‘Windows implementation of Kerberos protocol is flawed’ – update


A security researcher writes that Kerberos, an authentication protocol used in Windows among other systems, has flaws that allow a malicious user to, among other things, grant himself administrator privileges. The flaw reportedly cannot be stopped.

The Kerberos protocol makes it possible to authenticate users on a network without sending passwords over it. A key distribution center is used for this, which provides the necessary keys. The researcher behind the Dfir-Blog managed to use the password of an account called ‘krbtgt’ to create a secret key. This account is created by default and is designated by Microsoft as a ‘service account’. Its name cannot be changed and the account cannot be deleted. Changing the default password is recommended, but according to the researcher this almost never happens.

With the created key, the key distribution center can then be persuaded to grant further authorizations. After that, all kinds of actions would be possible, including creating new users. Creating the key for the deprecated RC4 algorithm is quite simple, as it is equal to the user's NTLM hash.

According to the researcher, the attack cannot be countered, “because this is how Kerberos works.” The best option would be to protect privileged accounts and use Microsoft techniques such as the Protected Users group and Credential Guard. The Register asked Microsoft for comment, and the company says it is aware of the issue.

Update, December 16: This scenario assumes that the attacker already has access to the domain controller. It is also not a new flaw in Kerberos; the techniques have long been known as ‘Golden Ticket’ and ‘Pass the Hash’. In an update on his blog, the researcher indicates that this is an extensive write-up and not new findings.
