Kerberos

Kerberos is a computer network authentication protocol that verifies the identities of users or hosts.

What is Kerberos

Kerberos is an authentication protocol, not authorization. So it only identified users who provide a password, but it does not validate to which resources or services this user has access. Once authenticated is can access services. This access is based on tickets, that expire over time.

Kerberos uses UDP or TCP, which sends data in cleartext. Kerberos is responsible for providing encryption and uses ports: UDP/88 and TCP/88.

Tickets

Kerberos works with using tickets. Those tickets are delivered to users to perform serveral actions.

TGS or Ticket Granting Service, used to authenticate against a service, encrypted with service key.
TGT or Ticket Granting Ticket, is presented to KDC to request tickets or TGSs and is encrypted with KDC key.

https://www.tarlogic.com/blog/how-kerberos-works/

Authentication proces

AS_REQ

The user logs on send authenticator, their password is converted to an NTLM hash, which is used to encrypt the TGT ticket. Using current timestamp and cleartexst username. Also called pre-authentication, is not mandatory but enabled by default.

AS_REP

KDC generates temporary session key which is used for further exhanges. It will wait for the TGT user requested and contains user info and copy session key which is now protected by the user’s key.

TGS_REQ

User received response with TGT protected by KDC’s key and session key. Next step is to request a Service Ticket (ST) or TGS ticket with a TGS-REQ message. In this request it contains the name of the service which is the Service Principal Name or SPN. The TGT they just received and the authenticator.

TGS_REP

The KDC will verify the TGS request by checking the session key in the TGT. After validation the TGS-REP message is send with a new session key for exchanges between the user and a service. TGS contains name of service, user info from TGT, copy session key.

AP_REQ

The user decrypts user/service sessions key from the TGS-REP which they can read, unlike the TGS ticket which is encrypted with service secret key. To acces the service it sends the TGS and authenticator which is done by the service using the user/service session key.

AP-REP

Service receives TGS Ticket and authenticator encrypted with users/service session key. A copy of user/service session key is found in the TGS ticket for the service to validate the authenticator with the session key. Service can then read info about user, group memberships and if authentication is succesfull the response is a AP-REP message with ecrypted timestap of extraced session key.

Or in 3 phases:

TGT Request

Authentication Service (AS)

TGS Request

Ticket-Granting Service (TGS)

Service Request

Application Request (AP)

The double hop problem

If you login to a webserver or SERVER A credentials are authenticated but if that SERVER A needs to acces a database on SERVER B on your behalf it cannot forward them to SERVER B without the right configuration. This can occur working with Evil-WinRM.

Kerberoasting

Attack againt service accounts that allows offline password cracking. It needs a valid domain user account and password. A SPN is added when a service registered, its an alias to AD account. Service accounts are utilized with these SPNs but its common to see them tied to User Accounts.

SPN is for example service/hostname_or_FQDN. It could be a web server, network share, SMB or printing service. It identifies services on a network.

A TGS or Service Ticket requested for all available service is encrypted with a service account’s secret key but these are usually 120 chars random passwords, practically impossible to bruteforce. However sometimes there are services executed by user accounts, user accounts passwords are set by humans and more likely to be cracked. SPN accounts use RC4 encryption, but AES is also possible.

Finding user accounts with SPN

Looking for user accounts exposing a service and thus has a SPN. Either using an ldap filter in a powershell script:

Or using powerview

Import-Module .\PowerView.ps1
Get-DomainUser -SPN

Kerberoasting without account password

# Rubeus attack with /nopreauth
Rubeus.exe kerberoast /nopreauth:john.doe /domain:zencorp.local /spn:MSSQLSvc/SQL01:1433 /nowrap

Kerberos Delegations

Kerberos allows a user to authenticate to a services and use it. Kerberos delegation enables that service to authenticate to another services as that user.

Unconstrained Delegation: Allows a service to impersonate a user when accessing another service which is very dangerous. An administrator with SeEnableDelegationPrivilege can set this on a account, a service account cannot modify itself to add this option.
Constrained Delegation: Here the service has the right to impersonate to a user based on a list of services like a Webserver can only relay authentication to DB Server for SQL/HOST/CFS.
Resource-Based Constrained Delegation: This delegation is based on resource level, any account on a rusted list has the right to delegate authentication to access the resource. The resource has the right to modify its trusted list. Any service account can modify the trusted list to allow account to delegate authentication to themselves.

Type

Description

Mechanism

Unconstrained Delegation

Allows a service to request access to any other service on behalf of the user.

Service can request access to any service on behalf of user

Constrained Delegation

Limits the services a delegate can request access to on behalf of the user.

Limited to pre-configured service list and uses (S4U2Proxy)

Resource-Based Constrained Delegation

Allows the resource owner to control which services can delegate access to it.

