adsecurity.org
Open in
urlscan Pro
2607:f1c0:100f:f000::2af
Public Scan
URL:
https://adsecurity.org/?p=3458
Submission: On November 19 via api from SA — Scanned from CA
Submission: On November 19 via api from SA — Scanned from CA
Form analysis
2 forms found in the DOMGET https://adsecurity.org
<form class="searchform" method="get" action="https://adsecurity.org">
<div class="input-group">
<div class="form-group live-search-input">
<label for="s" class="screen-reader-text">Search for:</label>
<input type="text" id="s" name="s" class="form-control" placeholder="Search">
</div>
<span class="input-group-btn">
<button class="btn btn-default" type="submit"><i class="fa fa-search"></i></button>
</span>
</div>
</form>
GET https://adsecurity.org
<form class="searchform" method="get" action="https://adsecurity.org">
<div class="input-group">
<div class="form-group live-search-input">
<label for="s" class="screen-reader-text">Search for:</label>
<input type="text" id="s" name="s" class="form-control" placeholder="Search">
</div>
<span class="input-group-btn">
<button class="btn btn-default" type="submit"><i class="fa fa-search"></i></button>
</span>
</div>
</form>
Text Content
* Toggle search form Search for: Toggle navigation Active Directory Security Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia… * Home * About * AD Resources * Attack Defense & Detection * Contact * Mimikatz * Presentations * Schema Versions * Security Resources * SPNs * Top Posts Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot Feb 05 2017 DETECTING KERBEROASTING ACTIVITY * By Sean Metcalf in ActiveDirectorySecurity, Hacking, Microsoft Security, Technical Reference Introduction Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason why this attack is successful is that most service account passwords are the same length as the domain password minimum (often 10 or 12 characters long) meaning that even brute force cracking doesn’t likely take longer than the password maximum password age (expiration). Most service accounts don’t have passwords set to expire, so it’s likely the same password will be in effect for months if not years. Furthermore, most service accounts are over-permissioned and are often members of Domain Admins providing full admin rights to Active Directory (even when the service account only needs to modify an attribute on certain object types or admin rights on specific servers). Tim Medin presented on this at DerbyCon 2014 in his “Attacking Microsoft Kerberos Kicking the Guard Dog of Hades” presentation (slides & video) where he released the Kerberoast Python TGS cracker. This is a topic we have covered in the past in the posts “Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain” & “Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting.” Also Will Schroeder, aka Will Harmjoy (@harmj0y), and I spoke at DerbyCon 2016 about how to Kerberoast to escalate privileges. Note: This attack will not be successful when targeting services hosted by the Windows system since these services are mapped to the computer account in Active Directory which has an associated 128 character password which won’t be cracked anytime soon. Let’s quickly cover how Kerberos authentication works before diving into how Kerberoasting works and how to detect Kerberoast type activity. Kerberos Overview & Communication Process User logs on with username & password. 1a. Password converted to NTLM hash, a timestamp is encrypted with the hash and sent to the KDC as an authenticator in the authentication ticket (TGT) request (AS-REQ). 1b. The Domain Controller (KDC) checks user information (logon restrictions, group membership, etc) & creates Ticket-Granting Ticket (TGT). 2. The TGT is encrypted, signed, & delivered to the user (AS-REP). Only the Kerberos service (KRBTGT) in the domain can open and read TGT data. 3. The User presents the TGT to the DC when requesting a Ticket Granting Service (TGS) ticket (TGS-REQ). The DC opens the TGT & validates PAC checksum – If the DC can open the ticket & the checksum check out, TGT = valid. The data in the TGT is effectively copied to create the TGS ticket. 4. The TGS is encrypted using the target service accounts’ NTLM password hash and sent to the user (TGS-REP). 