentioned, Golden Ticket Attacks rely on Mimikatz to dump the password hash for the KRBTGT account. For detailed information about protecting yourself from Mimikatz-style attacks, please read the following article. In short, you will need to ensure that all operating systems are kept up-to-date, and you must disable the storage of plain text passwords in Active Directory.
Instead of relying on users to hand over their credentials, it’s possible that the attacker may try to brute-force their way in by repeatedly attempting different passwords on a privileged user account. In this case, you will need to use a real-time auditing solution that is capable of automatically responding to events that match a pre-defined threshold condition.
For example, if X number of failed login attempts have been detected within Y seconds, a custom script can be executed to stop the potential attack in its tracks. This might include disabling a user account, stopping a specific process, changing the firewall settings, or shutting down the affected server.
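The threshold rule above (X failed logins within Y seconds) is a per-account sliding window. The following is an added example, not part of the original article or of any product: the log lines are constructed, their three-field layout is an assumption, and respond is a hypothetical hook standing in for the custom response script.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (not real logs): timestamp, event ID, account.
# 4625 is the Windows "account failed to log on" event; 4624 is a success.
SAMPLE_EVENTS = """\
2024-06-10T09:00:01 4625 adm-jsmith
2024-06-10T09:00:03 4625 adm-jsmith
2024-06-10T09:00:04 4624 svc-web
2024-06-10T09:00:05 4625 adm-jsmith
2024-06-10T09:00:06 4625 adm-jsmith
2024-06-10T09:00:07 4625 adm-jsmith
2024-06-10T09:05:00 4625 hr-amy
2024-06-10T09:09:00 4625 hr-amy
"""


def detect_bruteforce(log_text, max_failures, window_seconds, respond=None):
    """Alert when an account has >= max_failures failures within the window."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerted = set()               # respond only once per account
    alerts = []
    for line in log_text.splitlines():
        stamp, event_id, account = line.split()
        if event_id != "4625":
            continue
        now = datetime.fromisoformat(stamp)
        window = recent[account]
        window.append(now)
        # Drop failures that have aged out of the Y-second window.
        while (now - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures and account not in alerted:
            alerted.add(account)
            alerts.append((account, stamp))
            if respond:
                respond(account)   # hypothetical hook, e.g. disable the account
    return alerts


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_EVENTS, max_failures=5, window_seconds=60))
```

Failures spread thinly over time, such as the two hr-amy events four minutes apart, stay under the threshold, so X and Y need to be tuned against normal mistyped-password rates.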
It is a good idea to change the password for the KRBTGT user on a regular basis. However, since both the current and previous password of the KRBTGT user are used by the Key Distribution Center (KDC) to validate Kerberos tickets, the password must be changed twice, approximately 12-24 hours apart to prevent potential service disruptions.
Other signs you can look out for that might indicate that an attacker has obtained a Golden Ticket include: usernames that don’t exist, username and RID mismatches, modified group memberships, weaker-than-normal encryption types, and ticket lifetimes exceeding the domain maximum.
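Each of these signs can be checked mechanically once ticket details are compared against the directory. The following is an added example, not part of the original article: the directory snapshot and ticket records are constructed, the record layout is an assumption about what a collector would supply, and the 10-hour maximum is an assumed domain policy value.

```python
# Constructed directory snapshot and ticket records (not real data).
DIRECTORY = {                      # account name -> (RID, group RIDs)
    "alice": (1104, {513}),
    "adm-bob": (1105, {512, 513}),
}
DOMAIN_MAX_LIFETIME_HOURS = 10     # assumed domain Kerberos policy
WEAK_ETYPES = {0x17}               # RC4-HMAC; the AES types are 0x11 and 0x12

TICKETS = [
    {"user": "alice", "rid": 1104, "groups": {513}, "etype": 0x12, "hours": 10},
    {"user": "ghost", "rid": 500, "groups": {512, 513, 519}, "etype": 0x17,
     "hours": 87600},
    {"user": "alice", "rid": 500, "groups": {512, 513}, "etype": 0x12, "hours": 8},
]


def golden_ticket_indicators(ticket):
    """Return which of the listed warning signs this ticket record shows."""
    hits = []
    entry = DIRECTORY.get(ticket["user"])
    if entry is None:
        hits.append("unknown-username")        # username that doesn't exist
    else:
        rid, groups = entry
        if ticket["rid"] != rid:
            hits.append("rid-mismatch")        # username and RID disagree
        if ticket["groups"] - groups:
            hits.append("extra-groups")        # memberships the directory lacks
    if ticket["etype"] in WEAK_ETYPES:
        hits.append("weak-etype")              # weaker-than-normal encryption
    if ticket["hours"] > DOMAIN_MAX_LIFETIME_HOURS:
        hits.append("lifetime-exceeds-max")    # longer than the policy allows
    return hits


if __name__ == "__main__":
    for t in TICKETS:
        print(t["user"], t["rid"], golden_ticket_indicators(t) or "clean")
```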
Most threats to sensitive data start with Active Directory. Using an Active Directory auditing and security solution like Lepide Data Security Platform can help give you the visibility you need to detect and respond to these threats before they escalate. Schedule a demo with one of our engineers today or start a 15-day free trial today to see how Lepide can help your business.