> According to our friend Chick3nman, the same RTX 5090 can crack 4.18 billion (with a “b”) of these hashes every second.
It may just be imprecise writing, but this is very misleading. The stat is that 4.18 B hashes can be computed per second, not cracked. Computing a hash means converting a given input into its hash. Cracking a hash means starting from the given hash and determining what the input must have been. To crack a given hash you have to iterate over the input space and compute all their hashes (barring other exploitable weaknesses).
So, sure you can "crack" 4.18 B hashes per second, as long as you don't care that the hashes you are "cracking" are not the one you're interested in.
As a pentester kerberosting used to reveal a service password on about 50% of networks on the 2010s when admins were making the passwords. Today our advice to clients on kerberosting is the same as it was back then, use a password manager to generate a 21 character password for all service accounts and disabled RC4 where possible. 52^21 is quite a large key space and even at 10^10 guesses per second over a year your chances are less than 1 in a billion of a successful crack.
I will make a slight subtle distinction though. Cracking a hash doesn't mean determining what the input must have been. It means finding an input that resolves to the same hash - not necessarily the original input.
Good overview of Kerberoasting, still a common attack chain. A couple things though: To obtain access to a service, you actually need to get a service ticket (TGS) from the KDC (Domain Controller) to authenticate to the service, not a TGT. The TGT is the first ticket acquired during authentication to the domain. In addition, the "salt" is not a true salt but a concatenation of the domain and principal name, so even worse. Active Directory (invented at MIT) supports RC4, AES128, and AES256 encryption types, however you can effectively disable RC4 via Group Policy. The reason RC4 is still supported is to support legacy systems. Many organizations use old software that only supports RC4. For example, I've run into many manufacturing and small businesses that have no choice but to use it and can't upgrade the software due to $$$. Anyway, good stuff! Shout out to Tim Medin, who published this back in 2014.
AD was invented by Microsoft, gluing together Kerberos (from MIT) and LDAP (from UMich). If it was from MIT, we wouldn't have had Windows 2000's infamous proprietary PAC.
If we're being pedantic, TGS ("ticket granting server") is the service you get service tickets from. Service tickets are (occasionally) abbreviated ST, as you'd expect. The TGS is a logical part of the KDC, distinguished from the AS which grants TGTs.
It’s been ages since I stood up a Kerberos realm, but… would it be possible to allow RC4 only for specific users? Like encrypt [email protected]’s heavily locked down account with RC4, but everyone else gets AES-256?
I was about to suggest employing PingCastle to audit domains for weak default configurations such as these, but apparently, PingCastle still doesn't complain about RC4 enabled Kerberos accounts - only about DES. So now is a good opportunity to check any domains you are responsible for by hand.
Note that since the 2022 update KB5019964, AES is the default for all AD accounts that did not have the administrator explicitly set a different encryption scheme. However, administrators may have done that on your domain in the past, because back in the day, the default encryption scheme was not even RC4, but DES, which is even worse. Some people therefore set everything to RC4 by hand, before AES was introduced as an option.
The allowed encryption types are set via the msDs-supportedEncryptionTypes attribute on each individual AD account. This property is a 32 bit bitmask, where 8 is AES128, 16 is AES256, and any other bits set are garbage encryption schemes. However, if the attribute is set to 0, the account reverts to the default, which ever since the aforementioned patch has been 24 (AES128|AES256).
Anyway, the following Powershell (run with elevated permissions on the domain!) lists you all insecure user accounts:
This may be an important clue for something that happened recently in our environment. We configured a bunch of database service SPNs and immediately all Kerberos auth failed. Rolled it back and talked to our support provider. They said that the expected behavior was to default to AES but that for some reason our environment wasn’t honoring that. We ended up having to manually enable AES support on each service account, which is a minor pain in the ass, and since no one in the IAM team was involved in the original domain setup, no one could explain why this happened or whether there was a manual RC4/DES config lurking out there in the shadows.
This article is somewhat incorrect. Kerberoasting abuses Ticket Granting Service tickets (TGSs, which are used to request access to a registered service in Active Directory), not Ticket Granting Tickets (TGTs, which are used to prove identity to a Domain Controller and request TGSs). However, the general attack described is still correct.
TGS are (AES or RC4) encrypted with the NT password hash of the service account they are associated with. If you have a weak service account password, then TGS can be cracked to obtain the service account's password. A lot of times admins will create service accounts that have way more permissions than required (e.g. they make them a DA) which can lead to an immediate privilege escalation. Sometimes they also use regular user accounts for service registration instead of designated service accounts, and user accounts tend to have weaker passwords. To make it worse, any low privilege Active Directory account can request a TGS for any service, even if they are not allowed to access that service.
