Understading Kerberos

Learn how to abuse the Kerberos Ticket Granting Service inside of a Windows Domain Controller

What is Kerberos?

Kerberos is the default authentication service for Microsoft Windows domains. It is intended to be more “secure” than NTLM by using third party ticket authorization as well as stronger encryption. Even though NTLM has a lot more attack vectors to choose from Kerberos still has a handful of underlying vulnerabilities just like NTLM that we can use to our advantage.

Ye NTLM se zyada secure mana jata hai kyunki:

Ticket-based authentication use karta hai
Trusted third party (KDC) ka use hota hai
Strong encryption hoti hai
Password network par kabhi directly nahi jata

Phir bhi Kerberos 100% secure nahi hai — isme bhi attacks possible hain:

Kerberoasting
Golden Ticket

Common Terminology

Ticket Granting Ticket (TGT) — A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources from the domain.
Key Distribution Center (KDC) — The Key Distribution Center is a service for issuing TGTs and service tickets that consist of the Authentication Service and the Ticket Granting Service.

KDC Kerberos ka central authority hota hai.
KDC ke 2 parts:

Authentication Service (AS)
Ticket Granting Service (TGS)

Authentication Service (AS) — The Authentication Service issues TGTs to be used by the TGS in the domain to request access to other machines and service tickets.

User ka login verify karta hai
User ko TGT (Ticket Granting Ticket) deta hai

Ticket Granting Service (TGS) — The Ticket Granting Service takes the TGT and returns a ticket to a machine on the domain.

User se TGT leta hai
User ko Service Ticket deta hai

KDC Long Term Secret Key (KDC LT Key) — The KDC key is based on the KRBTGT service account. It is used to encrypt the TGT and sign the PAC.

KRBTGT service account se related hota hai
TGT encrypt karta hai
PAC sign karta hai
⚠️ Compromise = Golden Ticket attack

Client Long Term Secret Key (Client LT Key) — The client key is based on the computer or service account. It is used to check the encrypted timestamp and encrypt the session key.
Service Long Term Secret Key (Service LT Key) — The service key is based on the service account. It is used to encrypt the service portion of the service ticket and sign the PAC.
Session Key — Issued by the KDC when a TGT is issued. The user will provide the session key to the KDC along with the TGT when requesting a service ticket.

KDC generate karta hai
Client ↔ KDC aur Client ↔ Service ke beech use hota hai
Secure communication ke liye

Service Principal Name (SPN) — A Service Principal Name is an identifier given to a service instance to associate a service instance with a domain service account. Windows requires that services have a domain service account which is why a service needs an SPN set.

Specific service ke liye hota hai (SQL, File Server, Web App)
Service ke password-based key se encrypt hota hai
PAC included hota hai

Kya SPN sabke paas hota hai?

Nahi ❌ ❌ Normal users ke paas SPN nahi hota

SPN sirf hota hai:

Domain Service Accounts ke paas
Computer Accounts ke paas

Example:

Computer account (e.g. SERVER01$)
Service account (e.g. sqlservice, websvc)

Example:
HTTP/webserver.domain.com
MSSQLSvc/sqlserver.domain.com:1433
CIFS/fileserver.domain.com

PAC (Privilege Attribute Certificate) kya hota hai?

Privilege Attribute Certificate (PAC) — The PAC holds all of the user’s relevant information, it is sent along with the TGT to the KDC to be signed by the Target LT Key and the KDC LT Key in order to validate the user.

PAC = user ki puri authority ka data

PAC me hota hai:
User SID
Group membership
Privileges
User rights

Working FLOW

1. User login karta hai
2. KDC → TGT deta hai (PAC ke sath)
3. User TGS ko TGT deta hai
4. TGS → Service Ticket deta hai (SPN ke basis pe)
5. User Service ko Service Ticket deta hai
6. Service PAC check karti hai → Access allow/deny

AS-REQ w/ Pre-Authentication In Detail -

The AS-REQ step in Kerberos authentication starts when a user requests a TGT from the KDC. In order to validate the user and create a TGT for the user, the KDC must follow these exact steps. The first step is for the user to encrypt a timestamp NT hash and send it to the AS. The KDC attempts to decrypt the timestamp using the NT hash from the user, if successful the KDC will issue a TGT as well as a session key for the user.

Ticket Granting Ticket Contents -

In order to understand how the service tickets get created and validated, we need to start with where the tickets come from; the TGT is provided by the user to the KDC, in return, the KDC validates the TGT and returns a service ticket.

Service Ticket Contents -

To understand how Kerberos authentication works you first need to understand what these tickets contain and how they're validated. A service ticket contains two portions: the service provided portion and the user-provided portion. I'll break it down into what each portion contains.

Service Portion: User Details, Session Key, Encrypts the ticket with the service account NTLM hash.
User Portion: Validity Timestamp, Session Key, Encrypts with the TGT session key.

Kerberos Authentication Overview -

AS-REQ - 1.) The client requests an Authentication Ticket or Ticket Granting Ticket (TGT).

AS-REP - 2.) The Key Distribution Center verifies the client and sends back an encrypted TGT.

TGS-REQ - 3.) The client sends the encrypted TGT to the Ticket Granting Server (TGS) with the Service Principal Name (SPN) of the service the client wants to access.

TGS-REP - 4.) The Key Distribution Center (KDC) verifies the TGT of the user and that the user has access to the service, then sends a valid session key for the service to the client.

AP-REQ - 5.) The client requests the service and sends the valid session key to prove the user has access.

AP-REP - 6.) The service grants access

Kerberos Tickets Overview -

The main ticket you will receive is a ticket-granting ticket (TGT). These can come in various forms, such as a .kirbi for Rubeus and .ccache for Impacket. A ticket is typically base64 encoded and can be used for multiple attacks.

The ticket-granting ticket is only used to get service tickets from the KDC. When requesting a TGT from the KDC, the user will authenticate with their credentials to the KDC and request a ticket. The server will validate the credentials, create a TGT and encrypt it using the krbtgt key. The encrypted TGT and a session key will be sent to the user.

When the user needs to request a service ticket, they will send the TGT and the session key to the KDC, along with the service principal name (SPN) of the service they wish to access. The KDC will validate the TGT and session key. If they are correct, the KDC will grant the user a service ticket, which can be used to authenticate to the corresponding service.

Attack Privilege Requirements -

Kerbrute Enumeration - No domain access required
Pass the Ticket - Access as a user to the domain required
Kerberoasting - Access as any user required
AS-REP Roasting - Access as any user required
Golden Ticket - Full domain compromise (domain admin) required
Silver Ticket - Service hash required
Skeleton Key - Full domain compromise (domain admin) required

PreviousActive Directory Cheat Sheet

Last updated 1 month ago

Good afternoon

hashtagWhat is Kerberos?

hashtagCommon Terminology

hashtagAS-REQ w/ Pre-Authentication In Detail -

hashtagTicket Granting Ticket Contents -

hashtagService Ticket Contents -

hashtagKerberos Authentication Overview -

hashtagKerberos Tickets Overview -

hashtagAttack Privilege Requirements -