CAPEC-509: Kerberoasting
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.
执行流程
步骤 1 Explore
Scan for user accounts with set SPN values
- These can be found via Powershell or LDAP queries, as well as enumerating startup name accounts and other means.
步骤 2 Explore
Request service tickets
- Using user account's SPN value, request other service tickets from Active Directory
步骤 3 Experiment
Extract ticket and save to disk
- Certain tools like Mimikatz can extract local tickets and save them to memory/disk.
步骤 4 Exploit
Crack the encrypted ticket to harvest plain text credentials
- Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack.
前提条件
- The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.
- The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).
- The adversary requires a brute force tool.
所需技能
后果影响
影响范围: Confidentiality
技术影响: Gain Privileges
缓解措施
Monitor system and domain logs for abnormal access.
Employ a robust password policy for service accounts. Passwords should be of adequate length and complexity, and they should expire after a period of time.
Employ the principle of least privilege: limit service accounts privileges to what is required for functionality and no more.
Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
示例实例
PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| ATTACK | 1558.003 | Steal or Forge Kerberos Tickets:Kerberoasting |