1. Use managed or group managed service accounts instead of manually managed ones where possible. This ensures that account passwords are long, strong, and rotated regularly. If you are going to provision service accounts manually, give them very strong passwords.
2. Apply the principle of least privilege and only assign service accounts the privileges they need. Avoid placing them in high privilege groups.
3. Disable RC4 in your environment if possible via Group Policy.
An actually useful mitigation would be to use service keytabs instead of service passwords. Because with a keytab, the keytab is a file that just contains an AES128/256/RC4 key instead of a password, which makes it sufficiently hard to guess. The service just uses this file to decrypt its service tickets then.
However, keytab usage is rare in the Windows AD world because people don't seem to comprehend what a keytab is and does, and why it is far better than using passwords for services.
I was a little irritated that Prof. Green didn't really discuss that Microsoft has made recommendations to mitigate. Thank you for summarizing.
The mitigations are there but it takes time for Microsoft's Customers to move to the new versions. I don't think that's Microsoft's problem. That's just their market. I don't think Prof. Green has an understanding of that side of it.
I guess one could argue that Microsoft should backport the new code to older products and give it to Customers who aren't actively paying for maintenance or subscription licensing. They made the business decision not to.
> To make it worse, any low privilege Active Directory account can request a TGS for any service, even if they are not allowed to access that service.
I have a vague understanding of Kerberos, and this is where I’m mystified. Why is the KDC or anything else willing to issue a TGS ticket encryption against a service password before the requesting user authorizes themselves? Or is the issue that authentication and authorization are split and the KDC has no idea whether the requesting user is authorized.
Is this really a useful mitigation here? If someone has suitable presence to make requests to the TGS, then the time window for cracking and exploiting those tickets (if they are exploitable) is surely always going to be small compared to the rotation window. Hackers don't typically have the patience to sit running hashcat on an old GPU for weeks, they just find some way to get ephemeral access to a bunch of faster GPUs.
> This article is somewhat incorrect. Kerberoasting abuses Ticket Granting Service tickets (TGSs...
> TGS are (AES or RC4) encrypted...
What? No. The "TGS" is the "ticket granting service", and it's part of the KDC. A "TGT" is a "ticket granting ticket" -- an object, a blob which is a) a Ticket, b) whose service principal is a TGS principal (meaning of the form krbtgt/TARGET_REALM@ISSUER_REALM).
See perhaps "Active Directory Hardening Series - Part 4 – Enforcing AES for Kerberos":
> Identifying devices limited to RC4 is a critical step but has historically been a tricky problem to solve. However, a recently discovered "feature" in 4768 events can help you identity such devices. […] As a result, 4768 events can be used to identify devices that only support RC4.
> While DES has long been considered insecure, CVE-2022-37966 accelerates the departure of RC4 for the encryption of Kerberos tickets. If you have not explicitly assigned an algorithm to accounts, then AES will be used in the future. You can use PowerShell to determine which accounts are vulnerable to weak encryption.
I agree -- Ascension is also complicit in this, and merely paying lip-service to HIPAA. The Senator's letter, on the other hand, paints a one-sided picture of the matter.
Help me out here. I thought I was understanding the process as I went along, but my head is still spinning.
This is what I understood: the corporate network needs to be able to connect ordinary users on some random employee's work computer, to privileged services elsewhere on the (generally insecure) network, securely. The idea is that the server sends the client some kind of encrypted token, the decryption of which — when the system is properly configured — would require some long, random passphrase beyond mortal comprehension. The user's machine stores the passphrase so that secure passphrases can be used by the mere mortal users, and automates the internal connection. But if a user gets compromised from outside the network, an attacker could explicitly request and exfiltrate one of the tokens, and run brute force attacks on it locally to the attacker; and for historical reasons, the system is likely to be poorly configured, such that the necessary passphrase is weak enough to be susceptible to this. Then the attacker uses the decrypted token to escalate access.
My question is: why can't the attacker just direct the compromised machine to connect to the service normally? Or else, where did I lose the plot?
If you have the user's credentials then you can indeed connect to the service as you normally would. The advantages of performing this attack are:
1. You can obtain the service account's password, and the service account may be provisioned with more privileges than the user's account that you compromised. This allows for privilege escalation beyond simply accessing the service. For example, perhaps the service account has administrative access on other machines, or it is used for multiple services, or it is a Domain Admin in which case you can completely compromise the domain.