5.The user connects to the server hosting the service on the appropriate port & presents the TGS (AP-REQ). The service opens the TGS ticket using its NTLM password hash. 6. If mutual authentication is required by the client (think MS15-011: the Group Policy patch from February that added UNC hardening). Unless PAC validation is required (rare), the service accepts all data in the TGS ticket with no communication to the DC. SPN Scanning for Targets Any user authenticated to Active Directory can query for user accounts with a Service Principal Name (SPN). This enables an attacker with access to a computer on the network to identify all service accounts supporting Kerberos authentication and what they are used for. Each SPN starts with a SPN type which is the first part of the SPN. If the SPN is “MSSQLSvc/adsmsDB01.adsecurity.org:1433”, then “MSSQLSvc” is the SPN type. We can check the ADSecurity.org SPN directory and see it’s for Microsoft SQL Server. The second part (after the forward slash /) is the server name the Kerberos service is running on. The server name can be the FQDN or the short name (often both). Sometimes there’s a colon (“:”) at the end which provides additional information, such as a port number or SQL instance. Anyone can perform “SPN Scanning” in order to identify Kerberos service SPNs registered in an Active Directory forest. Attackers are most interested in Service Accounts that are members of highly privileged groups like Domain Admins. A quick way to check for this is to enumerate all user accounts with the attribute “AdminCount” equal to ‘1’. I cover AdminCount in an earlier post (“Active Directory Recon Without Admin Rights“). This means an attacker may just ask AD for all user accounts with a SPN and with AdminCount=1. Using the Active Directory powershell module, we can use the Get-ADUser cmdlet: get-aduser -filter {AdminCount -eq 1} -prop * | select name,created,passwordlastset,lastlogondate We can also use PowerView’s Get-NetUser cmdlet: Get-NetUser -AdminCount | Select name,whencreated,pwdlastset,lastlogon Once we have this data, we can filter further to identify the Service Accounts. Another method to finding interesting Service Accounts is to filter based on SPN type. Some SPNs tend to have interesting permissions: * AGPMServer: Often has full control rights to all GPOs. * MSSQL/MSSQLSvc: Admin rights to SQL server(s) which often has interesting data. * FIMService: Often has admin rights to multiple AD forests. * STS: VMWare SSO service which could provide backdoor VMWare access. Kerberoasting these SPNs could lead to attacker gaining access to the associated service account credentials, which would provide easy privilege escalation if the associated password isn’t long & complex (>25 characters) or if the associated service account isn’t configured as a Managed Service Account. Kerberoasting This attack involves requesting a Kerberos service ticket(s) (TGS) for the Service Principal Name (SPN) of the target service account (Step #3 above). This request uses a valid domain user’s authentication ticket (TGT) to request one or several service tickets for a target service running on a server. The Domain Controller looks up the SPN in Active Directory and encrypts the ticket using the service account associated with the SPN in order for the service to validate user access. The encryption type of the requested Kerberos service ticket is RC4_HMAC_MD5 which means the service account’s NTLM password hash is used to encrypt the service ticket. We can request RC4 encrypted Kerberos TGS service tickets by using the following PowerShell command: > $SPNName = ‘MSSQLSvc/adsmsDB01.adsecurity.org:1433’ > Add-Type -AssemblyNAme System.IdentityModel > New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken > -ArgumentList $SPNName Running klist shows the new Kerberos service ticket with RC4-HMAC encryption. The next step is exporting the Kerberos ticket we just requested from memory, which can be done easily with Mimikatz (without admin rights). Kerberoast can attempt to open the Kerberos ticket by trying different NTLM hashes and when the ticket is successfully opened, the correct service account password is discovered. The Domain Controller doesn’t track if the user ever actually connects to these resources (or even if the user has access), so a user can request hundreds of service tickets, even if they never actually connect to the service. Note: No elevated rights are required to get the service tickets and no traffic is sent to the target. Note that Mimikatz is not required to extract the service ticket from memory: read Will’s post “Kerberoasting without Mimikatz” Mitigating Kerberoast Attack Activity The most effective mitigation of this attack is