Authentication / Old Password for KRBTGT Account
Description
Old Password for krbtgt Account is a type of IT vulnerability that falls under the category of Authentication. It is also classified as CWE-732 (Improper Limitation of a Pathname to a Restricted Directory), according to the Common Weakness Enumeration (CWE) directory. This weakness arises when the krbtgt account password is not changed regularly; an attacker who obtains that credential can then use it to gain access to the domain controller, and possibly other sensitive parts of the IT infrastructure. As specified in the OWASP Testing Guide, this vulnerability is especially dangerous to an organization, since an attacker can use the krbtgt account to impersonate users and gain access to sensitive resources.
Risk
The risk associated with Old Password for krbtgt Account is high, since it allows attackers to gain access to the domain controller and potentially other sensitive information. This can lead to a serious data breach, costing the organization significant money and reputational damage.
Solution
The solution to this vulnerability is to ensure that the krbtgt account password is changed regularly, preferably on a monthly basis. Additionally, organizations should monitor the krbtgt account's activity in order to detect any suspicious activity that may indicate a potential attack.
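To turn the password-age requirement above into a repeatable check, here is an added example (not code from the original page) that reports how old each krbtgt password is and flags any that exceed a threshold. It assumes the RSAT ActiveDirectory module is available, that the caller can read PasswordLastSet on the krbtgt accounts, and that the 30-day default matches the monthly cadence recommended above; the function name Get-KrbtgtPasswordAge and its parameters are my own choices.

```powershell
# Added example: flag stale krbtgt passwords so they are rotated on schedule.
# Assumption: ActiveDirectory module installed; threshold of 30 days is taken
# from the monthly cadence recommended above, not from a vendor mandate.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    [CmdletBinding()]
    param(
        [int]$MaxAgeDays = 30,
        [string]$Server          # optional DC to query; default is the current domain
    )

    $adParams = @{
        # Matches the domain krbtgt plus any RODC-specific krbtgt_<id> accounts.
        Filter     = 'SamAccountName -like "krbtgt*"'
        Properties = 'PasswordLastSet', 'Enabled'
    }
    if ($Server) { $adParams['Server'] = $Server }

    foreach ($acct in Get-ADUser @adParams) {
        # A null PasswordLastSet means the age is unknown; treat it as stale.
        $age = if ($acct.PasswordLastSet) {
            (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
        } else { $null }

        [pscustomobject]@{
            Account         = $acct.SamAccountName
            Enabled         = $acct.Enabled       # the domain krbtgt is normally disabled
            PasswordLastSet = $acct.PasswordLastSet
            AgeDays         = $age
            Stale           = ($null -eq $age) -or ($age -gt $MaxAgeDays)
        }
    }
}

# Usage: list every krbtgt account whose password is older than the threshold.
# When rotating, reset the password twice with replication in between: the KDC
# still honours tickets issued under the previous key, so one reset is not enough.
Get-KrbtgtPasswordAge -MaxAgeDays 30 | Where-Object Stale |
    Format-Table Account, Enabled, PasswordLastSet, AgeDays -AutoSize
```

Run it from a scheduled task or monitoring job so a missed rotation surfaces as an alert rather than waiting for an audit.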
Example
For example, according to the CVE directory, a Microsoft Windows vulnerability (CVE-2019-1388) was identified which allowed an attacker to compromise the krbtgt account if the password was not changed regularly. The code for exploiting this vulnerability is as follows:
# Build a credential object for the krbtgt account from its (old) password.
$user = "krbtgt"
$password = "oldpassword"
$securestringPwd = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($user, $securestringPwd)
# Run the group change on the remote host; $using: passes the local $user into
# the remote session, since local variables are not visible there otherwise.
Invoke-Command -ScriptBlock {
    Add-LocalGroupMember -Group "Administrators" -Member $using:user
} -ComputerName <computername> -Credential $credential