Exploitation - Kerberos tickets usage

Overview

Kerberos is an authentication protocol used within Active Directory that relies on tickets to identify users and grant access to domain resources. To do so, Kerberos implements two types of tickets, issued by two distinct services of the Key Distribution Center (KDC):

- Ticket-Granting Ticket (TGT), obtained from the Authentication Service (AS).
- Service tickets, obtained from the Ticket-Granting Service (TGS).

A valid TGT is necessary in order to request service tickets, which in turn grant access to service accounts (user or machine domain accounts that have a ServicePrincipalName (SPN)).
Overpass-the-hash / Pass the Key (PTK) are the actions of using, respectively, the NTLM hash or the Kerberos secrets (RC4 key, corresponding to the NTLM hash, or the AES 128/256 bits keys) of a user to request a Kerberos TGT.

Pass-the-ticket (PtT) is the action of directly using Kerberos tickets (TGTs or service tickets) without a request to the KDC. On Windows systems, the tickets can be directly injected in the current logon session, while on Linux systems Kerberos ticket files can be provided to utilities supporting Kerberos authentication.
Overpass-the-hash / Pass the Key (PTK)

Plaintext password to RC4 / AES keys

Knowledge of an account's Kerberos keys allows control over which ticket encryption type will be used by the KDC when overpassing-the-hash / passing the key. As AES is generally used by the KDC for legitimate Kerberos authentication (since Windows Server 2008), using the AES keys may help blend in with normal authentication traffic.

The ticket encryption type is logged in the Ticket Encryption Type field of the Windows Security events 4768: A Kerberos authentication ticket (TGT) was requested and 4769: A Kerberos service ticket was requested.

Note that the Kerberos RC4 key corresponds to the NTLM hash of an account.
The Ticket Encryption Type field may take the following values:

Value | Encryption type         | Note
0x1   | DES-CBC-CRC             | Disabled by default since Windows Server 2008 R2 / Windows 7.
0x3   | DES-CBC-MD5             | Disabled by default since Windows Server 2008 R2 / Windows 7.
0x11  | AES128-CTS-HMAC-SHA1-96 | Introduced in Windows Server 2008 / Windows Vista.
0x12  | AES256-CTS-HMAC-SHA1-96 | Introduced in Windows Server 2008 / Windows Vista.
0x17  | RC4-HMAC                | Default encryption type before Windows Server 2008 / Windows Vista.
0x18  | RC4-HMAC-EXP            | Default encryption type before Windows Server 2008 / Windows Vista.
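As an added example that is not part of the original notes, the following detection routine reads the Ticket Encryption Type of 4768 / 4769 records and flags every ticket that was not issued with AES, which is how an overpass-the-hash performed with the RC4 key stands out on a domain where the KDC normally issues AES tickets. The event records are constructed sample data using the EventData field names of the Windows events; the field values are invented.

```python
# Added example (not part of the original notes): flag TGT and service ticket
# requests whose logged Ticket Encryption Type is not AES, which is how an
# overpass-the-hash done with the RC4 key stands out on a domain whose KDC
# normally issues AES tickets. The records are constructed sample data.

ENCTYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
STRONG_ENCTYPES = {0x11, 0x12}

# Constructed sample events, shaped like the EventData fields of 4768 / 4769;
# the 4624 record is there to show that unrelated events are ignored.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"},
    {"EventID": 4768, "TargetUserName": "svc-backup", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"EventID": 4769, "TargetUserName": "svc-backup@CORP.LOCAL", "ServiceName": "cifs/fs01",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "ldap/dc01",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"EventID": 4624, "TargetUserName": "bob", "TicketEncryptionType": "-"},
]

def weak_enctype_findings(events):
    """Return one finding per 4768/4769 event whose ticket was not AES-encrypted."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in (4768, 4769):
            continue
        try:
            etype = int(ev["TicketEncryptionType"], 16)
        except (KeyError, ValueError):   # field missing or rendered as "-"
            continue
        if etype in STRONG_ENCTYPES:
            continue
        findings.append({
            "event_id": ev["EventID"],
            "account": ev["TargetUserName"].split("@")[0].lower(),
            "service": ev.get("ServiceName", ""),
            "enctype": ENCTYPE_NAMES.get(etype, "unknown(0x%x)" % etype),
            "source_ip": ev.get("IpAddress", ""),
        })
    return findings
```

A single account that shows up with an RC4 TGT followed by RC4 service tickets from the same source address, while the rest of the domain logs 0x12, is the pattern worth reviewing.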
The DSInternals PowerShell ConvertTo-NTHash and ConvertTo-KerberosKey cmdlets can be used to convert a plaintext password to, respectively, RC4 and AES128 / AES256 keys.

Additionally, Rubeus's asktgt module supports TGT requests using a password, and the encryption type can then be specified using the /enctype option.
TGT Kerberos tickets requests

Knowing any user's Kerberos secret.

Rubeus's asktgt module or Impacket's getTGT.py Python script can be used to request TGTs using a user's password, NTLM hash (equivalent to the Kerberos RC4 key), or Kerberos secrets.

If RC4_HMAC-MD5 is disabled at a domain level, requesting a Kerberos TGT will require either the account password or its AES128 or AES256 key. Trying to request a TGT using the RC4 key in such an environment will result in a KDC_ERR_ETYPE_NOTSUPP error.
Using the current user's security context.

A TGT can be retrieved for the current user using its security context, without the need to know the user's credentials.

This is possible due to the way Kerberos unconstrained delegations are implemented: the user must provide a TGT to the principal trusted for unconstrained delegation (such as the Domain Controller machine accounts). As the current user's TGT cannot be forwarded directly (as it may be linked to the current user's IP address), a forwardable (forwarded attribute set) TGT is requested by the client. This results in the client-side retrieval of an AP-REQ message containing a KRB_CRED structure with the TGT (encrypted with the key sent by the KDC for the session).

Rubeus's tgtdeleg or Kekeo's tgt::deleg modules can be used to conduct this technique and retrieve a TGT for the current user:

Automated ticket extraction from Rubeus output.

If needed, the retrieved Kerberos tickets can be automatically extracted from Rubeus output (for example from the tgtdeleg module) using the PowerShell script below:
Pass-the-ticket (PtT)

[Windows / Linux] Direct requests of service tickets

On Windows, Rubeus's asktgs module can be used to request service tickets using a valid TGT:

[Windows] Injection into the current session

Kerberos tickets, in the credential format KRB_CRED (KIRBI file), can be injected into the current logon session using mimikatz or Rubeus.

Both utilities leverage the Windows LsaCallAuthenticationPackage / KerbSubmitTicketMessage API and will overwrite the current logon session tickets.

Cobalt Strike's make_token and kerberos_ticket_use beacon commands may be used to inject tickets without overwriting the ones cached in the current logon session:

The Kerberos tickets cached in the current logon session can be listed using the Windows built-in klist utility, Rubeus's klist module, or mimikatz's kerberos::list command:
[Linux] Credential cache (ccache)

Kerberos tickets can be converted from the KRB_CRED format to the credential cache (ccache) format to be used with, among others, Impacket's Python utilities. If a TGT is provided, Impacket's utilities will try to obtain the necessary service tickets through requests to the KDC.

Note that Impacket's utilities can only make use of a single Kerberos ticket at a time, which limits the possible usage of the utilities with service tickets.

Refer to the [Windows] Lateral movements note for more information on how to leverage the Impacket suite for lateral movements in a Windows environment.

The klist utility from the krb5-user (Debian based distros) or krb5 package may be used to list the current tickets:
[Linux / Windows] Keytab

Keytabs are files that contain one or multiple key entries. Each entry is composed of a principal (Kerberos realm and account name) and an associated Kerberos secret (RC4 or AES 128 / 256 bits keys), stored encrypted. Keytab files can be used to request Kerberos tickets without the need to re-enter a password, and are thus particularly useful for service accounts interacting with a directory service from non-Windows systems. Keytab files can be retrieved, for example, from Linux systems with service accounts using the Kerberos protocol.

The keytabextract.py Python script can be used to extract and decrypt the Kerberos secrets, RC4 (corresponding to the NTLM hash) or AES keys, from a given keytab file:

Additionally, the kinit, ktutil and klist utilities from the krb5-user (Debian based distros) or krb5 package may be used to interact with keytab files. Note that a keytab file is fully independent of the computer it was created on, its filename, and its location in the file system.
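An added example, not part of the original notes nor of keytabextract.py, that parses a keytab in the MIT 0x0502 format and lists the principal, kvno and encryption type of each entry, flagging RC4 / DES ones, so that keytabs found on a host can be audited for weak enctypes without reading the key material. The keytab bytes are constructed inside the block from dummy keys; the build_entry helper and the principal names exist only to produce that sample.

```python
# Added example (not part of the original notes): list the entries of a keytab in
# MIT format 0x0502 (principal, kvno, encryption type) without reading the key
# bytes, so a keytab found on a host can be audited for RC4 / DES entries.
# The sample keytab at the bottom is constructed here with dummy key material.
import struct
ENCTYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
                 18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC", 24: "RC4-HMAC-EXP"}

def _counted(data, off):
    (n,) = struct.unpack_from(">H", data, off)   # uint16 length, then the bytes
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return one dict per live entry; weak=True flags a non-AES key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted entry
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # name_type, timestamp, 8-bit kvno, then keyblock: enctype, key length
        _nt, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen             # step over the key bytes without reading them
        vno = vno8
        if end - off >= 4:           # optional 32-bit kvno, used when non-zero
            vno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": ENCTYPE_NAMES.get(etype, str(etype)), "weak": etype not in (17, 18)})
        off = end
    return entries

def build_entry(realm, comps, etype, key, kvno=3):   # only builds the sample below
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(b"CORP.LOCAL", [b"svc-web"], 23, b"\x00" * 16)
                 + build_entry(b"CORP.LOCAL", [b"host", b"fs01.corp.local"], 18, b"\x11" * 32))
```

Run `parse_keytab(open(path, "rb").read())` on a real file to get the same inventory; an entry flagged weak means the account still has an RC4 or DES key provisioned.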
References

https://www.sstic.org/media/SSTIC2014/SSTIC-actes/secrets_dauthentification_pisode_ii__kerberos_cont/SSTIC2014-Article-secrets_dauthentification_pisode_ii__kerberos_contre-attaque-bordes_2.pdf
https://www.ssi.gouv.fr/uploads/IMG/pdf/Aurelien_Bordes_-Secrets_d_authentification_episode_II_Kerberos_contre-attaque--_planches.pdf
https://remivernier.com/index.php/2018/07/07/kerberos-exploration/
https://docs.microsoft.com/en-us/archive/blogs/openspecification/understanding-microsoft-kerberos-pac-validation
https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It.pdf
https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html
https://gist.github.com/HarmJ0y/dc379107cfb4aa7ef5c3ecbac0133a02
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
https://github.com/GhostPack/Rubeus
https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/ConvertTo-KerberosKey.md
https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/ConvertTo-NTHash.md