Understanding Kerberos Authentication Protocol

Dec 5, 2024

Kerberos (I): How does Kerberos work? - Theory

Overview

  • Aim: Clarify how Kerberos functions, especially for pentesters.
  • This is the first post in a series focusing on Kerberos basics, attacks, and complex functionalities like delegation.

What is Kerberos?

  • An authentication protocol, not an authorization protocol.
  • It identifies users by means of a secret password; it does not decide which resources a user may access.
  • In Active Directory it also carries information about each user's privileges, which services use for their own access decisions.
  • Deciding whether a user may access a resource remains the responsibility of each individual service.

Kerberos Items

Transport Layer

  • Uses UDP or TCP as the transport; the transport carries data in cleartext, so Kerberos itself encrypts its messages.
  • Ports: UDP/88 and TCP/88 on the Key Distribution Center (KDC).

Agents in Kerberos

  • Client or User: Seeks service access.
  • Application Server (AP): Provides the required service.
  • Key Distribution Center (KDC): The main Kerberos service, which issues tickets; in Active Directory it runs on the Domain Controller.
  • Authentication Service (AS): The KDC component that issues Ticket Granting Tickets (TGTs).

Encryption Keys

  • KDC or krbtgt key: Derived from krbtgt account NTLM hash.
  • User Key: Derived from user NTLM hash.
  • Service Key: Derived from NTLM hash of service owner.
  • Session Key: Negotiated between user and KDC.
  • Service Session Key: Used between user and service.

Tickets

  • Ticket Granting Service (TGS): The ticket a user presents to authenticate against a specific service.
  • Ticket Granting Ticket (TGT): The ticket a user presents to the KDC to request TGSs.

Privilege Attribute Certificate (PAC)

  • Included within tickets to indicate the user's privileges.
  • Signed with the KDC key.
  • Services can ask the KDC to verify the PAC, although this is rarely done.

Messages

  • KRB_AS_REQ: Requests TGT from KDC.
  • KRB_AS_REP: Delivers TGT from KDC.
  • KRB_TGS_REQ: Requests TGS using TGT.
  • KRB_TGS_REP: Delivers TGS from KDC.
  • KRB_AP_REQ: Authenticates the user against a service using a TGS.
  • KRB_AP_REP: Optional; the service identifies itself to the user.
  • KRB_ERROR: Communicates errors.

Authentication Process

  1. KRB_AS_REQ: The user requests a TGT from the KDC.
    • Includes an encrypted timestamp, the username, the requested service SPN and a nonce.
  2. KRB_AS_REP: The KDC verifies the user and responds.
    • Provides the TGT, the session key, the expiration time and the PAC.
  3. KRB_TGS_REQ: The user requests a TGS from the KDC using the TGT.
  4. KRB_TGS_REP: The KDC returns the TGS, which contains the service session key.
  5. KRB_AP_REQ: The user authenticates to the service with the TGS.
    • If the user's privileges are sufficient, the service grants access.
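The five-step exchange above modelled end to end, as an added example rather than code from the original post: each ticket is sealed under one of the keys listed under Encryption Keys (krbtgt, service, user, session), so every party can open only what the protocol intends, a wrong password fails at pre-authentication in step 1, and the client never reads its own TGT. The `seal`/`unseal` functions and the secrets are constructed stand-ins for real Kerberos encryption types and NTLM/AES-derived keys.

```python
import hashlib, hmac, json, os, time

KRBTGT_KEY = hashlib.sha256(b"krbtgt-secret").digest()          # KDC (krbtgt) key, constructed
SERVICE_KEY = hashlib.sha256(b"svc-account-password").digest()  # service key, constructed
USER_KEY = hashlib.sha256(b"user-password").digest()            # user key, constructed

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption standing in for Kerberos etypes: only holders of `key` can read or forge it.
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def kdc_as(user: str, preauth: bytes):
    """KRB_AS_REQ -> KRB_AS_REP: the pre-auth timestamp must decrypt under the user key."""
    if abs(time.time() - unseal(USER_KEY, preauth)["ts"]) > 300:
        raise ValueError("pre-auth timestamp outside the allowed skew")
    sk = os.urandom(16).hex()                                       # session key
    tgt = seal(KRBTGT_KEY, {"user": user, "sk": sk, "pac": ["Domain Users"]})
    return tgt, seal(USER_KEY, {"sk": sk})                          # client learns sk, cannot read the TGT

def kdc_tgs(tgt: bytes, authenticator: bytes, spn: str):
    """KRB_TGS_REQ -> KRB_TGS_REP: TGT opens with the krbtgt key, authenticator with the session key."""
    t = unseal(KRBTGT_KEY, tgt)
    if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match TGT")
    ssk = os.urandom(16).hex()                                      # service session key
    tgs = seal(SERVICE_KEY, {"user": t["user"], "spn": spn, "ssk": ssk, "pac": t["pac"]})
    return tgs, seal(bytes.fromhex(t["sk"]), {"ssk": ssk})

def service_ap(tgs: bytes, authenticator: bytes):
    """KRB_AP_REQ: the service opens the TGS with its own key; the PAC says who the user is."""
    t = unseal(SERVICE_KEY, tgs)
    if unseal(bytes.fromhex(t["ssk"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match TGS")
    return t["user"], t["pac"]                                      # granting access is the service's decision

def client_login(user: str, password: str, spn: str):
    """Whole five-step flow from the client side; a wrong password fails at step 1."""
    key = hashlib.sha256(password.encode()).digest()
    tgt, enc = kdc_as(user, seal(key, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(key, enc)["sk"])
    tgs, enc2 = kdc_tgs(tgt, seal(sk, {"user": user, "ts": time.time()}), spn)
    ssk = bytes.fromhex(unseal(sk, enc2)["ssk"])
    return service_ap(tgs, seal(ssk, {"user": user, "ts": time.time()}))
```

Calling `client_login("alice", "user-password", "cifs/fileserver.example.local")` returns the user name and PAC the service sees; the same call with a wrong password raises at the KDC's pre-authentication check.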

Attacks on Kerberos

Overpass The Hash/Pass The Key (PTK)

  • Uses a user's hash (key) to request tickets and impersonate that user.
  • An attacker holding the user hash can access the services that user can reach.

Pass The Ticket (PTT)

  • Uses a user's stolen ticket to impersonate that user.
  • Requires both the ticket and its associated session key.

Golden Ticket and Silver Ticket

  • Golden Ticket: A forged TGT built with the krbtgt account NTLM hash.
  • Silver Ticket: The same idea applied to a TGS; requires the service key.

Kerberoasting

  • Cracks the passwords of user accounts that own services offline, using a TGS.
  • The TGS is encrypted with the service key, which is derived from the NTLM hash of the service owner account.

ASREPRoast

  • Cracks the passwords of accounts that have the DONT_REQ_PREAUTH flag set.
  • Without pre-authentication, the KDC returns a response encrypted with the user key, which can be cracked offline.

Conclusion

  • This post covered Kerberos authentication and attacks.
  • Future posts will detail practical attacks and delegation.