TL/DR: Protip — Attend Tim Medin’s talk “Attacking Kerberos” at Derbycon if you can. If you can’t get into the talk or (gasp) aren’t going to Derbycon, rest easy… it’ll be recorded by everyone’s BFF, Adrian “Irongeek” Crenshaw. Be sure to check it out ASAP at Adrian’s website http://www.irongeek.com/.
Disclaimer: There are plenty of talks that are going to happen at Derbycon. And they’re going to be awesome… but this talk… this talk is… special. The reason I’m writing to you about this one is simple — I think it will fundamentally change how we both attack and defend domains. The blue teamer in me desperately hopes there are mitigations & defenses soon. The red teamer in me is jumping up and down like a hyperactive kid on Christmas morning.
NOTE: this post is riddled with spoilers for Tim Medin’s talk… But this is with Tim’s explicit permission. He also was kind enough to proofread this posting to ensure I didn’t misstate anything.
I was very fortunate to get a sneak peek at Tim’s presentation… and I have to say I’m amazed and… still a little confused on why things are the way they are. Bottom line: if you run services in a Windows domain environment without *very* strong passwords, you’re toast.
MS provides several utilities to create service accounts… but few people use them. Instead, just about everyone uses the standard user creation tool and then simply binds that account to the service. If you do this — again, almost everyone does — you’re open to the Kerberos attack he has discovered and that I’ll outline below. This is a big deal since Kerberos is the method that MS Active Directory uses for all authentication. Note: we’ll do a tech segment on this attack during a SecurityWeekly show soon so you can have the full details. Hopefully done by Tim himself!
This attack works because in the MS implementation of Kerberos, instead of using a dedicated shared secret, they use the NTLM hash of the account! Yep! You read that right. Part of every service ticket the domain controller hands out is encrypted with that password hash, so anyone who can request a ticket walks away with material they can attack offline. Tim’s attack is rather crafty… and simple. He takes several existing tools (none of which require domain or local admin level access) and combines them to have your domain give up tickets encrypted with these NTLM hashes. The effect of this is simply devastating. With this attack you can:
– Crack the service account password.
– Do this completely offline (i.e. no packets are sent to the service)
– Launch this attack as any user (it’s worth repeating this: you don’t have to be admin!)
Once you’ve successfully cracked the password for that service account you can:
– Login as that account (if the victim hasn’t disabled interactive logins)
– Forge Kerberos tickets (lets you impersonate *any* user or group)
Again: it’s worth pointing out this can be done as a *standard* user account.
Before you launch this attack you need to be an authenticated user on the target domain. Once you’ve got access… here’s how this can be done.
1) Pull a list of all service accounts used in the domain. The easiest way to do this is like so:
setspn -T DOMAINNAME -F -Q */*
(be sure to only go after user account objects. The computer accounts are typically too tough to crack)
2) Request tickets from the Kerberos server for the account you’re targeting. Again, there are multiple ways of doing this. (PowerShell is probably the best. Note: these are two separate commands, and the argument is the SPN of the service you are requesting a ticket for.)
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/YOURKERBSERVER"
3) Extract your tickets from RAM. Yep… several ways to do that, although the ever useful Mimikatz is probably the best
4) Crack the shared “secret”. Pick your tool here too.
python tgsrepcrack.py WORDLIST TicketFromRam.kirbi
4a) Happy dance!
5) Forge your own Kerberos tickets with a tool like kerberoast. Note: for this to work, the target process must run as a service (otherwise PAC verification can catch the forged ticket). http://blogs.technet.com/b/instan/archive/2011/11/14/the-return-of-pac-mania-aka-some-reasons-why-pac-verification-can-fail.aspx
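For the blue teamer: the only on-wire footprint of steps 1 through 4 is the service-ticket request, which the domain controller logs as Security event 4769. The script below is an added example of mine (not from the original post or from Tim’s tools) that runs over constructed 4769 records and flags two things: tickets for user (non-computer) service accounts issued with RC4-HMAC, the encryption type keyed directly with the NTLM hash, and requesters that pull tickets for several such accounts within a short window. The field names follow the real 4769 event (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status); the pipe-separated input layout, the sample records, the etype constant and the thresholds are my own assumptions.

```python
"""Flag Kerberoasting indicators in Windows Security event 4769 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos etype 0x17 is RC4-HMAC, whose key is the account's NTLM hash.
# AES etypes (0x11, 0x12) use a salted PBKDF2-derived key instead.
RC4_HMAC = 0x17

# Constructed sample records (not real logs). Pipe-separated 4769 fields:
# time | TargetUserName (requester) | ServiceName | TicketEncryptionType | IpAddress | Status
SAMPLE_4769 = """\
2014-09-12T09:00:01|alice@CORP.LOCAL|WS01$|0x12|10.0.0.5|0x0
2014-09-12T09:00:07|alice@CORP.LOCAL|krbtgt|0x12|10.0.0.5|0x0
2014-09-12T10:15:02|bob@CORP.LOCAL|svc_sql|0x17|10.0.0.9|0x0
2014-09-12T10:15:03|bob@CORP.LOCAL|svc_web|0x17|10.0.0.9|0x0
2014-09-12T10:15:03|bob@CORP.LOCAL|svc_backup|0x17|10.0.0.9|0x0
2014-09-12T10:15:04|bob@CORP.LOCAL|svc_reporting|0x17|10.0.0.9|0x0
2014-09-12T10:15:05|bob@CORP.LOCAL|svc_sql|0x17|10.0.0.9|0x0
2014-09-12T11:30:00|carol@CORP.LOCAL|svc_sql|0x12|10.0.0.7|0x0
2014-09-12T11:30:01|dave@CORP.LOCAL|svc_legacy|0x17|10.0.0.8|0x0
"""


def parse_4769(text):
    """Parse the pipe-separated records into dicts keyed by the 4769 field names."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, requester, service, etype, ip, status = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "TargetUserName": requester,
            "ServiceName": service,
            "TicketEncryptionType": int(etype, 16),
            "IpAddress": ip,
            "Status": int(status, 16),
        })
    return events


def is_user_service_account(service_name):
    """Computer accounts end in '$' and krbtgt tickets are TGTs; neither is what this attack targets."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def rc4_user_ticket_events(events):
    """Successful RC4-HMAC service tickets for user-account services: the crackable kind."""
    return [e for e in events
            if e["Status"] == 0
            and e["TicketEncryptionType"] == RC4_HMAC
            and is_user_service_account(e["ServiceName"])]


def burst_requesters(events, min_distinct=3, window=timedelta(minutes=5)):
    """Requesters that obtained tickets for >= min_distinct distinct user-account
    services inside any `window`-long span. Returns {requester: sorted service names}."""
    by_requester = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["Status"] == 0 and is_user_service_account(e["ServiceName"]):
            by_requester[e["TargetUserName"]].append(e)

    alerts = {}
    for requester, evs in by_requester.items():
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                seen.add(e["ServiceName"])
            if len(seen) >= min_distinct:
                alerts[requester] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    evs = parse_4769(SAMPLE_4769)
    for e in rc4_user_ticket_events(evs):
        print(f"RC4 ticket for user service {e['ServiceName']} "
              f"requested by {e['TargetUserName']} from {e['IpAddress']}")
    for who, services in burst_requesters(evs).items():
        print(f"BURST: {who} pulled tickets for {len(services)} user services: {services}")
```

In the sample, carol’s AES-encrypted ticket for svc_sql is not flagged while dave’s single RC4 ticket is, which is the point: a service account restricted to AES keys (or created with the service-account tooling the post mentions, which gives it a long random password) takes the cheap offline crack off the table, and the burst rule catches the enumeration pattern of step 1 feeding step 2 regardless of etype.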
And a final note from Tim: (told you he read and approved this posting!)
Of course cracking service account passwords is awesome. Often MSSQL will run as DA so it can register the SPN itself. It also runs as a service. Meaning you can offline brute force a DA.
So as you can see, while it’s not the end of Western Civilization as we know it, this attack is a huge deal.
There’s lots of info I’ve glossed over in the interest of time. Attend the talk or watch the vid. This is going to be big.
– Mick @bettersafetynet