Blog

Hello folks!!! In this series of Active Directory, I am back with a new blog regarding Kerberos authentication and attacks. We will start with some basics of Kerberos and then move to the attacking part. If you have any doubts regarding any topic or if you think that the topics are not well explained, feel free to contact me.

What is Kerberos

Kerberos is named after a famous three-headed guard dog in the Greek methodology. Basically, it is an Authentication Protocol for the windows operating system, developed by the Massachusetts Institute of Technology for a project called Athena. Kerberos is not an Authorization protocol, it only verifies the identity of the users, it does not tell what resources a user can access.

Some of the Agents involve in Kerberos:

1. Server : The server which the user wants to access for the service or resource.
2. Client : The server which acts on behalf of the user for accessing the resource from the server.
3. Key Distribution Centre : The Key Distribution centre or KDC is a truted authority in Active Directory which is responsible for providing the service to the users by providing them tickets and session keys , and is installed on every Domain Cotroller.

Tickets Provided by KDC:

1. TGTs : Ticket granting Tickets are the tickets being deliverd by the KDC , on the request of user for the TGTs.It includes username, Session Key, Expiration Date and PAC with user privileges.
2. TGS : Ticket Granting Service is the tickets which users uses for the taking the service from any service account. It includes
   username, Session key, Expiration Date of the TGS and PAC, signed by KDC.

PAC or Privilege Attribute Certificate is an extension to the Kerberos ticket that contains the privilege of the user. When users use their Kerberos tickets to authenticate to other systems, the PAC can be read and used to determine their level of privileges without reaching out to the domain controller to query for that information.

Keys used in Kerberos:

1. User Key: It is the ntlm hash of the user which want to access the service.
2. Service Key: It is the nlm hash of the service account.
3. Session Key: It is the key which is provided when the client is interacting eith the KDC.
4. Service Session Key: It is the key provided when the client is interacting with the service account server.
5. Krbtgt Key: It is the ntlm hash of the krbtgt account.

Authentication Process

The Kerberos Authentication consist of five steps, consider the following diagram.

1.KRB_AS_REQ: In this step, the client requests the TGT from the key distribution centre. IN this process, the NTLM hash of the user with a timestamp is being sent to the KDC for the pre-authentication purpose.

2.KRB_AS_REP: IN this step, first KDC verifies the identity of the user with the given hash and timestamp, and then it replies with the TGT to the user.

3.KRB_TGS_REQ: In this step, the client after getting the TGT, request the TGS. In this process. the timestamp and TGT are being provided to the KDC.

4.KRB_TGS_REP: The KDC will reply with the TGS, after getting the request for it.

5.KRB_AP_REQ: IN the last step, the client will access the service from the application server with the help of TGS.

This is the whole authentication process involved in Kerberos. Much for the theory part, now we will move to the attacking part.

Attacks against Kerberos Protocol

1. Kerberos BruteForce:

In this attack basically, we do a brute force attack against the Kerberos protocol, in order to get the usernames and passwords of the users. You only need connectivity with the DC, no user-level privileges are required for this. However this attack can be led to blocking of the users, so you need to be careful while performing this attack.

Tool: Kerbrute

Command: python kerbrute.py -domain -users users_file -passwords password_file -dc-ip ip_of_the_DC

2.AS_REPRoast:

In the first step of authentication, we have seen that after doing the pre-authentication, KDC will reply to the TGT. But sometimes the DONT_REQ_PREAUTH flag is set in some users so that the KDC does not check for users passwords and will reply to any of the requests for TGT. So, in that case, we can request for TGT with a set of usernames and if by chance any user has that flag set then the KDC will reply with the TGT, AS_REP, which will contain the user hash. YOu only need connectivity with the KDC, no need for extra privileges are required.

Tool: impacket-GetNPUsers.py

Command: python GetNPUsers.py domain_name/ -dc-ip ip_of_the_DC -usersfile usernames -format hashcat -outputfile filename

3.Kerberoasting:

In step four, we have seen that the client will request the TGS in order to get access to the service account. The main goal of the kerberoasting is to get the TGS on behalf of any user so that the attacker can get the NTLM hash of the service account. You need user-level access which can request for TGS for kerberoasting to take place.

Tool: Imapacket-GetUserSPNs.py

Command:python GetUserSPNs.py domain_name/user_name:password -outputfile file_name

There are two more attacks against Kerberos, the Golden Ticket attack and the Silver Ticket attack, will talk in more detail later.

                                   Happy Hacking