Most large enterprises regularly change their Kerberos passwords. Small- to medium-sized businesses, however, might not have changed them since implementing their domain infrastructure. When an attacker wiggles into a network, they can use the golden ticket attack sequence. Active Directory (AD) uses the KRBTGT in the AD domain for Kerberos tickets. If the KRBTGT account password hash is stolen or broken with an attack, the attackers can then grant themselves full access to your network with the necessary authentication.
Changing the Kerberos password is a must-do task if you monitor and maintain an AD infrastructure. If you have had or suspect an intrusion, change that password immediately after the network has been stabilized. Plan on changing it at least twice a year. Performing this action on a regular basis will stop golden ticket attacks. You’ll also want to implement an auditing tool that can detect golden ticket attacks in your environment.
KRBTGT authentication sequence in Active Directory
The KRBTGT account is used in AD in the following sequence:
- A user logs on with AD username and password to a domain-joined computer (usually a workstation).
- The user then requests authentication by sending a timestamp encrypted with the user’s password-based encryption key in the form of a password hash.
- The user account then requests a Kerberos service ticket with Kerberos AS-REQ.
- The Kerberos server (KDC) receives the authentication request, validates the data, and replies with a TGT (Kerberos AS-REP).