2. TGS tickets used to request access to a service are cryptographically signed with the password hash of the service account. Services use this to confirm ticket validity. In most cases, this means that if you can derive the service account password, you can forge TGS tickets that claim to be associated with arbitrary domain users. Instead of accessing the service as a low privilege user, you can now access the service as an Enterprise Admin or another high privilege account which could enable access to more resources or administrative access to the machine. This is called a Silver Ticket attack.
You're missing the forest for the trees. A regular user account should never have a service principal name (SPN), for the simple reason that it can be attacked in the way described. That is why service accounts have really long complex passwords.
Kerberoasting nearly always occurs due to an installation process that assigns an SPN to an account that is performing an installation, or inappropriately selected by the installer. That is the first problem. The second problem is there isn't anyone auditing this stuff because they are incompetent.
If you reported an issue of an account that had an SPN but should not, nearly everyone would either not know what you are talking about, or disagree that it is a security problem without any knowledge or basis.
Microsoft is also guilty of reading the market and keeping up compatibility to make their products remain relevant. Prof. Green makes sweeping statements about how Microsoft should break compatibility to remove these vulnerabilities, but he doesn't have the market pressures that Microsoft does.
Could Microsoft work harder on this? Sure. Do they have to worry about keeping their Customers happy? Absolutely.
The corporate IT market moves at a glacial pace. Hopefully the rise of IT security issues having actual business consequences will change that, but that's not Microsoft's problem. That's the ecosystem they live in.
Were bad protocol / design decisions made in the past? For sure. Microsoft has been working on this (see Managed Service Accounts and Group Managed Service Accounts). It takes time for corporate customers to adopt these new versions.
Corporate IT won't forklift out old systems without business justification. Maybe the pressure from the insurance industry will help. Pressure from the ransomware industry is a certainly helping, too.
It's still common in IT departments to enter the domain administrator password to join a computer to a domain or install software on a client machine. This seems insane to me, you can just fake the windows gui in a Fullscreen application and keylog the password - even using a web browser. I think AD is a relic of the 90s that should be retired
Kerberoasting keeps popping up in real-world incidents. Do you think enterprises underestimate the human factor in securing service accounts more than the technical exploits?
In Kerberos, the answer is effectively no. To generate the NT hash, the password is hashed using a single round of MD4. This is what is used to encrypt (and sign) tickets.
The attack is, guess a password, hash it, and attempt to decrypt.
With AES Kerberos keys there is a salt... but not a good one. It is just the domain (realm) and the username.
This makes me so mad. 5he excuses from Microsoft are quite pathetic
Their ubiquitous systems have been notoriously insecure for decades.
They are one of the highest revenue firms on the planet.
It is going to take strict liability for software developers before we all pull up our socks and put an end to this nonsense. When it is a marketing advantage to produce insecure software, what else can fix our industry?
This makes me so mad. 5he excuses from Microsoft are quite pathetic
Their ubiquitous systems have been notoriously insecure for decades.
They are one of the highest revenue firms on the planet.
It is going to take strict liability for software developers before we all pull up oursocks and put an end to this nonsense. When it is a marketing advantage to produce insecure software, what else can fix our industry?
[+] [-] cvoss|6 months ago|reply
It may just be imprecise writing, but this is very misleading. The stat is that 4.18 B hashes can be computed per second, not cracked. Computing a hash means converting a given input into its hash. Cracking a hash means starting from the given hash and determining what the input must have been. To crack a given hash you have to iterate over the input space and compute all their hashes (barring other exploitable weaknesses).
So, sure you can "crack" 4.18 B hashes per second, as long as you don't care that the hashes you are "cracking" are not the one you're interested in.
[+] [-] ospray|6 months ago|reply
[+] [-] MattPalmer1086|6 months ago|reply
I will make a slight subtle distinction though. Cracking a hash doesn't mean determining what the input must have been. It means finding an input that resolves to the same hash - not necessarily the original input.
[+] [-] cybergreg|6 months ago|reply
[+] [-] gnufx|6 months ago|reply
AD was invented by Microsoft, gluing together Kerberos (from MIT) and LDAP (from UMich). If it was from MIT, we wouldn't have had Windows 2000's infamous proprietary PAC.
[+] [-] thedufer|6 months ago|reply
If we're being pedantic, TGS ("ticket granting server") is the service you get service tickets from. Service tickets are (occasionally) abbreviated ST, as you'd expect. The TGS is a logical part of the KDC, distinguished from the AS which grants TGTs.
[+] [-] kstrauser|6 months ago|reply
[+] [-] timmedin|6 months ago|reply
And thanks for the shout out!
