166 – Insecure service configuration - Kerberoast
Description
Due to the operation of the Kerberos service it is possible to extract krbtgs hashes of users within the domain.
Impact
Obtain users hashes.
Recommendation
Configure a logger to alert Kerberoast attacks.
Threat
Unauthorized domain user with valid credentials in the internal network.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: A
- Attack complexity: L
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): L
- Integrity (VI): N
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: X