CAPEC-652

Use of Known Kerberos Credentials
Likelihood of Attack: MEDIUM
Typical Severity: HIGH
Status: Draft
Submitted: 2020-07-30 00:00 +00:00
Last Modified: 2022-09-29 00:00 +00:00

Description

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

Information

Execution Flow

1) Explore

[Acquire known Kerberos credentials] The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.

Technique
  • An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web.
  • An adversary guesses the credentials to a weak Kerberos service account.
  • An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted.
  • An adversary conducts a Kerberoasting attack.

2) Experiment

[Attempt Kerberos authentication] Try each Kerberos credential against various resources within the domain until the target grants access.

Technique
  • Manually or automatically enter each Kerberos service account credential through the target's interface.
  • Attempt a Pass the Ticket attack.

3) Exploit

[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to move laterally within the domain.

4) Exploit

[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

5) Exploit

[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications.

Prerequisites

The system/application leverages Kerberos authentication.
The system/application uses one-factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.
The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.
The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.
The targeted network allows for network sniffing attacks to succeed.

Skills Required

Once an adversary obtains a known Kerberos credential, leveraging it is trivial.

Resources Required

A valid Kerberos ticket or a known Kerberos service account credential.

Mitigations

Create a strong password policy and ensure that your system enforces this policy for Kerberos service accounts.
Ensure Kerberos service accounts are not reusing username/password combinations for multiple systems, applications, or services.
Do not reuse Kerberos service account credentials across systems.
Deny remote use of Kerberos service account credentials to log into domain systems.
Do not allow Kerberos service accounts to be a local administrator on more than one system.
Enable at least AES Kerberos encryption for tickets.
Monitor system and domain logs for abnormal credential access.
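The last two mitigations can be checked together from domain controller telemetry. The following added example (not part of the CAPEC entry) runs over a constructed set of Windows Security event 4769 "Kerberos service ticket was requested" records and flags two things: service tickets issued with the legacy RC4 encryption type (0x17), which shows the AES mitigation is not in effect for that service account, and one account requesting tickets for many distinct SPNs in a short window, the request pattern a Kerberoasting run leaves behind. The field names, account names and SPNs are assumptions for the sample data.

```python
"""Flag Kerberoasting-style TGS request patterns in Windows Security event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type codes as logged in the Ticket Encryption Type field of event 4769.
RC4_HMAC = 0x17            # legacy RC4-HMAC: cheap to crack offline; should disappear once AES is enforced
AES_TYPES = {0x11, 0x12}   # AES128 / AES256 CTS-HMAC-SHA1-96

# Constructed sample records (not real telemetry): a simplified field set per 4769 event.
# status "0x0" is a successful ticket issue; other values are Kerberos failure codes.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "account": "jsmith@CORP.LOCAL", "service": "MSSQLSvc/db01", "etype": 0x12, "status": "0x0"},
    {"time": "2024-05-01T09:00:02", "account": "jsmith@CORP.LOCAL", "service": "HTTP/web01", "etype": 0x17, "status": "0x0"},
    {"time": "2024-05-01T09:00:02", "account": "jsmith@CORP.LOCAL", "service": "MSSQLSvc/db02", "etype": 0x17, "status": "0x0"},
    {"time": "2024-05-01T09:00:03", "account": "jsmith@CORP.LOCAL", "service": "CIFS/files01", "etype": 0x17, "status": "0x0"},
    {"time": "2024-05-01T09:00:04", "account": "jsmith@CORP.LOCAL", "service": "ldap/dc01", "etype": 0x17, "status": "0x0"},
    {"time": "2024-05-01T10:15:00", "account": "svc_backup@CORP.LOCAL", "service": "CIFS/files01", "etype": 0x12, "status": "0x0"},
    {"time": "2024-05-01T10:15:30", "account": "svc_backup@CORP.LOCAL", "service": "CIFS/files02", "etype": 0x12, "status": "0x0"},
]

def rc4_requests(events):
    """Return (account, service) pairs where an RC4 service ticket was issued: each is a crackable ticket."""
    return [(e["account"], e["service"]) for e in events
            if e["status"] == "0x0" and e["etype"] == RC4_HMAC]

def spn_bursts(events, window=timedelta(minutes=5), threshold=4):
    """Return {account: distinct SPN count} for accounts that requested tickets for
    at least `threshold` different SPNs inside one sliding time window."""
    by_account = defaultdict(list)
    for e in events:
        if e["status"] == "0x0":
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(spns) >= threshold:
                flagged[account] = len(spns)
                break
    return flagged

if __name__ == "__main__":
    print("RC4 service tickets issued:", rc4_requests(SAMPLE_EVENTS))
    print("Accounts with SPN request bursts:", spn_bursts(SAMPLE_EVENTS))
```

The threshold and window are tuning knobs: legitimate service accounts and monitoring tools also request several SPNs, so baseline them per account before alerting.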

Related Weaknesses

CWE-ID Weakness Name
CWE-522 Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-307 Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
CWE-308 Use of Single-factor Authentication
The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.
CWE-309 Use of Password System for Primary Authentication
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
CWE-262 Not Using Password Aging
The product does not have a mechanism in place for managing password aging.
CWE-263 Password Aging with Long Expiration
The product supports password aging, but the expiration period is too long.
CWE-654 Reliance on a Single Factor in a Security Decision
A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.
CWE-294 Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
CWE-836 Use of Password Hash Instead of Password for Authentication
The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

References

REF-584

BRONZE BUTLER Targets Japanese Enterprises
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

REF-585

Kerberoasting Without Mimikatz
https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/

REF-586

Invoke-Kerberoast
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/

Submission

Name: CAPEC Content Team
Organization: The MITRE Corporation
Date Released: 2020-07-30 +00:00

Modifications

CAPEC Content Team (The MITRE Corporation), 2020-12-17 +00:00: Updated Description, Notes, Related_Attack_Patterns
CAPEC Content Team (The MITRE Corporation), 2022-02-22 +00:00: Updated Description, Extended_Description
CAPEC Content Team (The MITRE Corporation), 2022-09-29 +00:00: Updated Extended_Description, Prerequisites