[+] [-] indigo945|6 months ago|reply
Note that since the 2022 update KB5019964, AES is the default for all AD accounts that did not have the administrator explicitly set a different encryption scheme. However, administrators may have done that on your domain in the past, because back in the day, the default encryption scheme was not even RC4, but DES, which is even worse. Some people therefore set everything to RC4 by hand, before AES was introduced as an option.
The allowed encryption types are set via the msDs-supportedEncryptionTypes attribute on each individual AD account. This property is a 32 bit bitmask, where 8 is AES128, 16 is AES256, and any other bits set are garbage encryption schemes. However, if the attribute is set to 0, the account reverts to the default, which ever since the aforementioned patch has been 24 (AES128|AES256).
Anyway, the following Powershell (run with elevated permissions on the domain!) lists you all insecure user accounts:
Remember that computer accounts have passwords too:[+] [-] hotsauceror|6 months ago|reply
[+] [-] jeffmcjunkin|6 months ago|reply
[+] [-] harmon|6 months ago|reply
TGS are (AES or RC4) encrypted with the NT password hash of the service account they are associated with. If you have a weak service account password, then TGS can be cracked to obtain the service account's password. A lot of times admins will create service accounts that have way more permissions than required (e.g. they make them a DA) which can lead to an immediate privilege escalation. Sometimes they also use regular user accounts for service registration instead of designated service accounts, and user accounts tend to have weaker passwords. To make it worse, any low privilege Active Directory account can request a TGS for any service, even if they are not allowed to access that service.
Even if the service account is lower privilege, this can enable a silver ticket attack. https://www.crowdstrike.com/en-us/cybersecurity-101/cyberatt...
There are multiple mitigations for this:
1. Use managed or group managed service accounts instead of manually managed ones where possible. This ensures that account passwords are long, strong, and rotated regularly. If you are going to provision service accounts manually, give them very strong passwords.
2. Apply the principle of least privilege and only assign service accounts the privileges they need. Avoid placing them in high privilege groups.
3. Disable RC4 in your environment if possible via Group Policy.
4. Monitor for RC4 ticket requests. AES-encrypted tickets are the default these days. https://adsecurity.org/?p=3458
5. Create a honeypot service account: https://adsecurity.org/?p=3513
There is a somewhat similar attack against TGTs called ASREPRoasting: https://book.hacktricks.wiki/en/windows-hardening/active-dir...
[+] [-] holowoodman|6 months ago|reply
However, keytab usage is rare in the Windows AD world because people don't seem to comprehend what a keytab is and does, and why it is far better than using passwords for services.
[+] [-] EvanAnderson|6 months ago|reply
The mitigations are there but it takes time for Microsoft's Customers to move to the new versions. I don't think that's Microsoft's problem. That's just their market. I don't think Prof. Green has an understanding of that side of it.
I guess one could argue that Microsoft should backport the new code to older products and give it to Customers who aren't actively paying for maintenance or subscription licensing. They made the business decision not to.
[+] [-] amluto|6 months ago|reply
I have a vague understanding of Kerberos, and this is where I’m mystified. Why is the KDC or anything else willing to issue a TGS ticket encryption against a service password before the requesting user authorizes themselves? Or is the issue that authentication and authorization are split and the KDC has no idea whether the requesting user is authorized.
[+] [-] gnfargbl|6 months ago|reply
Is this really a useful mitigation here? If someone has suitable presence to make requests to the TGS, then the time window for cracking and exploiting those tickets (if they are exploitable) is surely always going to be small compared to the rotation window. Hackers don't typically have the patience to sit running hashcat on an old GPU for weeks, they just find some way to get ephemeral access to a bunch of faster GPUs.
[+] [-] cryptonector|6 months ago|reply
> TGS are (AES or RC4) encrypted...
What? No. The "TGS" is the "ticket granting service", and it's part of the KDC. A "TGT" is a "ticket granting ticket" -- an object, a blob which is a) a Ticket, b) whose service principal is a TGS principal (meaning of the form krbtgt/TARGET_REALM@ISSUER_REALM).
If in doubt see RFC 4120.
[+] [-] throw0101d|6 months ago|reply
> Identifying devices limited to RC4 is a critical step but has historically been a tricky problem to solve. However, a recently discovered "feature" in 4768 events can help you identity such devices. […] As a result, 4768 events can be used to identify devices that only support RC4.
* https://techcommunity.microsoft.com/blog/coreinfrastructurea...
