CAPEC-509

Kerberoasting
HIGH
Stable
2019-04-04 00:00 +00:00
2020-12-17 00:00 +00:00


Description

Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request a service ticket from Active Directory and obtain one with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it to disk, the adversary can brute force the hashed value offline to reveal the target account credentials.

Information

Execution Flow

1) Explore

Scan for user accounts with set SPN values

Technique
  • These can be found via PowerShell or LDAP queries, as well as by enumerating startup name accounts and other means.

2) Explore

Request service tickets

Technique
  • Using the user account's SPN value, request other service tickets from Active Directory.

3) Experiment

Extract ticket and save to disk

Technique
  • Certain tools like Mimikatz can extract local tickets and save them to memory/disk.

4) Exploit

Crack the encrypted ticket to harvest plain text credentials

Technique
  • Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack.

Prerequisites

The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.
The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).
The adversary requires a brute force tool.

Skills Required

Level: Medium

Mitigations

Monitor system and domain logs for abnormal access.
Employ a robust password policy for service accounts. Passwords should be of adequate length and complexity, and they should expire after a period of time.
Employ the principle of least privilege: limit service accounts privileges to what is required for functionality and no more.
Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
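The first and last mitigations above (monitor domain logs; move service accounts from RC4 to AES) can be checked from the same data: Windows Security event ID 4769, "A Kerberos service ticket was requested", records the requesting account, the service name and the ticket encryption type. The script below is an added example and is not part of the CAPEC entry or of any of the referenced tools. It assumes the 4769 events have been exported as one pipe-delimited line per event in the field order shown in the docstring (the log lines are constructed for this example); the encryption type codes 0x17 (RC4-HMAC) and 0x11/0x12 (AES128/AES256) are the standard Kerberos etype values. It flags requesters that pull RC4 tickets for several distinct user-SPN services in bulk, and lists every service account that still issues RC4 tickets so it can be prioritised for the AES mitigation.

```python
"""Detection sketch for Kerberoasting-style service ticket requests.

Assumptions (this layout is not from CAPEC-509): Windows Security event
ID 4769 exported as one pipe-delimited line per event, fields in order:
    time | requesting_account | service_name | ticket_encryption_type | status
Status 0x0 means the ticket was issued. Encryption type codes are the
standard Kerberos etype values: 0x17 = RC4-HMAC, 0x12 = AES256, 0x11 = AES128.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}
# Services whose tickets are not Kerberoast candidates: the TGS itself and
# machine accounts (names ending in '$', whose keys are long and random).
IGNORED_SERVICES = {"krbtgt"}

# Constructed sample export of 4769 events (not real log data).
SAMPLE_4769 = """\
2024-05-01T09:00:01|alice@CORP.LOCAL|krbtgt|0x12|0x0
2024-05-01T09:00:05|alice@CORP.LOCAL|FILESRV01$|0x12|0x0
2024-05-01T09:01:10|bob@CORP.LOCAL|svc_sql|0x17|0x0
2024-05-01T09:01:11|bob@CORP.LOCAL|svc_backup|0x17|0x0
2024-05-01T09:01:11|bob@CORP.LOCAL|svc_web|0x17|0x0
2024-05-01T09:01:12|bob@CORP.LOCAL|svc_iis|0x17|0x0
2024-05-01T09:02:00|carol@CORP.LOCAL|svc_sql|0x12|0x0
2024-05-01T09:02:30|dave@CORP.LOCAL|svc_sql|0x17|0x0
2024-05-01T09:03:00|mallory@CORP.LOCAL|svc_sql|0x17|0x12
"""


@dataclass(frozen=True)
class TgsRequest:
    time: str
    account: str
    service: str
    enc_type: int
    status: int


def parse_4769(text: str) -> list[TgsRequest]:
    """Parse the pipe-delimited export into TgsRequest records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, account, service, enc, status = line.split("|")
        events.append(TgsRequest(time, account, service, int(enc, 16), int(status, 16)))
    return events


def is_roastable_request(ev: TgsRequest) -> bool:
    """True for an RC4 ticket actually issued for a user (non-machine) service account."""
    if ev.status != 0:
        return False  # no ticket was issued, nothing to crack offline
    if ev.service in IGNORED_SERVICES or ev.service.endswith("$"):
        return False
    return ev.enc_type == RC4_HMAC


def find_kerberoast_candidates(events: list[TgsRequest], burst_threshold: int = 3):
    """Return (flagged_accounts, rc4_services).

    flagged_accounts: requesters that obtained RC4 tickets for at least
        burst_threshold distinct user-SPN services (bulk harvesting).
    rc4_services: every service account that still issues RC4 tickets,
        i.e. candidates for enabling AES.
    """
    per_requester: dict[str, set[str]] = defaultdict(set)
    rc4_services: set[str] = set()
    for ev in events:
        if is_roastable_request(ev):
            per_requester[ev.account].add(ev.service)
            rc4_services.add(ev.service)
    flagged = {acct: sorted(svcs) for acct, svcs in per_requester.items()
               if len(svcs) >= burst_threshold}
    return flagged, rc4_services


if __name__ == "__main__":
    flagged, rc4_services = find_kerberoast_candidates(parse_4769(SAMPLE_4769))
    for acct, services in flagged.items():
        print(f"ALERT {acct}: RC4 tickets for {len(services)} user SPNs: {', '.join(services)}")
    print("Service accounts still issuing RC4 tickets:", ", ".join(sorted(rc4_services)))
```

On the constructed sample only bob is flagged (four distinct RC4 tickets within seconds), dave's single RC4 request stays below the burst threshold, and the failed request from mallory is skipped because no ticket was issued. The `burst_threshold` and the machine-account and krbtgt exclusions are the knobs to tune against a domain's normal baseline before acting on the output.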

Related Weaknesses

CWE-ID: Weakness Name

CWE-522: Insufficiently Protected Credentials
  The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

CWE-308: Use of Single-factor Authentication
  The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

CWE-309: Use of Password System for Primary Authentication
  The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

CWE-294: Authentication Bypass by Capture-replay
  A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

CWE-263: Password Aging with Long Expiration
  The product supports password aging, but the expiration period is too long.

CWE-262: Not Using Password Aging
  The product does not have a mechanism in place for managing password aging.

CWE-521: Weak Password Requirements
  The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

References

REF-559

Extracting Service Account Passwords with Kerberoasting
Jeff Warren.
https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/

REF-585

Kerberoasting Without Mimikatz
https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/

REF-586

Invoke-Kerberoast
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/

Submission

Name Organization Date Date Release
CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated @Status, Example_Instances, References, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Execution_Flow