
Basics

Top Active Directory Attacks

1. Kerberoasting

  • Description: An attack method that targets service accounts in an Active Directory environment. Attackers request service tickets (TGS) for those accounts; because each ticket is encrypted with the service account's key, it can be cracked offline to recover the account's plaintext password.

  • Target: Service accounts, especially those with weak or easily guessable passwords.

2. AS-REP Roasting

  • Description: This attack occurs when Kerberos pre-authentication is disabled for user accounts. Attackers can request AS-REP responses directly without needing the user’s password. The attacker captures these responses and attempts to crack them offline to get the user’s password.

  • Target: User accounts with pre-authentication disabled.

3. Pass-the-Ticket (PTT)

  • Description: An attack where attackers steal valid Kerberos tickets (TGT or TGS) from a compromised machine and use them to authenticate to other services without needing the user's credentials.

  • Target: Any user who possesses valid Kerberos tickets.

4. Golden Ticket Attack

  • Description: Attackers create forged Ticket Granting Tickets (TGTs) using the KRBTGT account’s hash. They can then impersonate any user in the domain, including those with elevated privileges.

    • Golden Tickets are forged Ticket Granting Tickets (TGTs) used within the Kerberos authentication framework. They allow attackers to impersonate any user, including administrative accounts, by bypassing standard authentication protocols. A Golden Ticket is crafted using the Key Distribution Center (KDC) service's secret key, specifically the KRBTGT account's NTLM hash.

      When a Golden Ticket is presented to a Domain Controller, it is sent as part of the TGS-REQ (Ticket Granting Service Request) to obtain service tickets for any application or resource in the domain. This forgery is significant because, once generated, the Golden Ticket can grant access to any resource without further authentication checks.

      The legitimacy of a Golden Ticket derives from its encryption/signing by the KRBTGT account, allowing it to be accepted by any KDC within the domain. Since the TGT is validated by the KDC using the KRBTGT password hash, it can be decrypted and confirmed as legitimate, provided it passes the valid Ticket Granting Ticket (TGT) and Privileged Attribute Certificate (PAC) checks. The ability to forge Golden Tickets is a critical vulnerability that can lead to extensive unauthorized access within an organization’s network.

  • Target: Domain Controller environments; any users up to Domain Admin level.

5. Silver Ticket Attack

  • Description: This type involves forging service tickets (TGS) for specific services using a service account's hash. Silver Tickets allow attackers to access resources without needing to communicate with the KDC.

    • Silver Tickets are Kerberos service tickets issued for specific services within an Active Directory environment. Unlike Golden Tickets, which are forged Ticket Granting Tickets (TGTs) used for generic authentication across the entire domain, Silver Tickets are specific to a particular service and can be used to access that service directly. Silver Tickets are created using the service account's secret key, which is derived from the NTLM hash of the account used by the service. This means that if an attacker compromises a service account's credentials, they can generate valid Silver Tickets for that specific service, allowing them to gain unauthorized access to the resources provided by that service without needing to authenticate against the Key Distribution Center (KDC) again.

    • When a Silver Ticket is presented to a service, it is validated against the service's secret key. If the ticket is legitimate, the service grants access to the requested resource. Since Silver Tickets do not flow through the KDC, they are less detectable and can provide attackers with persistent access to critical services without raising immediate alarms.

    • The significant risk associated with Silver Tickets arises from their potential to enable broad unauthorized access when a service account is compromised. Attackers can impersonate users and gain access to sensitive information, making it essential for organizations to securely manage and monitor service account credentials.

  • Target: Specific service accounts and the services leveraging those accounts.
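Sections 3 (Pass-the-Ticket) and 5 (Silver Ticket) both come down to a service accepting a ticket that the KDC never issued to that client. As an added example, not part of the original page, the Python below correlates constructed Event 4769 records (service ticket requests, as logged on a domain controller) with constructed Event 4624 Kerberos network logons from member servers: a logon with no ticket request behind it is the Silver Ticket pattern described above, and a ticket request that came from a different client address than the logon is the Pass-the-Ticket pattern. The event shape, field names, host names and IP addresses are simplified assumptions, not real logs.

```python
"""Correlate Kerberos network logons on member servers with the 4769 service
ticket requests recorded on the domain controllers.

A forged Silver Ticket is presented straight to the service, so no domain
controller ever logs a 4769 for it; a stolen ticket replayed from another host
(Pass-the-Ticket) does have a 4769, but its Client Address differs from the
machine the logon later comes from. Both cases surface here. All event records
below are constructed sample data, simplified from the real event fields.
"""
from datetime import datetime, timedelta

# Constructed DC events (Event ID 4769: a Kerberos service ticket was requested).
DC_4769 = [
    {"time": "2024-05-01T08:30:00", "user": "carol@CORP.LOCAL", "service": "cifs/FS01.corp.local", "client_ip": "::ffff:10.0.0.31"},
    {"time": "2024-05-01T09:00:05", "user": "alice@CORP.LOCAL", "service": "cifs/FS01.corp.local", "client_ip": "::ffff:10.0.0.15"},
    {"time": "2024-05-01T09:01:10", "user": "bob@CORP.LOCAL", "service": "MSSQLSvc/SQL01.corp.local:1433", "client_ip": "::ffff:10.0.0.22"},
]

# Constructed member-server events (Event ID 4624, Logon Type 3 = network logon).
SERVER_4624 = [
    {"time": "2024-05-01T09:00:07", "host": "FS01", "user": "alice", "domain": "CORP", "src_ip": "10.0.0.15", "auth_pkg": "Kerberos"},
    {"time": "2024-05-01T09:01:12", "host": "SQL01", "user": "bob", "domain": "CORP", "src_ip": "10.0.0.22", "auth_pkg": "Kerberos"},
    {"time": "2024-05-01T09:05:00", "host": "FS01", "user": "Administrator", "domain": "CORP", "src_ip": "10.0.0.99", "auth_pkg": "Kerberos"},
    {"time": "2024-05-01T09:10:00", "host": "FS01", "user": "carol", "domain": "CORP", "src_ip": "10.0.0.77", "auth_pkg": "Kerberos"},
    {"time": "2024-05-01T09:12:00", "host": "FS01", "user": "dave", "domain": "CORP", "src_ip": "10.0.0.40", "auth_pkg": "NTLM"},
]


def _spn_host(spn):
    """'MSSQLSvc/SQL01.corp.local:1433' -> 'SQL01' (short host name the SPN points at)."""
    target = spn.split("/", 1)[1] if "/" in spn else spn
    return target.split(":", 1)[0].split(".", 1)[0].upper()


def _principal(user):
    """'alice@CORP.LOCAL', 'CORP\\alice' or 'alice' -> 'ALICE'."""
    user = user.split("@", 1)[0]
    user = user.rsplit("\\", 1)[-1]
    return user.upper()


def _ip(addr):
    """4769 Client Address is usually IPv4-mapped ('::ffff:10.0.0.15'); normalise it."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def audit_kerberos_logons(dc_events, server_events, window=timedelta(hours=10)):
    """Return one alert per Kerberos 4624 that has no plausible 4769 behind it.

    window: how far back to look for the ticket request. Service tickets are
    cached and reused, so the window should cover the ticket lifetime.
    """
    issued = {}
    for e in dc_events:
        key = (_principal(e["user"]), _spn_host(e["service"]))
        issued.setdefault(key, []).append((datetime.fromisoformat(e["time"]), _ip(e["client_ip"])))

    alerts = []
    for logon in server_events:
        if logon["auth_pkg"] != "Kerberos":
            continue  # NTLM logons are not ticket-based; out of scope for this check
        t = datetime.fromisoformat(logon["time"])
        key = (_principal(logon["user"]), logon["host"].upper())
        candidates = [(ti, ip) for ti, ip in issued.get(key, []) if t - window <= ti <= t]
        if not candidates:
            # Service accepted a ticket the KDC never handed out: Silver Ticket pattern
            alerts.append({"logon": logon, "reason": "no_tgs_request"})
        elif not any(ip == logon["src_ip"] for _, ip in candidates):
            # Ticket exists but was requested from another machine: Pass-the-Ticket pattern
            alerts.append({"logon": logon, "reason": "source_mismatch"})
    return alerts


if __name__ == "__main__":
    for a in audit_kerberos_logons(DC_4769, SERVER_4624):
        l = a["logon"]
        print(f"{l['time']} {l['host']} {l['domain']}\\{l['user']} from {l['src_ip']}: {a['reason']}")
```

Two caveats apply when running this against real telemetry: 4769 events have to be collected from every domain controller (a request served by an uncollected DC looks exactly like a Silver Ticket), and the SPN-to-host mapping breaks for services reached through aliases or CNAMEs, so expect to tune the matching. A Golden Ticket is not caught by this check, because, as the section above notes, it is presented to the KDC and does produce a 4769.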

6. Ticket Granting Service (TGS) Abuse

  • Description: Exploiting the Kerberos TGS to gain unauthorized access to services by requesting tickets for services without proper authentication, often by stealing or misusing tokens.

  • Target: Services accessible through Kerberos tickets.

7. DCOM and WMI Attacks

  • Description: Attackers use DCOM (Distributed Component Object Model) and WMI (Windows Management Instrumentation) for lateral movement across the network, which often ties into Kerberos authentication processes.

  • Target: Windows services that allow remote management and depend on Kerberos for authentication.

8. SPN (Service Principal Name) Targeting

  • Description: Attackers can manipulate SPNs to make Kerberoasting more effective, targeting high-value services that may have weak passwords.

  • Target: Services registered in AD that use SPNs.

9. Abusing User Accounts

  • Description: Attackers look for accounts with privileged access where pre-authentication is disabled, since such accounts are easier to exploit through various methods.

  • Target: User accounts with elevated privileges without pre-authentication requirements.
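Sections 1, 2, 8 and 9 all reduce to directory attributes a defender can audit: an SPN on a user account (Kerberoasting, SPN targeting), the DONT_REQ_PREAUTH bit in userAccountControl (AS-REP roasting), and privileged group membership on either (abusing user accounts). The Python below is an added example, not the page's own tooling; it runs over a constructed export in the shape of a Get-ADUser/LDAP dump (the account names, dates and group memberships are made up) and ranks the findings. The bit values are the documented userAccountControl and msDS-SupportedEncryptionTypes flags.

```python
"""Audit an AD user export for Kerberoastable and AS-REP-roastable accounts.

The records below are constructed sample data in the shape of a
Get-ADUser/LDAP export; in practice feed the function the real exported
attributes. Flag constants are the documented userAccountControl and
msDS-SupportedEncryptionTypes bit values.
"""
from datetime import datetime

# userAccountControl bits
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000
# msDS-SupportedEncryptionTypes bits
RC4_HMAC = 0x04
AES128 = 0x08
AES256 = 0x10

# Groups whose members make a roastable account a critical finding (assumption: extend per domain)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Backup Operators", "Account Operators"}

# Fixed reference date so password-age checks on the sample data are deterministic
REFERENCE_NOW = datetime(2024, 5, 1)

# Constructed export: sAMAccountName, UAC, SPNs, encryption types, pwdLastSet, group membership
SAMPLE_EXPORT = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/SQL01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2019-03-01", "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256, "pwdLastSet": "2024-01-15", "memberOf": []},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x400200,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None, "pwdLastSet": "2024-02-01", "memberOf": []},
    {"sAMAccountName": "backup_admin", "userAccountControl": 0x400200,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None, "pwdLastSet": "2023-11-20",
     "memberOf": ["Backup Operators"]},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202,  # disabled: not a live target
     "servicePrincipalName": ["HOST/old01.corp.local"], "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": "2018-01-01", "memberOf": []},
    {"sAMAccountName": "SQL01$", "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/SQL01.corp.local"], "msDS-SupportedEncryptionTypes": AES256,
     "pwdLastSet": "2024-04-20", "memberOf": []},
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None, "pwdLastSet": "2024-03-10", "memberOf": []},
]


def _rc4_allowed(enc_types):
    """Unset/0 means no AES keys were explicitly enabled, so RC4 tickets remain obtainable."""
    return enc_types is None or enc_types == 0 or bool(enc_types & RC4_HMAC)


def audit_accounts(records, now=REFERENCE_NOW, max_pw_age_days=365):
    """Return findings: preauth_disabled (AS-REP roasting) and spn_user_account (Kerberoasting)."""
    findings = []
    for r in records:
        name = r["sAMAccountName"]
        uac = r.get("userAccountControl", 0)
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot be roasted; clean them up separately
        if name.endswith("$"):
            continue  # computer accounts: long random machine passwords, not crackable in practice
        privileged = bool(PRIVILEGED_GROUPS & set(r.get("memberOf", [])))

        if uac & DONT_REQ_PREAUTH:
            findings.append({"account": name, "issue": "preauth_disabled",
                             "severity": "critical" if privileged else "medium"})

        if r.get("servicePrincipalName"):
            reasons = []
            if _rc4_allowed(r.get("msDS-SupportedEncryptionTypes")):
                reasons.append("rc4_allowed")  # RC4 tickets crack far faster than AES
            age = (now - datetime.fromisoformat(r["pwdLastSet"])).days
            if age > max_pw_age_days:
                reasons.append(f"password_age_{age}d")
            if privileged:
                reasons.append("privileged_member")
            severity = "critical" if privileged else ("high" if reasons else "low")
            findings.append({"account": name, "issue": "spn_user_account",
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_EXPORT):
        print(f"{f['severity']:8} {f['account']:14} {f['issue']} {f.get('reasons', '')}")
```

The ranking encodes the page's own priorities: a user account with an SPN is always worth a look, it becomes high when RC4 is still obtainable or the password has not rotated, and either finding becomes critical when the account sits in a privileged group (the section 9 case). The natural remediations follow from the reasons: move service accounts to gMSAs or long rotated passwords, set AES-only encryption types, and clear DONT_REQ_PREAUTH unless a specific application requires it.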

Each of these attacks takes advantage of the Kerberos authentication system, which, while secure by design, can be manipulated through misconfigurations, weak passwords, and other vulnerabilities within an Active Directory setup. Proper mitigations and security policies are essential defenses against these threats.


Last updated 6 months ago