How to Stop the Kerberos Pre-Authentication Attack in Active Directory
Here’s a look at how to safeguard your Active Directory from the known roasting attack on Kerberos Pre-Authentication.
As part of the Kerberos authentication process in Active Directory, there is an initial request to authenticate without a password. This is an artifact left over from Kerberos versions earlier than Kerberos 5. In these earlier versions, Kerberos would allow authentication without a password.
Now, in Kerberos 5, a password is required, which is called “Pre-Authentication.” When looking at the Kerberos exchanges during log-on, you will initially see an AS-REQ (Authentication Server Request) followed by a Kerberos error, which will state that pre-auth is required.
This is where the attack is initiated. But it does require that the user account setting is toggled to negate the need for Kerberos Pre-Authentication. You can see the setting here in Figure 1.
Figure 1. User account configured to not require Kerberos Pre-Authentication.
The attack is referred to as an AS-REP roasting attack. To understand how it works, let’s look at the normal Pre-Authentication process. The encryption key for the AS-REQ process is a timestamp encrypted with the user’s password hash. If the timestamp of the AS-REP (Authentication Server Reply) is determined to be within a few minutes of the KDC’s (Key Distribution Center) time, the KDC will issue the TGT (ticket-granting ticket) via AS-REP.
However, if Pre-Authentication is not required, the attacker can simply send a fake AS-REQ, to which the KDC will immediately send the TGT because there is no password required. The AS-REP will include the TGT, along with some additional data that is encrypted with the user’s key (aka, the password hash), which can be obtained from the data and cracked offline.
Ideally, you don’t want user accounts to bypass this Pre-Authentication, so be sure to look for any users that have this set. You have many options, but the main two are:
1) PowerShell
Get-DomainUser -PreauthNotRequired
2) LDAP (Saved Query)
(&(&(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))))
Of course, Tenable.ad will also flag any user that has this insecure setting, as clearly it opens up an attack pathway into Active Directory, as shown in Figure 2.
Figure 2. Tenable.ad flags user accounts that don’t require Kerberos Pre-Authentication.
Although this is a known attack, which is why Microsoft added the preauthorization control in Kerberos 5, the setting might still be misconfigured for some users in Active Directory.
For more information on this topic and strategies for strengthening your Active Directory security, visit our Tenable.ad product page.
This blog post originally appeared on the Alsid website on July 14, 2020.
Related Articles
Cybersecurity Snapshot: CISA Shines Light on Cloud Security and on Hybrid IAM Systems’ Integration
March 15, 2024Check out CISA’s latest best practices for protecting cloud environments, and for securely integrating on-prem and cloud IAM systems. Plus, catch up on the ongoing Midnight Blizzard attack against Microsoft. And don’t miss the latest CIS Benchmarks. And much more!
Poor Identity Hygiene at Root of Nation-State Attack Against Microsoft
February 1, 2024The latest breach suffered by Microsoft shows once again that detection and response are not enough. Because the source of an attack almost always boils down to a single overlooked user and permission, it’s critical for organizations to have strong preventive security.
Cybersecurity Snapshot: What’s in Store for 2024 in Cyberland? Check Out Tenable Experts’ Predictions for OT Security, AI, Cloud Security, IAM and more
December 29, 2023The new year is upon us, and so we ponder the question: What cybersecurity trends will shape 2024? To find out, we asked Tenable experts to read the tea leaves. Their 2024 forecasts include: A bigger security role for cloud architects; a focus by ransomware gangs on OT systems in critical industries; an intensification of IAM attacks; and much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Active Directory
- Active Directory