ensuring service account passwords are longer than 25 characters (and aren’t easily guessable) Managed Service Accounts and Group Managed Service Accounts are a good method to ensure that service account passwords are long, complex, and change regularly. A third party product that provides password vaulting is also a solid solution for managing service account passwords. Though any 3rd party password management tool needs to be properly evaluated since the associated service account often requires Domain Admin level rights. This evaluation should also include how these credentials are managed within the solution. Configuring Logging to Detect Kerberoast Activity Before having a chance to detect Kerberoasting, it’s important to have the appropriate logging enabled. Kerberoasting involves requesting Kerberos TGS service tickets with RC4 encryption. Domain Controllers can log Kerberos TGS service ticket requests by configuring “Audit Kerberos Service Ticket Operations” under Account Logon to log successful Kerberos TGS ticket requests. Enabling this audit category on Domain Controllers will result in two interesting event ids being logged: 4769: A Kerberos service ticket (TGS) was requested 4770: A Kerberos service ticket was renewed Event ID 4769 will be logged many, many times in the domain since after initial logon (and Kerberos TGT ticket request), users request Kerberos TGS service tickets to access the may services on the network (file shares, SQL, SharePoint, etc). Expect there will be around 10 to 20 Kerberos TGS requests per user every day. The 4769 event on Domain Controllers is one of the most numerous in any environment which is why it’s often not logged. Detecting Potential Kerberoast Activity I have presented and posted on potential methods to detect Kerberoasting activity in the past: > Detection is a lot tougher since requesting service tickets (Kerberos TGS > tickets) happens all the time when users need to access resources. > Looking for TGS-REQ packets with RC4 encryption is probably the best method, > though false positives are likely. > > Monitoring for numerous Kerberos service ticket requests in Active Directory > is possible by enabling Kerberos service ticket request monitoring (“Audit > Kerberos Service Ticket Operations”) and searching for users with excessive > 4769 events (Event Id 4769 “A Kerberos service ticket was requested”). Here’s how to definitively detect Kerberoasting activity. Windows added Kerberos AES (128 & 256) encryption starting with Windows Server 2008 and Windows Vista which means that most Kerberos requests will be AES encrypted with any modern Windows OS. Any Kerberos RC4 tickets requested should be the exception. There are systems that only support Kerberos RC4 by default (NetApp). Inter-forest Kerberos tickets also use RC4 unless configured for AES – ensure your forest trusts support AES and then enable AES over the trust. So, how do we determine what encryption type was used when looking at events: 0x12, 0x17…? Ned Pyle (@NerdPyle) posted an article on hunting down the use of Kerberos DES encryption in the AskDS Blog on TechNet and provides this handy chart: Once all Domain Controllers are configured to log 4769 events, these events need to be filtered before sending the data into a SIEM/Splunk. Since we are only really interested in Kerberos TGS service tickets with RC4 encryption, it’s possible to filter the events. As shown above, Kerberos events with AES encryption has Ticket Encryption Type set to 0x12. Kerberos RC4 encrypted tickets have Ticket Encryption Type set to 0x17. These events can be filtered using the following which greatly reduces the amount of events flowing into the SIEM/Splunk: * Ticket Options: 0x40810000 * Ticket Encryption: 0x17 With this information, we can start investigating potential Kerberoasting activity and reduce the number of 4769 events. Note: Also look for Kerberos DES encryption since this is not secure. The ticket options may be different, so just filter on 4768 & 4769 events with Ticket Encryption: 0x1 OR 0x2 OR 0x3. Starting with Windows 7 & Windows Server 2008 R2, DES encryption is disabled, but it’s still important to find systems that may be attempting (& succeeding!) to get DES Kerberos tickets We can further reduce the number of 4769 events that flow into SIEM/Splunk: * Filter out requests from service accounts (ads45service@lab.adsecurity.org) * Filter on Audit Success * Filter out requests for service names with a “$” which are