Before starting with Kerberos we should know that “what is Active Directory?”
Organizations typically operate in a domain environment that is managed by Active Directory services. Active Directory is a database and a set of services that connect users with the network resources when they need to complete the work. The domain consists of computers, users, groups and other entities whose data is stored in the Active Directory. The database contains critical information of the environment. Active Directory also authenticates users accessing the domain. Active Directory makes life simple for the administrators and end users while enhancing security of organizations.
Important components of Active Directory
A domain is a network containing multiple entities such as computers, users, and groups that are governed by the policy of one central entity.
A tree is a collection of domains and sub-domains that share a parent child relationship.
A forest is the highest logical boundary level in a domain environment, consisting of several trees or a single domain.
Every entity in the domain environment is represented as an object. The objects are stored in the Active Directory according to this schema.
Kerberos is a built-in protocol used by Microsoft for domain environment authentication. Kerberos is built by trust, if once broken can be abused. Kerberos is a ticket based authentication protocol, that gives user access to services and resources in domain environment. Kerberos allows authentication by an unsecure network while it still allows clients to prove their identity in a secure manner.
Since Windows Server 2000, Kerberos is said to be the default authentication method in domain environment. Kerberos only work with Domain names as direct connections are done via IP with NTLM.
- KDC: Key Distribution Server (KDC) usually It is responsible for the authentication process using Kerberos.
- TGT: The Ticket Granting Ticket (TGT) is a certificate which is encrypted with the KDC private key and can only be decrypted by KDC. It is an alternative to password authentication.
- TGS: The Ticket Granting Server (TGS) is a certification server encrypted with the service provider private key. When a specific service requested then the private key of that service will be used for authentication.
- krbtgt: krbtgt stand for Kerberos service account. It is a special account that is used to create and sign TGTs.
What is kerberoasting??
- TGS is encrypted with the NT hash of the service account. A Kerberoasting attack performs brute-force to crack TGS and get the password of the service account. The owner of a service may be a computer that runs the service or a regular domain account.
1. Authentication Service – The client request TGT from KDC, KDC authenticates the client and provides a TGT signed with his own key.
2. TGT Storage – The client store TGT in a special place in the memory that will get erased if the user logs out. The client can request a new TGT if it is expired.
3. TGS Request – If the client needs a service or resources, he sends a request for the specific TGS for that service while authenticating with the TGT.
4. TGS Response – The KDC verifies that TGT was signed with the own key then generate a TGS which is signed with the service provider’s key. TGS is limited to one use only.
5. Service Request – The service provider verifies the key and authenticates the client without a user and a password.
It is a technique used to brute force the password of the ticket which was generated for a service running with the permission of a user account.
- Pass the Ticket:
It is a technique similar to pass the hash that uses stolen Kerberos ticket to authenticate with a service provider because tickets are not reauthenticated but they can be reused by malicious actors. It is a method of authenticating a system using Kerberos tickets without having access to the account’s password.
- Golden Ticket:
When the krbtgt account is compromised, an opponent can be used to create custom certificates that will be trusted if the details are completely bogus. Golden Tickets are more commonly used as backdoors into the systems.
- AS-REP Roasting:
AS-REP Roasting is an attack that abuses disabled pre-authentication settings for accounts that allow requiring an AS response to brute-force their passwords. AS-REP Roasting occurs when an Authentication Server can grant TGT to an account without the authentication set by default.
Two types of tickets
|Golden Ticket||Silver Ticket|
|Golden Tickets can be obtained for the domain using the (KDC) account.||Silver Tickets can be obtained for services that use Kerberos as an authentication mechanism.|
|The method uses krbtgt NTLM hash, which enables generation of TGTs for any account in Active Directory||They are used to generate tickets to access a particular resource of the system that hosts the service.|
|Once you get the access the Domain controller accepts the golden tickets for 10years.||Silver Tickets are less common because they require cracking service accounts.|