Also:
> While DES has long been considered insecure, CVE-2022-37966 accelerates the departure of RC4 for the encryption of Kerberos tickets. If you have not explicitly assigned an algorithm to accounts, then AES will be used in the future. You can use PowerShell to determine which accounts are vulnerable to weak encryption.
* https://blog.sonnes.cloud/find-active-directory-accounts-con...
There are certainly disadvantages to legacy support being 'too good'.
[+] [-] cybergreg|6 months ago|reply
[+] [-] whydoyoucare|6 months ago|reply
[+] [-] zahlman|6 months ago|reply
This is what I understood: the corporate network needs to be able to connect ordinary users on some random employee's work computer, to privileged services elsewhere on the (generally insecure) network, securely. The idea is that the server sends the client some kind of encrypted token, the decryption of which — when the system is properly configured — would require some long, random passphrase beyond mortal comprehension. The user's machine stores the passphrase so that secure passphrases can be used by the mere mortal users, and automates the internal connection. But if a user gets compromised from outside the network, an attacker could explicitly request and exfiltrate one of the tokens, and run brute force attacks on it locally to the attacker; and for historical reasons, the system is likely to be poorly configured, such that the necessary passphrase is weak enough to be susceptible to this. Then the attacker uses the decrypted token to escalate access.
My question is: why can't the attacker just direct the compromised machine to connect to the service normally? Or else, where did I lose the plot?
[+] [-] harmon|6 months ago|reply
1. You can obtain the service account's password, and the service account may be provisioned with more privileges than the user's account that you compromised. This allows for privilege escalation beyond simply accessing the service. For example, perhaps the service account has administrative access on other machines, or it is used for multiple services, or it is a Domain Admin in which case you can completely compromise the domain.
2. TGS tickets used to request access to a service are cryptographically signed with the password hash of the service account. Services use this to confirm ticket validity. In most cases, this means that if you can derive the service account password, you can forge TGS tickets that claim to be associated with arbitrary domain users. Instead of accessing the service as a low privilege user, you can now access the service as an Enterprise Admin or another high privilege account which could enable access to more resources or administrative access to the machine. This is called a Silver Ticket attack.
[+] [-] Hilift|6 months ago|reply
Kerberoasting nearly always occurs due to an installation process that assigns an SPN to an account that is performing an installation, or inappropriately selected by the installer. That is the first problem. The second problem is there isn't anyone auditing this stuff because they are incompetent.
If you reported an issue of an account that had an SPN but should not, nearly everyone would either not know what you are talking about, or disagree that it is a security problem without any knowledge or basis.
[+] [-] deltarholamda|6 months ago|reply
>Users with AD credentials can request tickets to any service account in AD.
I assume it means you can derive the service password to leapfrog up the chain to wherever you want to go.
[+] [-] lotharcable|6 months ago|reply
[+] [-] EvanAnderson|6 months ago|reply
Could Microsoft work harder on this? Sure. Do they have to worry about keeping their Customers happy? Absolutely.
The corporate IT market moves at a glacial pace. Hopefully the rise of IT security issues having actual business consequences will change that, but that's not Microsoft's problem. That's the ecosystem they live in.
Were bad protocol / design decisions made in the past? For sure. Microsoft has been working on this (see Managed Service Accounts and Group Managed Service Accounts). It takes time for corporate customers to adopt these new versions.
Corporate IT won't forklift out old systems without business justification. Maybe the pressure from the insurance industry will help. Pressure from the ransomware industry is a certainly helping, too.
[+] [-] naranha|6 months ago|reply
[+] [-] iam_saurabh|6 months ago|reply
[+] [-] moomin|6 months ago|reply
[+] [-] timmedin|6 months ago|reply
The attack is, guess a password, hash it, and attempt to decrypt.
With AES Kerberos keys there is a salt... but not a good one. It is just the domain (realm) and the username.
[+] [-] dec1m0s|6 months ago|reply
[+] [-] jabl|6 months ago|reply
[+] [-] worik|6 months ago|reply
Their ubiquitous systems have been notoriously insecure for decades.
They are one of the highest revenue firms on the planet.
It is going to take strict liability for software developers before we all pull up our socks and put an end to this nonsense. When it is a marketing advantage to produce insecure software, what else can fix our industry?
I despair
[+] [-] worik|6 months ago|reply
Their ubiquitous systems have been notoriously insecure for decades.
They are one of the highest revenue firms on the planet.
It is going to take strict liability for software developers before we all pull up oursocks and put an end to this nonsense. When it is a marketing advantage to produce insecure software, what else can fix our industry?
I despair
[+] [-] MrBuddyCasino|6 months ago|reply
Did he not get the memo that this is not allowed?