typically for computer accounts (or trusts or Managed Service Accounts, all accounts where Windows automatically generates a long, complex password). In limited testing, I’ve seen 4769 event totals reduced from millions to thousands and hundreds using these filtering techniques. Here’s a 4769 event that may potentially be from Kerberoasting activity: Some attackers will request a bunch of RC4 TGS tickets for some or all service accounts using something similar to the following graphic. The PowerShell script code in the graphic above is similar to PowerView functionality. The next graphic shows the results of the PowerShell script code being run. Running klist shows the tickets are in user memory. Note that the initial krbtgt ticket is AES encrypted and others are RC4-HMAC(NT). That’s a bit unusual. So, the tickets were requested… How to discover this activity? Using the information regarding ticket encryption type and ticket options, we can use PowerShell to parse the DC’s event log looking for 4769 events with this info. That looks really odd. Why would any account request several different service names (Citrix PVS, BizTalk, Business Objects, AGPM GPO management, and several SQL service accounts) within a second or two of each other? That stands out and looks really suspicious and is very likely Kerberoasting activity. This provides great information on what users could be compromised and what activity on which computers should be scrutinized. A single user requesting RC4 encrypted TGS tickets for several services, such as lots of SQL service principal names is suspicious and it’s worth investigating the IP (client address) the requests came from. The same thing is true for multiple RC4 encrypted TGS requests over time for lots of service principal names. A pattern does emerge when there’s one or two accounts that request a variety or RC4 TGS tickets. Update: Added Part 2 on How to Detect Kerberoasting Activity Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot If you are logging PowerShell activity, you can use my offensive PowerShell indicators to detect standard use of common PowerShell attack tools. I cover detecting offensive PowerShell in the previous post “Detecting Offensive PowerShell Attack Tools” & “PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection“. I also covered PowerShell security in my BSidesCharm & BSidesDC talks in 2016. Specifically: * Deploy PowerShell v5 (or newer) and enable module logging & script block logging. * Send the following PowerShell log event ids to the central logging solution: 400 & 800 * Pull the following PowerShell Operational log event ids to the central logging solution: 4100, 4103, 4104 * Configuring system-wide transcription to send a log of all activity per user, per system to a write-only share, is incredibly valuable to catch suspicious/malicious activity that can be missed or not logged to the event logs. Even better is ingesting these transcript text files into something like Splunk for further analysis. Note the addition of “KerberosRequestorSecurityToken” which is the PowerShell method to request Kerberos tickets. Conclusion Kerberoasting requires requesting Kerberos TGS service tickets with RC4 encryption which shouldn’t be most of the Kerberos activity on a network. Logging 4769 events on Domain Controllers, filtering these events by ticket encryption type (0x17), known service accounts (Account Name field) & computers (Service Name field) greatly reduces the number of events forwarded to the central logging and alerting system. Gathering and monitoring this data also creates a good baseline of what’s “normal” in order to more easily detect anomalous activity. Kerberoasting References * Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot * Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain * Attack Methods for Gaining Domain Admin Rights in Active Directory * Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting * Targeted Kerberoasting (Harmj0y) * Kerberoasting without Mimikatz (Harmj0y) * Roasting AS REPs (Harmj0y) * Sean Metcalf’s Presentations on Active Directory Security * Kerberoast (GitHub) * Tim Medin’s DerbyCon “Attacking Microsoft Kerberos Kicking the Guard Dog of Hades” presentation in 2014 (slides & video). (Visited 197,903 times, 1 visits today) * AP-REQ, Audit Kerberos Service Ticket Operations, Detect Kerberoast Activity, Detecting Kerberoast activity, Event ID 4769, Kerberoasting Active Directory, Kerberoasting activity, Kerberos