Kerberos
General
3 Heads of Kerberos:
Client > TrustedServer/DC > Server
Ticket Flow
Ticket Flow
Example
Request TGT >
Apply for Drivers License >
< TGT + SessionKey
< Granted with Hologram
TGT + Request to TGS >
Request go to to ABC Store >
< ServiceTicket
< Approved w/ ABC Hash/Ticket
Auth to Service w/ServiceTicket >
Going to ABC Store >
3 Long-Term Keys
Client (me)
Target/Service key
KDC (from krbtgt acct)
Group Policy for TGT Encryption
Computer Config > Policy > Windows Settings > Security Settings
> Local Policy > Security Options Network Security: Configure enc types allowed for Kerb
Attack Flow
Find AD Accts with SPN (map between service and svc-acct)
Request RC4 service tickets from DC
Extract Service Tickets to file
Offline Brute Force
Kerberoasting Targets
MSSQL
AGPMServer (for GPO)
FIMService (Forefront Identity)
STS (Security Token Service VMWare)
Defenses:
Disable RC4 with GPO
Use AES instead
Managed Service Accounts (no pw to change)
Protected Users - pw kerberos keys arent in lsass mem
PAC validation
CredentialGuard - hash and kerb/keys cant be stolen
Services like: "sqlsvc" should not be Domain Admin
Kerberoasting
Other Method:
Powerview > Invoke-Kerberoast
Golden Ticket
Impacket:
secretsdump.py
wmiexec.py
lookupsid.py
ticketer.py
Get the nthash
Get the FQDN
Get the Domain SID
Create a golden ticket!
Abuse
The golden ticket - DO NOT EXECUTE !!!
After exporting the Administrator.ccache ticket file..
You can use any tool from the impacket suite like wmiexec or psexec with -k -no-pass
Mimikatz
Create a Golden Ticket with Mimikatz
Skeleton Key (mimikatz)
Sets up a special key for login as pw: mimikatz
Patches the LSA Process in Memory
Requires Admin rights and Debug Privs
Reboot to 'clear' the setup
DCSync (mimikatz)
Copies the "ntds.dit"
REF: NTDS
DCShadow
Similar to DCSync
Register myself as a DC
Uses replication, so almost invisible Logging
Mimikatz GT Lab
Last updated