1. Introduction
Kerberos pre-authentication is disabled on a user account, creating a vulnerability known as AD Starter Scan – Kerberos Pre-authentication Validation. This allows an attacker to potentially guess user passwords faster than with standard brute-force methods. Systems running Active Directory are typically affected. A successful attack could compromise confidentiality of user credentials and allow unauthorized access to the network.
2. Technical Explanation
Active Directory uses Kerberos for authentication, but older configurations may have pre-authentication disabled on individual accounts. An attacker can exploit this by sending an AS-REQ to the KDC (Key Distribution Center) on behalf of such a user without knowing the password. The KDC answers with an AS-REP whose encrypted part is keyed from the user's password, and the attacker attempts to crack that part offline by brute force; this is the AS-REP Roasting attack.
- Root cause: The DONT_REQ_PREAUTH flag (0x400000) is set in the userAccountControl attribute, which tells the KDC not to require Kerberos pre-authentication for that account.
- Exploit mechanism: An attacker identifies users with DONT_REQ_PREAUTH enabled and requests a TGT from the KDC. They then attempt to crack the encrypted portion of the AS-REP response offline.
- Scope: Active Directory user accounts, particularly legacy accounts or those configured without modern security best practices.
3. Detection and Assessment
You can confirm vulnerability by checking user account settings in Active Directory. A thorough scan will identify all affected accounts.
- Quick checks: Use PowerShell to check the userAccountControl attribute for a specific user:
Get-ADUser -Identity "username" -Properties userAccountControl | Select-Object SamAccountName, userAccountControl
Look for the DONT_REQ_PREAUTH flag (0x400000, decimal 4194304) in the returned value; if that bit is set, pre-authentication is not required for the account.
- Scanning: Nessus plugin ID 14c411d0 can identify accounts without Kerberos pre-authentication enabled.
- Logs and evidence: No specific logs directly indicate this vulnerability, but monitoring for unusual AS-REQ requests could be indicative of an attack attempt.
4. Solution / Remediation Steps
Configure accounts to use Kerberos pre-authentication. This is the default setting in most modern Active Directory environments, but legacy accounts may require manual configuration.
4.1 Preparation
- No services need to be stopped for this change.
- Roll back plan: If issues occur, revert the user account settings using PowerShell or the Active Directory Users and Computers console.
4.2 Implementation
- Step 1: Use PowerShell to enable Kerberos pre-authentication for a specific user by clearing the DONT_REQ_PREAUTH flag:
Set-ADAccountControl -Identity "username" -DoesNotRequirePreAuth $false
- Step 2: Repeat Step 1 for all identified vulnerable accounts. Alternatively, use a script to automate the process across multiple users.
4.3 Config or Code Example
Before (pre-authentication not required: DONT_REQ_PREAUTH 0x400000 is set in addition to NORMAL_ACCOUNT 0x200)
Get-ADUser -Identity "username" -Properties userAccountControl | Select-Object SamAccountName, userAccountControl

SamAccountName userAccountControl
-------------- ------------------
username                  4194816

After (flag cleared; only NORMAL_ACCOUNT remains)
Get-ADUser -Identity "username" -Properties userAccountControl | Select-Object SamAccountName, userAccountControl

SamAccountName userAccountControl
-------------- ------------------
username                       512
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue. Least privilege reduces the impact of compromised accounts, while regular security audits identify misconfigurations like disabled pre-authentication.
- Practice 1: Implement least privilege principles to limit user access and reduce the potential damage from a successful attack.
- Practice 2: Conduct regular Active Directory security audits to identify and remediate misconfigured accounts.
4.5 Automation (Optional)
A PowerShell script can automate enabling Kerberos pre-authentication for multiple users.
# Get a list of users that do not require pre-authentication.
# The LDAP matching rule 1.2.840.113556.1.4.803 is a bitwise AND, so this matches
# only accounts whose userAccountControl has DONT_REQ_PREAUTH (0x400000 = 4194304) set.
$users = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' -Properties userAccountControl
# Loop through each user and enable pre-authentication by clearing the flag
foreach ($user in $users) {
    Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false
    Write-Host "Enabled Kerberos pre-authentication for $($user.SamAccountName)"
}

5. Verification / Validation
Confirm the fix by rechecking user account settings in Active Directory. A smoke test should verify normal authentication functionality.
- Post-fix check: Run
Get-ADUser -Identity "username" -Properties userAccountControl | Select-Object SamAccountName, userAccountControl
and confirm that the DONT_REQ_PREAUTH bit (0x400000) is no longer set in the userAccountControl value.
- Re-test: Re-run the Nessus scan (plugin ID 14c411d0) to verify that the account is no longer flagged as vulnerable.
- Smoke test: Log in with the affected user account to confirm normal authentication functionality.
- Monitoring: Monitor Active Directory event logs for failed login attempts or unusual AS-REQ requests, which could indicate an ongoing attack.
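The monitoring called for here and in section 3, as an added example that is not part of the original page: a PowerShell function that reads Security event 4768 (a Kerberos TGT was requested) from a domain controller and reports requests the KDC answered with a Pre-Authentication Type of 0, which is exactly the exchange an AS-REP Roasting attempt produces against an account with DONT_REQ_PREAUTH set. It assumes the script runs with event-log read rights on a domain controller that audits "Kerberos Authentication Service"; the function name and the 24-hour window are assumptions.

```powershell
# Added example, not the page's own code. Reports successful TGT requests that
# involved no pre-authentication (PreAuthType 0) in Security event 4768.
function Get-NoPreAuthTgtRequest {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,        # assumed: a domain controller
        [datetime]$StartTime  = (Get-Date).AddHours(-24)   # assumed lookback window
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4768
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # The useful fields live in the event's XML EventData block.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # PreAuthType 0 = TGT issued without any pre-authentication;
        # Status 0x0 = the request succeeded, so the AS-REP was actually handed out.
        if ($data['PreAuthType'] -eq '0' -and $data['Status'] -eq '0x0') {
            [pscustomobject]@{
                Time          = $event.TimeCreated
                Account       = $data['TargetUserName']
                ClientAddress = $data['IpAddress']
                TicketEncType = $data['TicketEncryptionType']   # 0x17 = RC4, the weakest
            }
        }
    }
}

# Group by account and source so a burst of requests from one client stands out
# from the occasional legitimate logon of a legacy account.
Get-NoPreAuthTgtRequest |
    Group-Object Account, ClientAddress |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Running it on each domain controller (or forwarding 4768 to a SIEM and applying the same filter) gives a per-account, per-source count; any account that appears here should also be on the remediation list from section 3.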
6. Preventive Measures and Monitoring
Update security baselines to enforce Kerberos pre-authentication for all new accounts. Implement CI/CD pipeline checks to prevent misconfigurations during account creation or modification.
- Baselines: Update your Active Directory security baseline or Group Policy Object (GPO) to require Kerberos pre-authentication by default.
- Pipelines: Add a check in your CI/CD pipeline to ensure that all new user accounts are created with Kerberos pre-authentication enabled.
- Asset and patch process: Review Active Directory configurations regularly as part of your overall asset management and patch process.
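A compliance gate for the baseline and pipeline checks above, added here as an example rather than the page's own script: it reports every user created within a chosen window whose userAccountControl has DONT_REQ_PREAUTH set and exits non-zero so the pipeline step or scheduled job fails. It assumes the ActiveDirectory module and read access to the domain; the function name, the 7-day window and the CSV path are assumptions.

```powershell
# Added example, not the page's own code. Fails a pipeline step when newly created
# accounts do not require Kerberos pre-authentication.
$DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit that disables pre-authentication

function Get-PreAuthFinding {
    param([int]$Days = 0)   # 0 = whole domain; N = only accounts created in the last N days

    # LDAP matching rule 1.2.840.113556.1.4.803 is a bitwise AND, so the filter
    # returns only objects that actually have the DONT_REQ_PREAUTH bit set.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH))"

    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, whenCreated |
        Where-Object { $Days -eq 0 -or $_.whenCreated -gt (Get-Date).AddDays(-$Days) } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                Enabled            = $_.Enabled
                WhenCreated        = $_.whenCreated
                UserAccountControl = ('0x{0:X}' -f $_.userAccountControl)
                # Re-check the bit locally rather than trusting the filter alone.
                DontReqPreAuth     = (($_.userAccountControl -band $DONT_REQ_PREAUTH) -ne 0)
            }
        }
}

# Assumed policy: any account created in the last 7 days with the flag set fails the job.
$findings = @(Get-PreAuthFinding -Days 7)
$findings | Export-Csv -Path '.\preauth-findings.csv' -NoTypeInformation   # assumed report path

if ($findings.Count -gt 0) {
    Write-Error "$($findings.Count) account(s) created in the last 7 days do not require Kerberos pre-authentication."
    exit 1
}
Write-Host 'Kerberos pre-authentication check passed.'
```

Calling Get-PreAuthFinding with -Days 0 turns the same function into the periodic whole-domain audit described under 4.4 and the asset review above.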
7. Risks, Side Effects, and Roll Back
Enabling Kerberos pre-authentication should not cause service disruptions in most modern environments. However, older systems or applications may have compatibility issues.
- Roll back: If issues occur, restore the previous state with PowerShell (Set-ADAccountControl -Identity "username" -DoesNotRequirePreAuth $true) or through the Active Directory Users and Computers console; either sets the DONT_REQ_PREAUTH flag on the userAccountControl attribute again.
8. References and Resources
Links to official advisories and documentation related to this vulnerability.
- Vendor advisory or bulletin: https://www.tenable.com/blog/new-in-nessus