Content

Derbycon “Attacking Kerberos” talk I’ll be checking out — and you should too!

mk5rbvg

TL/DR: Protip — Attend Tim Medin’s talk “Attacking Kerberos” at Derbycon if you can.  If you can’t get into the talk or (gasp) aren’t going to Derbycon, rest easy… it’ll be recorded by everyone’s BFF, Adrian “Irongeek” Crenshaw. Be sure to check it out ASAP at Adrian’s website http://www.irongeek.com/.

Disclaimer: There are plenty of talks that are going to happen at Derbycon.  And they’re going to be awesome… but this talk… this talk is… special.  The reason I’m writing to you about this one is simple — I think it will fundamentally change how we both attack and defend domains.  The blue teamer in me desperately hopes there are mitigations & defenses soon.  The red teamer in me is jumping up and down like a hyperactive kid on Christmas morning.

NOTE: this post is riddled with spoilers for Tim Medin’s talk… But this is with Tim’s explicit permission.  He also was kind enough to proofread this posting to ensure I didn’t misstate anything.

I was very fortunate to get a sneak peak on Tim’s presentation… and I have to say I’m amazed and… still a little confused on why things are the way they are.  Bottom line: if you run services in a windows domain environment without *very* strong passwords, you’re toast.

MS provides several utilities to create service accounts… but few people use them.  Instead, just about everyone uses the standard user creation tool and then simply binds that account to the service.  If you do this — again, almost everyone does — you’re open to the kerberos attack he has discovered and that I’ll outline below.  This is a big deal since kerberos is the method that MS Active Directory uses for all authentication.  Note: we’ll do a tech segment on this attack during a SecurityWeekly show soon so you can have the full details.  Hopefully done by Tim himself!

This attack works because in the MS implementation of kerberos, instead of using a dedicated shared secret, they instead use the NTLM hash for the account!  Yep!  You read that right.  The hash value of account passwords is sent as part of the protocol. Tim’s attack is rather crafty… and simple.  He takes several existing tools — none of which require domain or local admin level access – and combines them to have your domain give up these NTLM hashes.  The effect of this is simply devastating.  With this attack you can:

– Crack the service account password.
– Do this completely offline (ie: not send any packets to the service)
– Launch this attack as any user (it’s worth repeating this: you don’t have to be admin!)

Once you’ve successfully cracked the password for that service account you can:
– Login as that account (if the victim hasn’t disabled interactive logins)
– Forge kerberos tickets (Allows you to impersonate *any* user or group)

Again: it’s worth pointing out this can be done as a *standard* user account

Before you launch this attack you need to be an authenticated user on the target domain.  Once you’ve got access… here’s how this can be done.

1) Pull a list of all service accounts used in the domain.  The easiest way to do this is like so:
setspn -T DOMAINNAME -F -Q */*
(be sure to only go after user account objects.  The computer accounts are typically too tough to crack)

2) Request tickets from the kerberos server for the account you’re targeting.  Again, there’s multiple ways of doing this.  (powershell is probably the best.  Note: these are two separate commands)
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -Arguemtlist “HTTP / YOURKERB SERVER”

3) Extract your tickets from RAM.  Yep… several ways to do that, although the ever useful Mimikatz is probably the best
mimikatz# kerberos::list

4) Crack the shared “secret”.  Pick your tool here too.
tgsrepcarck.py -w WORDLIST -r -1 TicketFromRam

4a) Happy dance!

5) Forge your own kerberose tickets with a tool like kerbertoast. Note for this to work, the process must run as a service. http://blogs.technet.com/b/instan/archive/2011/11/14/the-return-of-pac-mania-aka-some-reasons-why-pac-verification-can-fail.aspx

And a final note from Tim: (told you he read and approved this posting!)
Of course cracking service account passwords is awesome. Often MSSQL will run as DA so it can register the SPN itself. It also runs as a service. Meaning you can offline brute force a DA.

So as you can see, while it’s not the end of Western Civilization as we know it, this attack is a huge deal.

There’s lots of info I’ve glossed over in the interest of time.  Attend the talk or watch the vid.  This is going to be big.

– Mick @bettersafetynet

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more.

Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable.
In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. Paul grew Security Weekly into a network of security podcasts spanning multiple topics, such as application security and business. It has been estimated that Paul has conducted over 1,000 interviews with security professionals and hosted more than 1,000 podcast episodes in cybersecurity. In 2020 Security Weekly was acquired by the Cyberrisk Alliance.

Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python, telling everyone he uses Linux as his daily driver, poking at the supply chain, and reading about UEFI and other firmware-related technical topics.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.