Professional Documents
Culture Documents
Active Directory Security Fundamentals
Active Directory Security Fundamentals
Kerberos
Scarred Monk on Oct 10, 2021
6 min
Kerberos
Kerberos is an authentication protocol which was initially developed at MIT and uses symmetric key
cryptography. To verify user identities, it requires trusted third-party authorization. Microsoft uses Kerberos as
the preferred authentication protocol in domain environments. Kerberos (or Cerberus) was the name of the
three-headed dog that guarded the entrance to Hades in Greek mythology and, here it just like its name, it
requires three entities to authenticate:
Components of Kerberos
Kerberos has the following components:
In this scenario, users are allowed to prove their identity to gain access to domain resources securely. Kerberos
uses tickets to allow users to be authenticated against a principal like a service. To request a ticket for an
service, you have to specify its Service Principal Name for example, HTTP/RDSWEB01. SPN is a unique
identifier of a service account.
TGT
TGT stands for “Ticket Granting Ticket”. A ticket-granting ticket (TGT) is a special ticket that permits the
client to obtain additional Kerberos tickets within the same Kerberos realm. When a client sends a request for a
ticket to the Key Distribution Center (KDC), the KDC creates a ticket-granting ticket (TGT) for the client,
(encrypts it using the client’s password as the key) and sends the encrypted TGT back to the client. The client
then attempts to decrypt the TGT, using its password. If the client successfully decrypts the TGT (i.e., if the
client gave the correct password), it keeps the decrypted TGT, which indicates proof of the client’s identity.
TGT permits the client to obtain additional tickets (like TGS) which gives permission for specific services.
TGS
TGS stands for “Ticket granting service”. TGS is a KDC component that issues a service ticket when a client
requests connection to a Kerberos service. Client needs to have a valid TGT, only then the TGS will be issued
to it.
Inter-Realm TGT
In case of authentication in inter-forest trusts, instead of encrypting with Domain1’s krbtgt account, a ticket is
encrypted/signed with the inter-realm trust key that the domains previously exchanged, which is called as an
“Inter-realm ticket-granting-ticket/TGT.” Then Domain2 verifies the TGT included in the referral, decrypts it
with the previously negotiated inter-realm trust key and proceeds further. An inter-realm TGT can be forged.
We’ll do that in coming posts. I’ll explain the Kerberos process in detail in the next posts when performing
kerberoasting.
Let’s say a client from Domain 1 wants to access the server located in Domain 2.
Client requests an authentication ticket (TGT) from the Key Distribution Center (KDC)
Key distribution server verifies the credentials and sends back an encrypted TGT and session key
TGT is stored by client and the local session manager will request another TGT when it expires.
When Client requires access to a service/resource on the network, below process is followed:
Client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource the
client wants to access
KDC verifies TGT of the client and also if client has access to the service
TGS sends a valid session key for the service to the client
Client forwards the session key to the service to prove it has access, and the service grants access.
PAC validation
In the above diagram, PAC validation is happening between the resource server and KDC. Let’s discuss more
about PAC validation. PAC (Privilege Attribute Certificate) represents an structure (included in almost all
tickets) which contains useful information like security identifiers, group membership, user profile
information, and password credentials. PAC is signed with the KDC key.
PAC validation is the process of validating the PAC of a user authenticating to a server against Active
Directory to make sure that it is valid. The server’s OS performs Kerberos PAC validation to protect from a
man in the middle attack tampering with the PAC structure to avoid forged PACs.
It can be enabled with the registry key ValidateKdcPacSignature found here: HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Control\Lsa\Kerberos\Parameters
“ValidateKdcPacSignature”=dword:00000001
When the value of this entry is 0, Kerberos does not perform PAC validation on a process that runs as a
service. When the value of this entry is 1, Kerberos performs PAC validation as usual. You have to restart the
computer after you modify this registry entry. When this entry is not present, the system behaves as if the entry
is present and has a value of 1. The default value in Windows Server 2008 for this entry is 0.
NTLM
NTLM stands for NT Lan Manager. It is a challenge-response authentication protocol. Before Kerberos,
Microsoft used NTLM for authentication. The target computer or domain controller challenges and checks the
password, and stores password hashes for continued use. It is still available for older clients and systems on a
workgroup.
NTLM relies on a challenge-response protocol to confirm the user without requiring them to submit a
password
When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that
instance, connects to the service, and presents the SPN for the service to authenticate.
SPN (servicePrincipalName) uniquely identifies a service account and it looks like below :
The most important reason for setting up an SPN is that it allows to identify your target Server hosting a
particular service on the network.
When we configure our Servers (hosting a service) to use Kerberos authentication for the clients to access that
service, there are a couple of prerequisites that must be met. First, the clients and servers must be joined to a
domain. If the server is from other domain, then a trust must be setup between the two domains. Secondly an
SPN must be successfully registered for the Server hosting the service so that it can be identified on the
network.
There are a few ways that we can check if the SPN has been registered successfully. If the server hosting the
service is running under a domain account (which is recommended) we can run the following command to see
the services that are registered.
How to set up SPN ❓
A Service Principal Name (SPN) is a name in Active Directory that a client uses to uniquely identify an
instance of a service. An SPN combines a service name with a computer and user account to form a type of
service ID. For Kerberos authentication (a protocol that authenticates client and server entities on a network) to
function, an SPN must be registered for each service account in the Active Directory.
Demo
We have a domain account SQLServiceAccount that we’ll be using as a service account. And we’ll register it
with a computer pretenting to be SQL server SQLServer Let’s register a SPN using below command:
Now, if we search for SPNs across the domain, we should be able to see it:
Or we can simply enumerate the Service Principal Name (SPNs) of service accounts through a LDAP queries
with the help of adsisearcher:
PS C:\> ([adsisearcher]'(servicePrincipalName=*)').FindAll()
Path Properties
---- ----------
LDAP://CN=RDSEDC01,OU=Domain Controllers,DC=rootdse,DC=lab {ridsetreferences, logoncount,
codepage, objectcategory...}
LDAP://CN=krbtgt,CN=Users,DC=rootdse,DC=lab {logoncount, codepage,
objectcategory, description...}
LDAP://CN=SQLServiceAccount,CN=Users,DC=rootdse,DC=lab {givenname, codepage,
objectcategory, dscorepropagationdata...}
Now that we can do see that the SPN is configured properly, let’s see how to do kerberoasting.
Kerberoasting
Before starting Kerberoasting, let’s dicuss a bit about how this attack actually works. Kerberoasting is one of
the popular AD Kerberos attacks which was persented in the talk of Tim Medin (Kerberoast Guy) at Derbycon
2014. In this attack, a service account’s credential hash is extracted from Active Directory and cracked offline.
We need to identify what accounts are kerberoastable and then as any authenticated user, we can the request
service tickets (TGS) for the target service accounts without sending any traffic to the target server on which
the service is running.
As you can see in the below diagram, kerberoasting is focussed on requesting TGS from KDC. Only the
highlighted steps 3 and 4 are involved in this attack.
Because of the above reasons, it is considered as a low hanging fruit since it is easily executed and if service
account is successfully compromised, high chances of escalating privileges in domain.
Mimikatz
PowerView
SharpView
Rubeus
I have written another blogpost on detecting possible kerberoasting attempts in the environment using AD
Decoys. Here is the link: Detecting LDAP enumeration and Bloodhound‘s Sharphound collector using AD
Decoys