TIM MEDIN
@TimMedin tim@redsiege.com
Kerberos &
Attacks 101
slides: redsiege.com/kerb
@RedSiege
TIM MEDIN
Principal Consultant, Founder – Red Siege
SANS Author – 560
SANS Instructor – 560, 660
IANS Faculty
SANS MSISE Program Director
Pen Tester for more than a decade
DEFINE: KERBEROS
1. Protocol used for authentication in a Windows domain
   • There is a slight bastardization done with MS Kerberos as compared to the MIT Kerberos
2. Three-headed dog who guards the entrance to the underworld
   • Prevents the dead from escaping and the living from entering (seems fitting)
redsiege.com 4
KERBEROS
INTRODUCTION
In a Microsoft AD domain, the main authentication mechanism is Kerberos.
Kerberos is a network authentication protocol based on tickets. The protocol allows two parties (a client and a server, for example) to authenticate to each other over an insecure network channel, provided that both parties trust a third party: the Kerberos server!
The main components of a Kerberos transaction are:
• The KDC (Key Distribution Center)
• The client requesting access
• The service the client is attempting to obtain access to
While Kerberos is the preferred mechanism, Windows will revert to NTLMv2 if Kerberos is not available (unless explicitly disabled).
KERBEROS BASICS
Kerberos uses shared secrets for authentication
In a Windows domain there is only one, the NTLM hash
The password hash is used to encrypt everything in MS Kerberos
HOW IT WORKS
Before you can authenticate to anything you need a Ticket Granting Ticket (TGT)
TGT is only used with the KDC
Client: "I'm Tim, and I need to authenticate to something. Here is a request encrypted using my password hash."
KDC (Key Distribution Center, the Windows Domain Controller): "I can decrypt your communication using your NTLM hash. Here is a TGT encrypted with your NTLM hash."
AUTH TO SERVICE
TGT is used to request a ticket for a service
This is where the Golden Ticket attack rewrites the TGT (more later)
Client: "I need to authenticate to a service via Kerberos. Can I get a ticket for another service? Here is my TGT to verify my identity."
KDC (Key Distribution Center, the Windows Domain Controller): "Sure, here it is. I don't check if you have permissions on the target service. I leave that up to the service. I have enough to do."
AUTH TO SERVICE (CONT)
The server half of the ticket is sent to the remote system
If the server can decrypt it, it then checks* the PAC
PAC is signed with the service's key and krbtgt's key
Client: "Here is some stuff I can't read, but the KDC says this should verify me."
Member Server: "I can decrypt this ticket, and the HMAC signature using my hash as the key is good. I see your user info in this ticket, but before I authorize you I may* need to verify the details."
PAC
PRIVILEGE ATTRIBUTE CERTIFICATE
Contains all the relevant user information
SERVICE TICKET
There's more to the ticket, but these are the important parts
Server portion:
• User details
• Session Key (same as below)
• Encrypted with the service account's NTLM hash
SPN
SPN is the Service Principal Name, and is the mapping between service and account
Your system doesn't know (or need to know) the account running the service
The KDC does need this info so it can properly encrypt the server portion of the Service Ticket
Setspn.exe is used to map an AD account to a service
SPN
Client: "I need to talk to the mail server on cliff.medin.local"
KDC: "Before I can send a ticket, I need to encrypt it using the target service's hash"
KDC lookup of SPN to service account:
Service                      Account
MAIL/cliff.medin.local       mailsvc
HTTP/charlotte.medin.local   websvc
MSSQL/db01.medin.local       sqlengine
THREE LONG TERM KEYS
KDC long-term secret key (derived from krbtgt account password)
• The KDC long-term secret key is based on the infamous krbtgt service account
• Used to encrypt the TGT (AS-REP) and sign the PAC (AS-REP and TGS-REP)
Client long-term secret key (derived from client account password)
• The client long-term secret key is based on the computer or user account
• Used to check the encrypted timestamp (AS-REQ) and encrypt the session key (AS-REP)
Target (service) long-term secret key (derived from service account password)
• The target long-term secret key is based on the computer or service account
• Used to encrypt the service portion of the ST (TGS-REP) and sign the PAC (TGS-REP)
AS-REQ (WITH PRE-AUTH)
Client: sec560\erik, password Pa$$w0rd, rc4_hmac_md5 key 1A4B1757588CAB6298E29E91C06DF58D
Exchange with the KDC:
1. AS-REQ
2. AS-REP (returns the TGT)
3. TGS-REQ
4. TGS-REP (returns the ST / TGS)
5. Usage (against the File Server)
TGT - Encrypted using KDC LT key (krbtgt NT hash)
Start / End / MaxRenew: 05/12/2018 07:12:18 ; 05/12/2018 17:12:18 ; 12/12/2018 07:12:18
Service Name: krbtgt; sec560.private
Target Name: krbtgt; sec560.private.com
Client Name: erik; sec560.private
Flags: 40e10000
Session Key: 0x00000012eb212eb23ca12eb23c
Privilege Attribute Certificate (PAC):
Username: erik
SID: S-1-5-21-409 … <snip>
Groups: Administrators … <snip>
Signed using Target LT Key
45eb4124af9010bf13f…<snip>
Signed using KDC LT Key
Illustration inspired by "Abusing Microsoft Kerberos - Sorry you guys don't get it," Benjamin Delpy (Blackhat USA 2014)
TGT AND PAC
(Diagram: the same five-step exchange as the previous slide, with erik's AS-REQ / AS-REP producing the TGT)
AS-REQ with pre-authentication
• As a first step, the user will use his / her NT hash to encrypt a timestamp that is subsequently sent to the AS (Authentication Server), which is part of the Kerberos KDC (Key Distribution Center).
• The KDC attempts to decrypt the timestamp using the user's NT hash. If this is successful, a TGT (encrypted using krbtgt NTLM hash) and Client / TGS session key (encrypted using user password hash) are returned in the response.
ST (SERVICE TICKET)
(Diagram: the same five-step exchange; the ST (TGS) returned in step 4 is shown expanded)
Service Ticket (TGS)
Client Portion (encrypted using Client / TGS session key):
• Validity time of the ticket
• Session key
• …
Server Portion (encrypted using Target LT key):
Privilege Attribute Certificate (PAC)
Username: erik
SID: S-1-5-21-409 … <snip>
Signed w Target LT Key
Signed w KDC LT Key
Illustration inspired by "Abusing Microsoft Kerberos - Sorry you guys don't get it," Benjamin Delpy (Blackhat USA 2014)
PAC VALIDATION
(Diagram: the same five-step exchange)
A few more words on the PAC
• Whenever the target service receives the server portion of a Service Ticket (which it can decrypt using its "Target Long Term key"), it can read out the contents of the PAC. The PAC is not always validated:
  • For TGT - The PAC is only validated when the TGT is more than 20 minutes old
  • For TGS - The PAC is typically not validated for services on modern Windows
Illustration inspired by "Abusing Microsoft Kerberos - Sorry you guys don't get it," Benjamin Delpy (Blackhat USA 2014)
GOLDEN TICKET
A Golden Ticket is "nothing more" than a "special" TGT created by an attacker.
In order to create a valid TGT (with a valid PAC), we would require:
• The Target LT Key
• The KDC LT Key
In case of a TGT, these keys are identical (krbtgt). We would thus have to obtain the NTLM hash of the krbtgt account (RC4) or the AES key (AES)!
TICKET FLOW
When we would use a Golden Ticket, the first interaction is a TGS-REQ (request for a Service Ticket) using the forged TGT (the Golden Ticket). There is no prior credential submission or AS-REQ / AS-REP!
(Diagram: only steps 3. TGS-REQ, 4. TGS-REP (ST / TGS) and 5. Usage against the File Server take place; steps 1 and 2 never happen)
GOLDEN TICKET (TGT)
Start / End / MaxRenew: 05/12/2018 07:12:18 ; 05/12/2028 17:12:18 ; 12/12/2028 07:12:18
Service Name: krbtgt; sec560.private
Target Name: krbtgt; sec560.private
Client Name: domain.admin; sec560.private
Flags: 40e10000
Session Key: 0x00000012eb212eb23ca12eb23c
Privilege Attribute Certificate (PAC):
Username: DOMAIN.ADMIN
SID: S-1-5-21-409 … <snip>
Groups: Domain Admins … <snip>
Signed using Target LT Key
45eb4124af9010bf13f…<snip>
Signed using KDC LT Key
GOLDEN TICKET PROPERTIES
So what makes a Golden Ticket "special"?
• It's created *WITHOUT* any interaction with the DC (it's "homemade ☺"). This is possible because Kerberos is a "stateless" protocol (it thus does not keep track of all previously created TGTs).
• As discussed in the previous slide, though, it would require us to obtain the KDC Long Term key (which should not be easy to get!).
• It's typically a TGT for an administrative account (e.g. RID 500 in the domain or a Domain Administrator).
• It's typically valid for a long time (10 years by default).
GOLDEN TICKET CREATION
Golden Ticket - Step 1
Using Mimikatz, a golden ticket can be generated using the following information:
• KDC LT key (e.g. KRBTGT NTLM hash)
• Domain admin account name
• Domain name
• SID of domain admin account
All of these values can be obtained by any user in the domain, except for the KDC LT key!
GOLDEN TICKET CREATION
Golden Ticket - Step 2
In this second attack step, we can now re-inject the ticket into Windows memory, readying it for use when we attempt to access a service that relies on Kerberos authentication (e.g. accessing a Windows share).
Once a golden ticket is generated, the only way a company can mitigate the attack is to change the password of the krbtgt account twice (it has a hard-coded password history of 2, and the KDC will also attempt to validate a TGT with hashes in the password history!). This will, however, invalidate all tickets and could have production impact!
SKELETON KEY
Another AD persistence attack we would like to highlight is the Skeleton Key attack, which has also been added as a built-in module in Mimikatz. A skeleton key is a key that opens all the locks in a building. In the same way, a Skeleton Key can "unlock" all systems in the domain!
How does the "Skeleton Key" attack work?
• The Skeleton Key only works for Kerberos RC4 encryption;
• The Skeleton Key is a backdoor that runs on the Domain Controller (in memory) and allows a single password (the skeleton password) that can be used to log on to any account;
Technically, the Skeleton Key does this by manipulating the way the encrypted timestamp (AS-REQ) is validated. As a reminder: in RC4, the timestamp is encrypted using the NT hash of the user by the client, after which the domain controller attempts to decrypt the timestamp using the user NT hash. When the Skeleton Key is installed, the domain controller will attempt to decrypt the timestamp using the user's NT hash AND the skeleton key NT hash (mimikatz default: 60BA4FCADC466C7A033C178194C03DF6, which is password "mimikatz").
• As it runs in memory, it does not persist by itself (but can, of course, be scripted or persisted)
SKELETON KEY
Skeleton Key in action
In the screenshot on the left, we can observe Mimikatz installing a "skeleton key" backdoor on the domain controller.
Note the simplicity of the commands...
This will now allow anyone to authenticate as any user in the domain with the skeleton key password ("mimikatz").
KERBEROASTING
The ST from the TGS-REP is encrypted using the service account's password
This allows us to offline crack the service password
Guess service password -> hash -> attempt decryption -> repeat
All we need is tickets!
Remember, the KDC doesn't verify our permission to access the service, so we can request all the tickets!
REQUESTING TICKETS
The system doesn't have to be…
• Accessible
• Available
• Exist*
Client: "Here is my TGT. Can I get a ST for Sql01, Web01, Mail01, …"
KDC: "Sure thing! Your TGT looks good. The services will authorize you, not me. I can't keep track of all that."
EXTRACTION AND CRACKING
We need to extract or capture the tickets to crack them
Mimikatz supports this, but evasion can be a problem
Invoke-Mimikatz from PowerSploit and Empire
We can crack with John or Hashcat
(Tim wrote a cracker… it was horrible)
SILVER TICKET
Forged service ticket
Service tickets are encrypted and signed using the service account password
If we can get this hash (or password), we can create a new ticket
We bypass asking the KDC for a TGS
Similar to Golden Ticket, but the forgery is at a different step
SILVER TICKET
Silver Tickets are forged Service Tickets. While the "golden ticket" is a bit more infamous, Silver Tickets represent a serious risk: They do not require us to compromise the krbtgt account AND can be more subtle!
In a Silver Ticket attack, we forge a Service Ticket with a custom PAC (to escalate privileges). This Service Ticket is forged using the Target LT Key (e.g. the NTLM hash of the service).
As we don't have the KDC LT key, we cannot create a valid, complete, PAC signature. However, PAC validation is usually disabled, which means there is an opportunity!
(Diagram: the Service Ticket (TGS) structure from the ST slide)
Client Portion (encrypted using Client / TGS session key): validity time of the ticket, session key, …
Server Portion (encrypted using Target LT key): Privilege Attribute Certificate (PAC) with Username: erik, SID: S-1-5-21-409 … <snip>, Signed w Target LT Key, Signed w KDC LT Key
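The two PAC signatures described on the ST, PAC VALIDATION and SILVER TICKET slides can be modelled in a few lines. The following Python is an added example written for this edit, not code from the original deck, Red Siege or NVISO: HMAC-SHA256 stands in for the Kerberos checksum types, the keys and PAC fields are constructed, and the function names (`issue_service_ticket`, `ticket_without_kdc_key`, `kdc_pac_validator`, `service_accepts`) are hypothetical. It shows what a member server can check with its own key, how a ticket built with only the Target LT key looks to it, why turning PAC validation on is the control that catches that ticket, and (the GOLDEN TICKET slide's point) why validation cannot help once the krbtgt key itself is held, because for a TGT both signatures use that one key.

```python
"""Model of the ST server portion and its two PAC signatures: constructed example,
not Kerberos code. HMAC-SHA256 stands in for the Kerberos checksum types; the
server signature covers the PAC and the KDC signature covers the server signature,
which is the real PAC layout."""
import hashlib
import hmac
import json
import os


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _encode(pac: dict) -> bytes:
    return json.dumps(pac, sort_keys=True).encode()


def issue_service_ticket(kdc_key: bytes, service_key: bytes, pac: dict) -> dict:
    """Legitimate TGS-REP path, as the KDC builds the server portion of an ST:
    server signature keyed with the Target LT key, KDC signature keyed with the
    KDC LT key."""
    server_sig = _mac(service_key, _encode(pac))
    return {"pac": pac, "server_sig": server_sig, "kdc_sig": _mac(kdc_key, server_sig)}


def issue_tgt(kdc_key: bytes, pac: dict) -> dict:
    """For a TGT the target is krbtgt, so both signatures use the same key (the
    GOLDEN TICKET slide's point: Target LT key and KDC LT key coincide)."""
    return issue_service_ticket(kdc_key, kdc_key, pac)


def ticket_without_kdc_key(service_key: bytes, pac: dict) -> dict:
    """What a holder of only the Target LT key can produce: a correct server
    signature and a KDC signature it can only guess (random bytes here)."""
    return {"pac": pac, "server_sig": _mac(service_key, _encode(pac)), "kdc_sig": os.urandom(32)}


def kdc_pac_validator(kdc_key: bytes):
    """The call-back a service gets when PAC validation is on: the DC recomputes
    the KDC signature over the server signature."""
    def validate(server_sig: bytes, kdc_sig: bytes) -> bool:
        return hmac.compare_digest(_mac(kdc_key, server_sig), kdc_sig)
    return validate


def service_accepts(service_key: bytes, ticket: dict, validator=None) -> bool:
    """Member-server side. validator=None is PAC validation off (the usual case
    per the PAC VALIDATION slide): only the server signature is checked."""
    if not hmac.compare_digest(_mac(service_key, _encode(ticket["pac"])), ticket["server_sig"]):
        return False  # not sealed with this service's key, or PAC altered after signing
    if validator is None:
        return True
    return validator(ticket["server_sig"], ticket["kdc_sig"])


def demo() -> dict:
    # Constructed keys and PAC fields; the group RIDs are the ones listed on the demo slides.
    kdc_key = hashlib.sha256(b"krbtgt long-term key (constructed)").digest()
    sql_key = hashlib.sha256(b"sqlengine long-term key (constructed)").digest()
    pac = {"user": "erik", "sid": "S-1-5-21-409-CONSTRUCTED", "groups": [513]}
    elevated = dict(pac, groups=[512, 513, 518, 519])
    validate = kdc_pac_validator(kdc_key)
    legit = issue_service_ticket(kdc_key, sql_key, pac)
    no_kdc_key = ticket_without_kdc_key(sql_key, elevated)
    tgt = issue_tgt(kdc_key, elevated)
    return {
        "legit, validation off": service_accepts(sql_key, legit),
        "legit, validation on": service_accepts(sql_key, legit, validate),
        "no KDC key, validation off": service_accepts(sql_key, no_kdc_key),
        "no KDC key, validation on": service_accepts(sql_key, no_kdc_key, validate),
        "KDC key held, validation on": service_accepts(kdc_key, tgt, validate),
        "PAC edited after signing": service_accepts(sql_key, dict(legit, pac=elevated)),
    }
```

The `kdc_pac_validator` closure is the only step in the model that consults the KDC LT key, so it is the only step that can reject a ticket whose server signature is correct; with it absent, a service has no way to tell a KDC-issued PAC from one assembled with its own key.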
KERBEROAST & SILVER TICKET DEMO
Attacker is just a normal user, no admin rights
CRACKING TICKETS
Cracking…
• Use Hashcat mode 13100
• John can crack as well, but Hashcat is preferred
• Don't use my cracker
  • It sucks
  • It's slow
  • I get too many open tickets on GitHub
  • It was first, but it is slow and it sucks
hashcat64.exe -a 0 -m 13100 SPN.hash /wordlists/rockyou.txt
This is a simple example, not a Hashcat overview
KERBEROAST & SILVER TICKET DEMO
If the account is privileged, that's fantastic, but we can use it even if it isn't!
FORGING SILVER TICKET
kerberos::golden
/domain:medin.local
/sid:S-1-5-21-515111615-443038644-2980957688
/groups:513,512,520,518,519
/target:sql01.medin.local:1433
/service:MSSQLSvc
/ticket:sql01.medin.kirbi
/rc4:f2cddb01eb3bd8499f409dc938b6e2b7   (the service's password hash)
/id:1106
/user:tm
/ptt
KERBEROAST & SILVER TICKET DEMO
Let's fake my RID
• 1106 is "tm"
• 1159 is "bob"
kerberos::golden
...
/id:1059
/user:tm
KERBEROAST & SILVER TICKET DEMO
Let's fake my Groups
• 512 – Domain Admins
• 513 – Domain Users
• 518 – Schema Admins
• 519 – Enterprise Admins
klist purge
mimikatz.exe
kerberos::golden
...
/groups:512,513,518,519
/id:1106
/user:tm
TROLLMODE ON
Let's make stuff up…
klist purge
mimikatz.exe
kerberos::golden
...
/groups:512,513,518,519
/id:9999
/user:yourmom
PASS-THE-TICKET
Use existing ticket
Essentially, you are just re-using an existing good ticket
If you have access to a system, you can reuse that access
…or you can dump the ticket and reuse it
PASS-THE-TICKET
In a pass the ticket attack, access is gained to a resource of a system (for example the administrative share) by using a Kerberos ticket that was generated or obtained from a compromised machine (TGT or TGS)
PtT with Mimikatz
Pass-the-Ticket affects all Windows platforms relying on Kerberos. A good example of a tool that supports Pass-the-Ticket attacks is Mimikatz!
In the screenshot on the left, we can see Mimikatz in use on a compromised machine, where it is attempting to export & store available tickets.
PASS-THE-TICKET
After retrieving a TGT, it can be used to authenticate as an Administrative user.
OVER-PASS-THE-HASH
Works even if NTLM auth is disabled everywhere
Active Directory uses the NTLM hash as the key for Kerberos
If we have the hash (or password), we can still perform the AS-REQ
OVER-PASS-THE-HASH
(Diagram: LSASS (kerberos.dll) holds only the NT hash d44d5e0591cb0f6ecb6d6a86ec9a12da, which is used directly as the rc4_hmac_md5 key for 1. AS-REQ; the exchange then continues as normal: 2. AS-REP (TGT), 3. TGS-REQ, 4. TGS-REP (ST / TGS), 5. Usage against the File Server)
The diagram on this slide provides an overview of how Pass-the-Hash (PtH) can still be an issue even if NTLM is fully disabled in an environment!
In this case, we rely on rc4_hmac_md5 as the Kerberos encryption type and immediately use the NTLM hash (which is the Client LT Key), instead of entering the password!
Note that this attack would also work with AES!
Illustration inspired by "Abusing Microsoft Kerberos - Sorry you guys don't get it," Benjamin Delpy (Blackhat USA 2014)
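The KERBEROS BASICS and TGT AND PAC slides state that the NT hash is the client key, and this slide shows the consequence. The Python below is an added example for this edit, not code from the original deck, Red Siege or NVISO. It implements the real NT hash derivation (MD4 over the UTF-16LE password, written out because OpenSSL builds often disable MD4) and then models the pre-authentication step with HMAC-SHA256 standing in for the RC4-HMAC encrypted timestamp. The `KDC` class, `client_preauth`, `flag_rc4_preauth` and the account table are constructed; the one real value is the hash of "mimikatz" quoted on the SKELETON KEY slide, which the derivation reproduces.

```python
"""Why the NT hash is the Kerberos client key: constructed model, not Kerberos code.
nt_hash() is the real derivation (MD4 of the UTF-16LE password). The AS exchange
is simplified: HMAC-SHA256 over the timestamp stands in for the RC4-HMAC encrypted
timestamp, keeping the one property that matters here, that the KDC only ever
works with the key."""
import hashlib
import hmac
import struct
import time

RC4_HMAC = 23  # etype 0x17: the RC4 key IS the NT hash


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out because hashlib's MD4 is often disabled."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (hh, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                t = (a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """The NT hash as stored in AD and used as the Kerberos RC4 long-term key."""
    return md4(password.encode("utf-16-le")).hex()


def client_preauth(key_hex: str, timestamp: int) -> bytes:
    """Client half of pre-auth. Whether key_hex came from nt_hash(password) or
    was already in hand makes no difference to anything downstream."""
    return hmac.new(bytes.fromhex(key_hex), str(timestamp).encode(), hashlib.sha256).digest()


class KDC:
    """Toy Authentication Server: holds long-term keys, never passwords; logs like 4768."""

    def __init__(self, accounts: dict):
        self.accounts = accounts  # {sam: {"nt": hex NT hash, "supports_aes": bool}}
        self.log = []

    def as_req(self, sam: str, etype: int, timestamp: int, authenticator: bytes):
        key = bytes.fromhex(self.accounts[sam]["nt"])
        expected = hmac.new(key, str(timestamp).encode(), hashlib.sha256).digest()
        # 5 minutes is the default Kerberos clock-skew tolerance
        ok = hmac.compare_digest(expected, authenticator) and abs(time.time() - timestamp) < 300
        self.log.append({"event": 4768, "account": sam, "etype": etype, "success": ok})
        return "TGT sealed under the krbtgt key" if ok else None


def flag_rc4_preauth(log: list, accounts: dict) -> list:
    """Defender check: a successful RC4 (0x17) AS-REQ for an account that has AES
    keys is the signal a 4768 event gives for this technique."""
    return [e["account"] for e in log
            if e["event"] == 4768 and e["success"] and e["etype"] == RC4_HMAC
            and accounts[e["account"]]["supports_aes"]]


def demo():
    accounts = {"erik": {"nt": nt_hash("Pa$$w0rd"), "supports_aes": True}}  # constructed
    kdc = KDC(accounts)
    now = int(time.time())
    from_password = kdc.as_req("erik", RC4_HMAC, now, client_preauth(nt_hash("Pa$$w0rd"), now))
    from_hash_only = kdc.as_req("erik", RC4_HMAC, now, client_preauth(accounts["erik"]["nt"], now))
    wrong_key = kdc.as_req("erik", RC4_HMAC, now, client_preauth(nt_hash("not-it"), now))
    return from_password, from_hash_only, wrong_key, flag_rc4_preauth(kdc.log, accounts)
```

The defender's side of the model is the last function: the KDC cannot distinguish the two successful requests, because it only ever sees the key, so the practical signal is the encryption type recorded in the 4768 event (RC4, 0x17) for an account that has AES keys. The slide notes the attack also works with AES, in which case that signal is absent.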
WRAP-UP
When can we use each attack?
What are the defenses for each?
WHEN
Golden Ticket – Requires full domain compromise. Use for persistence and pivoting
Kerberoasting – Requires access as any user. Use to escalate and pivot
Silver Ticket – Requires service hash. Use for persistence and escalation
Pass-the-Ticket – Requires access as user. Use to pivot
Over-Pass-the-Hash – Requires access as user. Use to pivot
RECOMMENDED READING
https://posts.specterops.io/kerberoasting-revisited-d434351bd4d1
https://github.com/GhostPack/Rubeus
Anything by Sean Metcalf (adsecurity.org)
https://adsecurity.org/?p=2293
https://adsecurity.org/?p=2011
MONITORING IS KEY
Golden Ticket – Monitoring and don’t get pwned :) Requires rotation of krbtgt account password (be careful).
Kerberoasting – Monitoring, look for odd or too many ticket requests
Use Honey Tickets - https://adsecurity.org/?p=3458
Silver Ticket – Monitoring, missing TGS-REQ
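Two of the monitoring ideas on this slide ("too many ticket requests" for the KERBEROASTING slides, "missing TGS-REQ" for the SILVER TICKET slides) can be run over domain controller and member server events. The Python below is an added example for this edit, not code from the deck, Red Siege or NVISO. The event records are constructed to carry the fields used from Windows event 4769 (TGS-REQ on the DC: requesting account, service name, ticket encryption type) and 4624 with the Kerberos package (logon on the member server); the `SPN_OWNER` map plays the role of the SPN-to-account mapping from the SPN slide, and both detector functions and their thresholds are illustrative choices.

```python
"""Two detections from the MONITORING slide run over constructed event records
(not real logs). Each record mirrors the fields used from Windows event 4769
(TGS-REQ on a DC: requesting account, service name, ticket encryption type) and
4624 with the Kerberos package (logon on a member server)."""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed
    {"t": "2018-12-05T08:00:00", "host": "DC01", "id": 4769, "account": "erik@SEC560.PRIVATE", "service": "FS01$", "etype": "0x12"},
    {"t": "2018-12-05T08:00:03", "host": "FS01", "id": 4624, "account": "erik", "package": "Kerberos"},
    {"t": "2018-12-05T09:15:01", "host": "DC01", "id": 4769, "account": "tm@SEC560.PRIVATE", "service": "mailsvc", "etype": "0x17"},
    {"t": "2018-12-05T09:15:01", "host": "DC01", "id": 4769, "account": "tm@SEC560.PRIVATE", "service": "websvc", "etype": "0x17"},
    {"t": "2018-12-05T09:15:02", "host": "DC01", "id": 4769, "account": "tm@SEC560.PRIVATE", "service": "sqlengine", "etype": "0x17"},
    {"t": "2018-12-05T09:15:02", "host": "DC01", "id": 4769, "account": "tm@SEC560.PRIVATE", "service": "backupsvc", "etype": "0x17"},
    {"t": "2018-12-05T09:15:03", "host": "DC01", "id": 4769, "account": "tm@SEC560.PRIVATE", "service": "reportsvc", "etype": "0x17"},
    {"t": "2018-12-05T09:20:00", "host": "SQL01", "id": 4624, "account": "tm", "package": "Kerberos"},
    {"t": "2018-12-05T10:30:00", "host": "SQL01", "id": 4624, "account": "bob", "package": "Kerberos"},
]
# Which account owns the SPN each member server presents (constructed; cf. the SPN slide)
SPN_OWNER = {"FS01": "FS01$", "SQL01": "sqlengine"}


def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["t"])


def _user(name: str) -> str:
    return name.split("@")[0].lower()  # 4769 carries user@REALM, 4624 the bare name


def kerberoast_candidates(events, window=timedelta(minutes=5), min_distinct=5) -> dict:
    """Accounts that asked for STs to >= min_distinct different service accounts
    inside `window`. Computer-account SPNs (ending in $) and krbtgt are skipped
    because Kerberoasting goes after user-account SPNs; an RC4 (0x17) request is
    reported as a second signal."""
    requests = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["id"] == 4769 and not e["service"].endswith("$") and e["service"].lower() != "krbtgt":
            requests[_user(e["account"])].append((_ts(e), e["service"].lower(), e["etype"]))
    hits = {}
    for account, rows in requests.items():
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            services = {r[1] for r in in_window}
            if len(services) >= min_distinct:
                hits[account] = {"spns": sorted(services), "rc4": any(r[2] == "0x17" for r in in_window)}
                break
    return hits


def logons_without_tgs_req(events, spn_owner, lifetime=timedelta(hours=10)) -> list:
    """Kerberos logons on member servers with no 4769 on any DC for that user and
    that server's service account within `lifetime` before the logon. A forged ST
    never needed a TGS-REQ, so it has nothing to pair with."""
    issued = [(_ts(e), _user(e["account"]), e["service"].lower()) for e in events if e["id"] == 4769]
    missing = []
    for e in events:
        if e["id"] != 4624 or e.get("package") != "Kerberos":
            continue
        when, user, service = _ts(e), _user(e["account"]), spn_owner[e["host"]].lower()
        paired = any(u == user and s == service and timedelta(0) <= when - t <= lifetime
                     for t, u, s in issued)
        if not paired:
            missing.append((e["host"], user, e["t"]))
    return missing
```

The missing-TGS-REQ rule only works if every DC's 4769 events are collected, since any of them may have issued the ticket, and the look-back has to cover the ticket lifetime (10 hours by default) because a cached ST is reused without a new request. In the constructed data, erik's logon pairs with a request seconds earlier and tm's pairs with the request that was part of the burst, so only bob's logon on SQL01 is reported; the burst itself is what the Kerberoast rule reports, one account naming many services within seconds, with the RC4 encryption type as a second signal because RC4 tickets are the ones that crack fastest.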
Special Thanks to Erik Van Buggenhout and NVISO for portions of some of the slides
@ErikVaBu
evanbuggenhout@nviso.be
@NVISOsecurity
Co-author of SANS 560: Network Penetration Testing and Ethical Hacking