RC4 Encryption, Kerberos Service Ticket, Kerberos TGS, Kerberos TGS Ticket, KerberosRequestorSecurityToken, NTLM Password, PowerShell Kerberoast, RC4_HMAC_MD5, TGS-REP, TGS-REQ * SEAN METCALF I improve security for enterprises around the world working for TrimarcSecurity.com Read the About page (top left) for information about me. :) https://adsecurity.org/?page_id=8 * RECENT POSTS * BSides Dublin – The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations – Sean Metcalf * DEFCON 2017: Transcript – Hacking the Cloud * Detecting the Elusive: Active Directory Threat Hunting * Detecting Kerberoasting Activity * Detecting Password Spraying with Security Event Auditing TRIMARC ACTIVE DIRECTORY SECURITY SERVICES Have concerns about your Active Directory environment? Trimarc helps enterprises improve their security posture. Find out how... TrimarcSecurity.com POPULAR POSTS * PowerShell Encoding & Decoding (Base64) * Attack Methods for Gaining Domain Admin Rights in… * Kerberos & KRBTGT: Active Directory’s… * Finding Passwords in SYSVOL & Exploiting Group… * Securing Domain Controllers to Improve Active… * Securing Windows Workstations: Developing a Secure Baseline * Detecting Kerberoasting Activity * Mimikatz DCSync Usage, Exploitation, and Detection * Scanning for Active Directory Privileges &… * Microsoft LAPS Security & Active Directory LAPS… CATEGORIES * ActiveDirectorySecurity * Apple Security * Cloud Security * Continuing Education * Entertainment * Exploit * Hacking * Hardware Security * Hypervisor Security * Linux/Unix Security * Malware * Microsoft Security * Mitigation * Network/System Security * PowerShell * RealWorld * Security * Security Conference Presentation/Video * Security Recommendation * Technical Article * Technical Reading * Technical Reference * TheCloud * Vulnerability TAGS ActiveDirectory Active Directory Active Directory Security ActiveDirectorySecurity ADReading AD Security ADSecurity Azure AzureAD DCSync DomainController GoldenTicket GroupPolicy HyperV Invoke-Mimikatz KB3011780 KDC Kerberos KerberosHacking KRBTGT LAPS LSASS MCM MicrosoftEMET MicrosoftWindows mimikatz MS14068 PassTheHash PowerShell PowerShellCode PowerShellHacking PowerShellv5 PowerSploit Presentation Security SilverTicket SneakyADPersistence SPN TGS TGT Windows7 Windows10 WindowsServer2008R2 WindowsServer2012 WindowsServer2012R2 Search for: RECENT POSTS * BSides Dublin – The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations – Sean Metcalf * DEFCON 2017: Transcript – Hacking the Cloud * Detecting the Elusive: Active Directory Threat Hunting * Detecting Kerberoasting Activity * Detecting Password Spraying with Security Event Auditing RECENT COMMENTS * Derek on Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory * Sean Metcalf on Securing Microsoft Active Directory Federation Server (ADFS) * Brad on Securing Microsoft Active Directory Federation Server (ADFS) * Joonas on Gathering AD Data with the Active Directory PowerShell Module * Sean Metcalf on Gathering AD Data with the Active Directory PowerShell Module ARCHIVES * June 2024 * May 2024 * May 2020 * January 2020 * August 2019 * March 2019 * February 2019 * October 2018 * August 2018 * May 2018 * January 2018 * November 2017 * August 2017 * June 2017 * May 2017 * February 2017 * January 2017 * November 2016 * October 2016 * September 2016 * August 2016 * July 2016 * June 2016 * April 2016 * March 2016 * February 2016 * January 2016 * December 2015 * November 2015 * October 2015 * September 2015 * August 2015 * July 2015 * June 2015 * May 2015 * April 2015 * March 2015 * February 2015 * January 2015 * December 2014 * November 2014 * October 2014 * September 2014 * August 2014 * July 2014 * June 2014 * May 2014 * April 2014 * March 2014 * February 2014 * July 2013 * November 2012 * March 2012 * February 2012 CATEGORIES * ActiveDirectorySecurity * Apple Security * Cloud Security * Continuing Education * Entertainment * Exploit * Hacking * Hardware Security * Hypervisor Security * Linux/Unix Security * Malware * Microsoft Security * Mitigation * Network/System Security * PowerShell * RealWorld * Security * Security Conference Presentation/Video * Security Recommendation * Technical Article * Technical Reading * Technical Reference * TheCloud * Vulnerability META * Log in * Entries feed * Comments feed * WordPress.org COPYRIGHT Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2020. Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Made with by Graphene Themes.