AD Starter Scan - Kerberoasting

high Nessus Plugin ID 150480

Synopsis

A privileged account is vulnerable to the Kerberoasting attack.

Description

With Kerberoast, attackers exploit the internals of the Kerberos authentication protocol and generally target privileged domain user accounts. The goal of this attack is to discover the cleartext password of a privileged account, and thereby gain the associated rights. This attack can be performed from inside an Active Directory environment. All an attacker needs is a simple, unprivileged user account.

When the Service Principal Name attribute is set on an account, the underlying security of this account is further affected. Usually, password security policies are configured to lock an account after a few password failures in a row.
However, when this attribute is set, exhaustive password guessing is feasible.

Privileged accounts such as those in the Domain Admins group are usually targeted in Kerberoasting. Getting access to these accounts can lead to a full domain compromise.

By default, this check skips privileged disabled accounts. To also check privileged disabled accounts, please enable thorough tests.

Note: The AD Starter Scan and associated plugins are intended to be used with smaller AD deployments for purposes of preliminary analysis. Accurate preliminary analysis can be expected for AD deployments with up to 5000 users, groups or machines and incomplete results will be returned for larger AD deployments with Nessus, Security Center and Vulnerability Management. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations

Solution

In order to make sure that privileged accounts are not affected by the Kerberoast attack, different measures can be taken:

- remove the Service Principal Name from the user account
- if a Service Principal Name associated with a user account is required for functional reasons, use an unprivileged account instead
- increase the complexity of the password:
-- use Group Managed Service Accounts (gMSA) instead of user accounts
-- use Smart Cards for sensitive accounts

See Also

http://www.nessus.org/u?d5c4c81f

https://attack.mitre.org/techniques/T1558/003/

http://gost.isi.edu/publications/kerberos-neuman-tso.html

https://adsecurity.org/?p=3466

Plugin Details

Severity: High

ID: 150480

File Name: adsi_kerberoasting.nbin

Version: 1.91

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 3/27/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis by tenable.

CVSS v2

Risk Factor: High

Base Score: 7.1

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: ldap_enum_person/available, ldap_enum_group/available