Resource decides which accounts can delegate to it.

S4U2Proxy

Kerberos extension that allows a service to impersonate a user when requesting acces to another resource. S4U2Proxy is used for delegation, where a service acts on behalf of a user.

Service A has a TGS ticket for user X,
Service A need to acces other resource service B on behalf of user X.
Service A sends request to DC, includes copy user X TGS ticket.
DC check if service A has right to delegate user X credentials to service B.
Service A plus User X have valid ticket for service B.

S4U2Self

When a user authenticates using NTLM, not kerberos it doesn’t get a TGS ticket and so the S4U2Proxy can’t act on behalf. S4U2Self is kerberos extension that allows the service to request a TGS ticket for itself on behalf of the user.

User authenticates using NTLM.
Services requests a TGS Ticket (S4U2Self)
Services uses S4U2Proxy

Printer Bug

Printer Bug is a vulnerability in the MS-RPRN protocol which is used for managing print jobs and printers. This bug can trick a server into authenticating to another machine over SMB.

Using printer bug, force a server like DC to a machine attacker controls. It happens by connecting to print service using MS-RPRN methods.
That server sends TGT or ST to attackers machine. If its DC contains full domain admin privileges.
Full acces for DCSynce and such.

Unconstrained Delegation – Users

Need to compromise an account with TRUSTED_FOR_DELEGATION and GenericWrite to update its SPN list.

Create a fake DNS record that points to attacker’s machine. DNS record will be a fake computer in the AD.
Assign the CIFS SPN (CIFS/our_dns_record) to a compromised account.
When a victim tries to connect to the fake computer (eg SMB). It will ship a copy of its TGT in its TGS ticket
This TGS ticket will be sent to attacker IP which was sset in DNS record. We can then extract the TGT and use it.

Constrained Delegation

Unlike unconstrained, constrained delegation acts on behalf of users but only to specific services that have been allowed. Its more secure and restrictive. For a example a user logging in to a financial application where the backend database server applies permissions instead of the account permissions .

A service account needs Kerberos-constrained delegation enabled so a user’s ticket is used to acces a database.

A TGS Ticket contains an unencrypted part which contains the SPN of the request service. This can be modified and the request will still be valid. In constrained delegation. Using S4U2Proxy we can obtain valid TGS tickets on behalf of users. This way we a valid TGS ticket is obtained for a SPN which is for a service account.

If a service account exposes serval services, its possible to modify the SPN to access a different service like CIFS or SPOOLER.

Impersonate any user

If the constrained delegation allows protocol transition we can impersonate to be anyone. Using S4U2Self which allows a service to obtain a forwardable service ticket to itself on behalf of any user.

Resource-based constrained delegation (RBCD)

RBCD is delegation based allowing delegation settigns to be configured on the target service instead of the service account being used to access resources.

In RBCD, delegation settings are managed on the backend service (the target service that resources are being accessed from.
Instead of an allowed list of SPNs, RBCD relies on security descriptors, which define permissions for specific users or services to act on behalf of other users.
The msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the backend service holds the security descriptor which lists which services are allowed to request tickets for a user.
KDC checks the attribute, if it matches the KDC grants access.

Silver Ticket

Every machine account has an NTLM hash, the hash of the computer represented as SYSTEM$. The NTLM hash acts as a pre-shared key or PSK between domain and workstations. The PSK is used to sign TGS. This ticket is less powerfull than Golden as it can only access that single machine.

Compromise a Service Account by gettings its NTLM hash or encryption key.
With knowledge of secret create a fake PAC, claiming to be a domain admin.
Encrypt the forged ticket with the stolen service account secret.
The service will accept the forged TGS ticket because it can decrypt it using its own password and will read contents of PAC.

To forge a silver ticket you need: NTLM password for Service account or Machine account, SID of domain, target host, SPN, arbitrary username and group information.

Sacrificial Processes

A pass the ticket attack does not touch LSASS which is Sekurlsa::LogonPasswords. When attacking kerberos a failure to create a sacrificial process can result in taking down a service. This happens because of overwiting an existing logon session and require a service restart or machine reboot when it loses its ticket.

A Sacrificial Process creates a new Logon Session, isolating manipulated tickets and preventing impact on critical sessions, so its safer than causing outage.

Experimenting with Kerberos Ticket Formats

Extracting Kerberos tickets with Rubeus and utilizing them in various formats

On recent pentests, I’ve been attempting to leverage unconstrained Kerberos delegation and stolen Kerberos tickets more. This is one of those privilege escalation methods that can fly under the radar – you might not need it to get the job done, but under the right conditions it might provide exactly what you’re looking for. One of the things I found most confusing when starting with stolen TGTs (ticket-granting-tickets) was the different formats you can prepare the tickets in for usage with various offensive tools. This post will cover how you can use tickets snatched with Rubeus with different tools like Impacket, CrackMapExec, Mimikatz and Rubeus itself.

