
Kerberoastv 4

The document discusses various methods of attacking the Kerberos authentication protocol, highlighting vulnerabilities such as ticket rewriting and the use of tools like Kerberoast and Mimikatz. It emphasizes the ease with which attackers can compromise services by exploiting these vulnerabilities. The presentation includes diagrams and examples to illustrate the attack vectors and their implications for security.

Uploaded by: aziz jeribi

Attacking Kerberos: Kicking the Guard Dog of Hades – ©Tim Medin - @timmedin - tim@redsiege.com
Code: https://github.com/nidem/kerberoast
Slides: https://redsiege.com/kerberoast-slides
Level of Access (diagram, lowest to highest):

No Access
Initial Compromise: Kerberoast Cracking
Ticket Rewriting: Kerberoast/Mimikatz
Full Domain Compromise: Golden Ticket
User: "I'm Tim, and I need to authenticate to something. Here is a request encrypted using my password hash."

KDC: "I can decrypt your communication using your NTLM hash. Here is a TGT encrypted with your NTLM hash."

KDC = Key Distribution Center (Windows Domain Controller)

User: "I need to authenticate to a service via Kerberos. Can I get a ticket for another service? Here is my TGT to verify my identity."

KDC: "Sure, here it is. I don't check if you have permissions on the target service. I leave that up to the service. I have enough to do."

KDC = Key Distribution Center (Windows Domain Controller)

User: "Here is some stuff I can't read, but the KDC says this should verify me."

Other Server: "I can decrypt this ticket, and the HMAC signature using my hash as the key is good. I see your user info in this ticket, but before I authorize you I may* need to verify the details."

User: "I need to talk to the mail server on cliff.medin.local."

KDC: "Before I can send a ticket I need to encrypt it using the target server's hash."

SPN (service principal name) to service account mapping the KDC consults:

SPN                          Service Account
MAIL/cliff.medin.local       mailsvc
HTTP/charlotte.medin.local   websvc
MSSQL/db01.medin.local       sqlengine

User: "Here is my TGT. Can I get a ST (service ticket) for Sql01, Web01, Mail01?"

KDC: "Sure thing! Your TGT looks good. The services will authorize you, not me. I can't keep track of all that."
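The exchange above is the signal a defender can look for: the KDC issues a service ticket for any SPN a valid TGT asks for, so one account pulling tickets for many user-backed service accounts in a short window, especially RC4-encrypted ones (etype 0x17, the cheapest to crack offline), stands out in Windows Security event 4769. The following is an added example, not code from the slides or from the kerberoast project; it uses a simplified one-line-per-event layout and constructed sample records, not the real 4769 XML, and the window and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 (Kerberos service ticket requested),
# reduced to the fields that matter for this check; not real log data.
SAMPLE_4769 = [
    "2024-05-01T09:00:01 user=tim@MEDIN.LOCAL service=mailsvc etype=0x17 ip=10.0.0.5",
    "2024-05-01T09:00:02 user=tim@MEDIN.LOCAL service=websvc etype=0x17 ip=10.0.0.5",
    "2024-05-01T09:00:02 user=tim@MEDIN.LOCAL service=sqlengine etype=0x17 ip=10.0.0.5",
    "2024-05-01T09:00:03 user=tim@MEDIN.LOCAL service=krbtgt etype=0x12 ip=10.0.0.5",
    "2024-05-01T09:05:00 user=alice@MEDIN.LOCAL service=mailsvc etype=0x12 ip=10.0.0.9",
    "2024-05-01T09:30:00 user=bob@MEDIN.LOCAL service=CHARLOTTE$ etype=0x12 ip=10.0.0.7",
]

RC4_HMAC = 0x17  # ticket encryption type derived directly from the NTLM hash

def parse_4769(line):
    """Parse one constructed event line into a dict (timestamp, user, service, etype, ip)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"time": datetime.fromisoformat(ts), "user": fields["user"],
            "service": fields["service"], "etype": int(fields["etype"], 16),
            "ip": fields["ip"]}

def is_user_service_account(service):
    # Computer accounts (trailing '$') and krbtgt have long random keys, so
    # tickets for them are not realistic offline-cracking targets; skip them.
    return not service.endswith("$") and service.lower() != "krbtgt"

def find_kerberoast_bursts(lines, window=timedelta(minutes=2), min_services=3):
    """Return {user: sorted services} for accounts that requested RC4 service
    tickets for at least min_services distinct user-backed accounts within window."""
    events = sorted((parse_4769(l) for l in lines), key=lambda e: e["time"])
    by_user = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC and is_user_service_account(e["service"]):
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            # sliding window anchored at each request; stop at the first burst
            in_window = {e["service"] for e in evs[i:]
                         if e["time"] - start["time"] <= window}
            if len(in_window) >= min_services:
                hits[user] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    print(find_kerberoast_bursts(SAMPLE_4769))
```

The ticket count and window are tuning knobs; the durable fix is strong, rotated service account passwords (or group Managed Service Accounts) and AES-only service accounts, since the KDC itself will keep issuing tickets as the slides describe.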
Service's Hash

Inject Straight into RAM (hidden feature)

