
Kerberos

What is Kerberos?

Kerberos is the default authentication service for Microsoft Windows domains. It is intended to be more "secure" than NTLM by using third-party ticket authorization as well as stronger encryption. Even though NTLM has many more attack vectors to choose from, Kerberos still has a handful of underlying vulnerabilities, just like NTLM, that we can use to our advantage.

Common Terminology

(TGT) Ticket Granting Ticket

A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources in the domain.

(KDC) Key Distribution Center

The Key Distribution Center is the service that issues TGTs and service tickets; it consists of the Authentication Service and the Ticket Granting Service.

(AS) Authentication Service

The Authentication Service issues TGTs, which the client then presents to the TGS to request service tickets for other machines in the domain.

(TGS) Ticket Granting Service

The Ticket Granting Service takes the TGT and returns a service ticket for a machine on the domain.

(SPN) Service Principal Name

A Service Principal Name is an identifier given to a service instance to associate that instance with a domain service account. Windows requires that services have a domain service account, which is why a service needs an SPN set.

(KDC LT Key) KDC Long Term Secret Key

The KDC key is based on the KRBTGT service account. It is used to encrypt the TGT and sign the PAC.

(Client LT Key) Client Long Term Secret Key

The client key is based on the computer or service account. It is used to check the encrypted timestamp and encrypt the session key.

(Service LT Key) Service Long Term Secret Key

The service key is based on the service account. It is used to encrypt the service portion of the service ticket and sign the PAC.

(Session Key) Session Key

The session key is issued by the KDC along with the TGT. The user provides the session key to the KDC together with the TGT when requesting a service ticket.

(PAC) Privilege Attribute Certificate

The PAC holds all of the user's relevant information. It is sent along with the TGT to the KDC, where it is signed by the Target LT Key and the KDC LT Key in order to validate the user.

AS-REQ w/ Pre-Authentication In Detail

The AS-REQ step in Kerberos authentication starts when a user requests a (TGT) Ticket Granting Ticket from the (KDC) Key Distribution Center. In order to validate the user and create a TGT for them, the KDC must follow these exact steps. First, the user encrypts a timestamp with their NT hash and sends it to the (AS) Authentication Service. The KDC attempts to decrypt the timestamp using the user's NT hash; if this succeeds, the KDC issues a TGT as well as a session key for the user.

Ticket Granting Ticket Contents

In order to understand how service tickets get created and validated, we need to start with where the tickets come from. The user provides the (TGT) Ticket Granting Ticket to the (KDC) Key Distribution Center; in return, the KDC validates the TGT and returns a service ticket.

Service Ticket Contents

To understand how Kerberos authentication works you first need to understand what these tickets contain and how they're validated. A service ticket contains two portions: the service-provided portion and the user-provided portion. I'll break down what each portion contains.

  • Service Portion: User Details, Session Key; encrypted with the service account NTLM hash.
  • User Portion: Validity Timestamp, Session Key; encrypted with the (TGT) Ticket Granting Ticket session key.

Kerberos Authentication Overview

  • 1.) AS-REQ - The client requests an Authentication Ticket or Ticket Granting Ticket (TGT).
  • 2.) AS-REP - The Key Distribution Center verifies the client and sends back an encrypted (TGT) Ticket Granting Ticket.
  • 3.) TGS-REQ - The client sends the encrypted TGT to the Ticket Granting Service (TGS) with the Service Principal Name (SPN) of the service the client wants to access.
  • 4.) TGS-REP - The Key Distribution Center (KDC) verifies the user's TGT and that the user has access to the service, then sends a valid session key for the service to the client.
  • 5.) AP-REQ - The client requests the service and sends the valid session key to prove the user has access.
  • 6.) AP-REP - The service grants access.
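To make the AS-REQ pre-authentication step, the two-portion service ticket, and the six-step exchange above concrete, here is an added walk-through in Python. It is not code from the original page and it is not a real KDC: the principals (alice, svc_sql), the SPN, the passwords, and the seal/unseal routine are all constructed for the example. The toy cipher (hash-counter keystream plus an HMAC tag) stands in for Kerberos encryption types, and derive_key stands in for the NT hash; what it preserves is the key layering the page describes: client LT key for pre-auth, KDC LT key (krbtgt) for the TGT, service LT key for the service portion, and session keys for the user portions.

```python
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds; timestamps outside this window are rejected

def derive_key(password: str) -> bytes:
    # Constructed stand-in for a principal's long-term key (the NT hash in a Windows domain).
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, body: dict) -> bytes:
    """Toy authenticated encryption; stands in for 'encrypt with the X key' in the text."""
    plaintext = json.dumps(body, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one object."""
    def __init__(self):
        self.kdc_lt_key = derive_key("krbtgt-password")  # KDC LT key (krbtgt account)
        self.accounts = {}  # principal name -> long-term key (users and service accounts)
        self.spns = {}      # SPN -> service account that owns it

    def as_exchange(self, user: str, preauth: bytes, now: float):
        """AS-REQ/AS-REP: the pre-auth timestamp must decrypt under the client LT key."""
        client_lt_key = self.accounts[user]
        stamp = unseal(client_lt_key, preauth)  # wrong password -> PermissionError here
        if abs(now - stamp["timestamp"]) > CLOCK_SKEW:
            raise PermissionError("pre-auth timestamp outside allowed clock skew")
        session_key = os.urandom(32)
        pac = {"user": user, "groups": ["Domain Users"]}  # toy PAC, covered by the TGT's tag
        tgt = seal(self.kdc_lt_key, {"user": user, "session_key": session_key.hex(),
                                     "pac": pac, "expires": now + 600})
        return tgt, seal(client_lt_key, {"session_key": session_key.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str, now: float):
        """TGS-REQ/TGS-REP: only the KDC LT key opens the TGT; the authenticator proves the TGT session key."""
        tgt_body = unseal(self.kdc_lt_key, tgt)
        tgt_session_key = bytes.fromhex(tgt_body["session_key"])
        auth = unseal(tgt_session_key, authenticator)
        if auth["user"] != tgt_body["user"] or now > tgt_body["expires"]:
            raise PermissionError("authenticator does not match TGT, or TGT expired")
        service_lt_key = self.accounts[self.spns[spn]]
        svc_session_key = os.urandom(32)
        # Service portion: user details + session key + PAC, sealed with the service LT key
        service_ticket = seal(service_lt_key, {"user": tgt_body["user"], "spn": spn,
                              "session_key": svc_session_key.hex(), "pac": tgt_body["pac"]})
        # Client portion: sealed with the TGT session key so only this client learns the new key
        return service_ticket, seal(tgt_session_key, {"spn": spn, "session_key": svc_session_key.hex()})

def ap_exchange(service_lt_key: bytes, service_ticket: bytes, authenticator: bytes, now: float):
    """AP-REQ/AP-REP at the service: no KDC contact; its own LT key opens the service portion."""
    body = unseal(service_lt_key, service_ticket)
    auth = unseal(bytes.fromhex(body["session_key"]), authenticator)  # user portion
    if auth["user"] != body["user"] or abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match service ticket")
    return body["user"], body["pac"]["groups"]

def run_exchange(password: str = "alice-password", tamper_tgt: bool = False):
    """Client walk-through of steps 1-6; returns the (user, groups) the service accepted."""
    now = time.time()
    kdc = KDC()
    kdc.accounts["alice"] = derive_key("alice-password")      # constructed user
    kdc.accounts["svc_sql"] = derive_key("svc-sql-password")  # constructed service account
    spn = "MSSQLSvc/db01.corp.example:1433"                     # constructed SPN
    kdc.spns[spn] = "svc_sql"
    client_lt_key = derive_key(password)  # derived from whatever the user typed
    # 1-2. AS-REQ with pre-authentication, AS-REP
    tgt, enc = kdc.as_exchange("alice", seal(client_lt_key, {"timestamp": now}), now)
    tgt_session_key = bytes.fromhex(unseal(client_lt_key, enc)["session_key"])
    if tamper_tgt:
        tgt = tgt[:-1] + bytes([tgt[-1] ^ 1])  # flip one bit: the KDC must reject it
    # 3-4. TGS-REQ / TGS-REP
    ticket, enc = kdc.tgs_exchange(tgt, seal(tgt_session_key, {"user": "alice", "timestamp": now}), spn, now)
    svc_session_key = bytes.fromhex(unseal(tgt_session_key, enc)["session_key"])
    # 5-6. AP-REQ / AP-REP
    return ap_exchange(kdc.accounts["svc_sql"], ticket,
                       seal(svc_session_key, {"user": "alice", "timestamp": now}), now)
```

Calling run_exchange() returns ("alice", ["Domain Users"]); run_exchange(password="wrong") fails inside as_exchange, which is exactly the check the pre-authentication step performs, and run_exchange(tamper_tgt=True) fails at the TGS because the TGT no longer verifies under the KDC LT key. Two design points worth noticing for defenders: the service validates the ticket with nothing but its own long-term key, so whoever holds that key can mint tickets the service will accept, and the TGT is opaque to everyone except the holder of the krbtgt key, which is why that key is the most sensitive secret in the domain.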

Kerberos Tickets Overview

The main ticket that you will see is a ticket-granting ticket. These can come in various forms, such as a .kirbi for Rubeus or a .ccache for Impacket; the one you will see most often is the .kirbi ticket. A ticket is typically base64 encoded and can be used for various attacks. The ticket-granting ticket is only used with the Key Distribution Center (KDC) in order to get service tickets. Once you present the Ticket Granting Ticket (TGT), the server takes the user details and session key and encrypts the ticket with the service account NTLM hash. When you present your TGT, you supply the encrypted timestamp, the session key, and the encrypted TGT. The KDC then authenticates the TGT and gives back a service ticket for the requested service. A normal TGT will only work with the given service account that is connected to it; however, a KRBTGT ticket allows you to get any service ticket that you want, letting you access anything on the domain that you want.

Attack Privilege Requirements

  • Kerbrute Enumeration - No domain access required
  • Pass the Ticket - Access as a user to the domain required
  • Kerberoasting - Access as any user required
  • AS-REP Roasting - Access as any user required
  • Golden Ticket - Full domain compromise (domain admin) required
  • Silver Ticket - Service hash required
  • Skeleton Key - Full domain compromise (domain admin) required