Stealing a Ticket

First off, we need to obtain a ticket before we can play around with formatting. In the test lab, I’ve got a Windows 10 system configured for unconstrained Kerberos delegation:

Delegation setting

Assuming that we’ve already compromised an account with local admin rights to the target, I’ll use Rubeus to extract tickets from memory. This can be done with the monitor command:

Rubeus.exe monitor /interval:1

It may be sufficient to just wait and see what privileged or high-interest users/computers authenticate to our compromised host, or it may be possible to force a sensitive system to authenticate through the printerbug. In this case, I’ve just waited until a domain admin, vizimir, has logged in and pulled their TGT:

Vizimir TGT

Now that we’ve got a ticket, we can explore the various tools that can utilize them and the various ticket formats.

Rubeus (base64 or .kirbi)

We’ll start with the easiest one. Rubeus can import a TGT to the current logon session from either a base64 string or a .kirbi file. We’ll stick with base64 since it’s the most straightforward and also the format in which Rubeus initially presents the ticket to us.

Before we start, let’s verify that our current logon session (as REDANIA\dijkstra) can’t access C$ on the domain controller:

DC Fail

Great, so if we successfully import a Domain Admin’s TGT to our session, we should then be able list folders on the DC.

This is pretty simple with Rubues – all we have to do is supply the base64 ticket to the ptt command:

Rubeus.exe ptt /ticket:<base64 blob>

ptt

We can then use the klist command to verify the ticket has been imported to our session:

Rubeus.exe klist

klist

And there we can see the ticket for vizimir successfully imported to our session. Now if we try accessing C$ on the domain controller again, we see it’s successful!

ptt

This is a simple test of the new privileges, but we could also use tools like PsExec to remotely execute commands now.

One thing to note with utilizing Kerberos authentication is that Kerberos relies on domain names and DNS entries. If we rerun the dir command and target a host by IP address, NTLM authentication will be used and we’ll be back at access denied:

IP Fail

Mimikatz (.kirbi)

Mimikatz can import Kerberos tickets to the current session in the form of .kirbi files. Before starting, we’ll again verify we don’t have rights on the domain controller:

DC Fail

We can use a PowerShell oneliner to write the base64 ticket grabbed with Rubeus out to a file:

[IO.File]::WriteAllBytes("C:\output.kirbi", [Convert]::FromBase64String("<base64 blob>"))

Write Kirbi

Boot up Mimikatz and import the ticket:

kerberos::ptt <path to kirbi file>

Import Kirbi

To test if it worked, we’ll start a new command prompt with misc::cmd and verify we can access the DC:

DC Access

W00t! While we’re here in Mimikatz, we should also be able to perform a dcsync attack:

DCSync

Impacket and CrackMapExec (.ccache)

This is by far my preferred method for using a stolen ticket, but it’s also the one with the most formatting steps. We need to get the base64 ticket into a .ccache file. We can do this by converting from a .kirbi file, using Impacket’s ticketConverter.py.

First, format the base64 ticket to remove line breaks, spaces, etc. and then decode it with the base64 command, writing the output to a kirbi file:

Grab the last Base64 encoded ticket and use it in our local machine to get a shell on the DC as Administrator. So copy this value and paste it into a file called: ticket.kirbi.b64

Before pasting the value in the file remove all the white spaces: https://www.browserling.com/tools/remove-all-whitespace

Next, create another file ticket.kirbi with the Base64 decoded value:

base64 -d ticket.kirbi.b64 > ticket.kirbi

Now, we can convert this ticket to a format that Impacket can use:

ticketConverter.py ticket.kirbi ticket.ccache

If you don’t have Impacket installed: python3 -m pipx install impacket

pipx is a tool where you can install python tools isolated: sudo apt install pipx -y

Now you can run the command with ticketConverter.py

Now, to get a shell we can use Impackets psexec.py :

KRB5CCNAME=ticket.ccache psexec.py support.htb/administrator@dc.support.htb -k -no-pass

base64 -d <base64 ticket file> > <output .kirbi> 

Convert to Kirbi

Convert to .ccache using Impacket:

python3 ticketConverter.py <input kirbi file> <output ccache file>

Convert to ccache

Now that the ticket is in the right format, we’re almost ready to use it. We just need to export the KRB5CCNAME variable and set it to the path of our .ccache file:

export KRB5CCNAME=/path/to/ticket.ccache

Export KRB5CCNAME

Setup complete! Impacket and CrackMapExec have a -k flag specifying to use Kerberos authentication. This will draw from the KRB5CCNAME variable we set. Let’s verify we can access the DC:

CME

Wmiexec

Again, be careful to use DNS names since using IP addresses will fail:

IP Fail