Kerberos - default authentication service for Microsoft Windows domains - uses third-party ticket authorization and stronger encryption

  1. TGT (Ticket Granting Ticket): authentication ticket used to request service tickets from the TGS
  2. KDC (Key Distribution Center): a service for issuing TGTs and service tickets (made up of the AS and the TGS)
  3. AS (Authentication Service): issues TGTs, which are then presented to the TGS in the domain to request service tickets for access to other machines
  4. TGS (Ticket Granting Service): takes a TGT and returns a ticket for a machine on the domain
  5. SPN (Service Principal Name): identifier given to a service instance - maps a service instance to a domain service account
  6. KDC LT Key (KDC long term secret key): key of the KRBTGT service account, used to encrypt the TGT and sign the PAC
  7. Client LT Key (Client long term secret key): based on the computer or service account; used to check the encrypted timestamp and encrypt the session key
  8. Service LT Key (Service long term secret key): based on the service account; used to encrypt the service portion of the service ticket and sign the PAC
  9. Session key: issued by the KDC when the TGT is issued. The user provides the session key to the KDC along with the TGT when requesting a service ticket
  10. PAC (Privilege Attribute Certificate): holds all the user's relevant info. Sent with the TGT to the KDC to be signed by the target LT key and the KDC LT key to validate the user

AS-REQ w/ pre-auth: - user requests a TGT from the KDC - user is validated as follows:

  1. The user encrypts a timestamp with their NT hash and sends it to the Authentication Service
  2. The Key Distribution Center decrypts the timestamp using the user's NT hash
  3. If successful, the Key Distribution Center issues a TGT and a session key for the user

TGT Contents - the TGT is provided by the user to the KDC - the KDC validates the TGT and returns a service ticket

Service Ticket Contents - Service portion: user details, session key; encrypted with the service account NTLM hash - User portion: validity timestamp, session key; encrypted with the TGT session key

Authentication Overview

  1. User sends a TGT request to the KDC
  2. KDC returns TGT + session key
  3. User sends Ticket Request + Authenticator to the KDC
  4. KDC returns Ticket + session key
  5. User sends Service Request + Authenticator to the Resource Server
  6. Resource Server returns Server Authentication
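The pre-auth steps and the six-step overview above, as an added toy model that is not code from these notes and not Rubeus or Impacket. The user name, password, SPN and group names are constructed, and the HMAC-based seal/unseal pair stands in for the RC4/AES encryption and the NT-hash key derivation of real Kerberos. What it shows is which key opens which part of each ticket, and that the AS rejects a pre-auth timestamp that is encrypted under the wrong key or falls outside the clock-skew window.

```python
import hashlib, hmac, json, os, time

SKEW = 300  # seconds; KDCs reject pre-auth timestamps outside the clock-skew window

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy authenticated encryption (nonce || ciphertext || HMAC tag); stands in for RC4/AES."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Raises ValueError if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def lt_key(password):
    # Real Kerberos uses the NT hash (MD4 over the UTF-16LE password) as the RC4 key;
    # MD4 is not reliably available in hashlib, so SHA-256 is the stand-in here.
    return hashlib.sha256(password.encode("utf-16le")).digest()

class KDC:
    """Authentication Service and Ticket Granting Service in one object."""
    def __init__(self, users, services):
        self.users = {u: lt_key(p) for u, p in users.items()}        # Client LT keys
        self.services = {s: lt_key(p) for s, p in services.items()}  # Service LT keys, by SPN
        self.krbtgt = os.urandom(32)                                  # KDC LT key

    def as_req(self, user, pre_auth, now=None):
        """AS-REQ with pre-auth: decrypt the timestamp with the client LT key, issue a TGT."""
        now = now if now is not None else time.time()
        ckey = self.users[user]
        ts = unseal(ckey, pre_auth)["timestamp"]        # wrong password -> ValueError
        if abs(now - ts) > SKEW:
            raise ValueError("KRB_AP_ERR_SKEW")          # stale or replayed timestamp
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"user": user, "session_key": sk,
                                 "pac": {"groups": ["Domain Users"]}})
        return tgt, seal(ckey, {"session_key": sk})      # session key returned under client key

    def tgs_req(self, tgt, authenticator, spn):
        """TGS-REQ: open the TGT (krbtgt key), check the authenticator (TGT session key), issue a service ticket."""
        t = unseal(self.krbtgt, tgt)                      # only the KDC can open a TGT
        auth = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if auth["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_sk = os.urandom(32).hex()
        service_part = seal(self.services[spn], {"user": t["user"], "pac": t["pac"],
                                                 "session_key": svc_sk})
        user_part = seal(bytes.fromhex(t["session_key"]), {"session_key": svc_sk, "spn": spn})
        return service_part, user_part

class Client:
    def __init__(self, user, password):
        self.user, self.key = user, lt_key(password)
    def pre_auth(self, now=None):
        return seal(self.key, {"timestamp": now if now is not None else time.time()})

def full_flow(kdc, user, password, spn):
    """Steps 1-6 of the authentication overview; returns what the resource server learns."""
    c = Client(user, password)
    tgt, enc = kdc.as_req(user, c.pre_auth())                     # 1-2: AS-REQ / AS-REP
    tgt_sk = bytes.fromhex(unseal(c.key, enc)["session_key"])
    authenticator = seal(tgt_sk, {"user": user, "timestamp": time.time()})
    svc_part, user_part = kdc.tgs_req(tgt, authenticator, spn)    # 3-4: TGS-REQ / TGS-REP
    svc_sk = bytes.fromhex(unseal(tgt_sk, user_part)["session_key"])
    ap_req = seal(svc_sk, {"user": user, "timestamp": time.time()})  # 5: request to the service
    # 6: the service opens the service portion with its OWN LT key, never contacting the KDC
    ticket = unseal(kdc.services[spn], svc_part)
    ap = unseal(bytes.fromhex(ticket["session_key"]), ap_req)
    return {"user": ticket["user"], "groups": ticket["pac"]["groups"], "auth_user": ap["user"]}

def demo():
    # Constructed sample principal, password and SPN
    kdc = KDC({"alice": "Winter2024!"}, {"cifs/fs01.corp.local": "svc-pass"})
    return full_flow(kdc, "alice", "Winter2024!", "cifs/fs01.corp.local")

if __name__ == "__main__":
    print(demo())
```

The user's password never leaves the client: only the encrypted timestamp does, and the KDC proves it knows the same long-term key by decrypting it. The resource server validates the service ticket offline with its own key, which is why the KDC is not involved in step 5 or 6.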

Kerberos Tickets Overview

  1. .kirbi = Rubeus - .kirbi is the main ticket format, base64 encoded
  2. .ccache = Impacket