Kerberos

Kerberos Three Head Dog

Overview

Kerberos is a robust and widely adopted authentication service employed as the default mechanism for securing Microsoft Windows domains. Developed with the goal of enhancing security compared to NTLM, Kerberos leverages third-party ticket authorization and employs stronger encryption techniques. The primary goal of Kerberos is to enable secure authentication over an insecure network by using cryptographic techniques.

What is the difference between Kerberos and NTLM?

Before the introduction of Kerberos, Microsoft utilized an authentication technology known as NTLM, which stands for New Technology LAN Manager. NTLM is a challenge-response authentication protocol. In this protocol, the target computer or domain controller presents a challenge to authenticate the user and verifies the password by storing password hashes for future use.

The key distinction between Kerberos and NTLM lies in the inclusion of third-party verification and stronger encryption capabilities in Kerberos. This additional step in the authentication process significantly enhances the security provided by Kerberos compared to NTLM.

Kerberos Entities

In a Kerberos-based authentication process, there are three main entities are involved:

1. Client

The client refers to the computing entity within the Active Directory network that seeks to obtain access to services or resources available within the AD network. It serves as an endpoint device or computer system that interacts with the AD infrastructure for the purpose of requesting and utilizing network services.

2. Key Distribution Center (KDC)

A trusted third-party server that acts as the authentication server in the Kerberos protocol. It consists of two components: the Authentication Server (AS) and the Ticket Granting Server (TGS).

• Authentication Server (AS): Handles initial authentication requests in which they verify the user and issue the Ticket Granting Ticket (TGT) to the client.

• Ticket Granting Ticket (TGT): The TGT serves as proof of the client's identity and acts as a credential that allows the client to request additional service tickets without needing to re-authenticate for each service individually.

• Ticket Granting Service (TGS): When a client wants to access a particular service, it presents its Ticket Granting Ticket (TGT) to the TGS. The TGS verifies the TGT's authenticity and checks the client's authorization to access the requested service. If the client is authorized, the TGS generates a Service Ticket (ST) for that specific service.

3. Services

The services in the Active Directory (AD) directory refer to server instances, such as SMB (Server Message Block), SQL (Structured Query Language), and various other services, that are responsible for delivering specific functionalities within the AD network. These services play a crucial role in providing diverse features and capabilities to clients and users in the AD environment.

Authentication Process

The Kerberos authentication process generally involves the following steps:

Authentication

• The client sends a request to the Authentication Server, providing its identity (username) to initiate the authentication process.

• The Authentication Server verifies the client's identity, generates a TGT, and encrypts it using the client's password or a shared secret key.

• The client receives the TGT, decrypts it using its password, and stores it securely.

Ticket-Granting

• When the client wants to access a specific service, it sends a request to the TGS, providing the TGT received from the AS and the name of the desired service.

• The TGS verifies the TGT and issues a Service Ticket (ST), encrypted with the service's secret key.

Service Authentication

• The client presents the ST to the service it wants to access.

• The service decrypts the ST using its secret key and verifies the client's identity.

• If the verification is successful, the service grants access to the client.

Kerberos Authentication process

Kerberos is a little harder to understand and I miss lots of things there to keep it simple but I encourage readers to research as much as they can until they fully understand the process. Wikipedia has a great resource but at the same time, it is a little complex you can check out: Kerberos Wikipedia.

Kerberos itself is a well-designed and widely used authentication protocol that provides strong security when properly implemented and configured. However, like any complex system, it can have vulnerabilities or misconfigurations that can be exploited.

Kerberos Attacks

There are several attacks that can be performed on Kerberos. Here are some common attacks targeting Kerberos:

1. Kerberos Pre-Authentication Brute Force Attack:

   • Attempt to guess the username and account's password information by repeatedly sending authentication requests without providing pre-authentication data. This can be effective against weak passwords.

2. Kerberoasting:

   • Exploit weak service account passwords by requesting and cracking their Kerberos Service Tickets (TGS) offline.

   • Retrieve encrypted TGS tickets and crack them to obtain service account passwords.

3. Replication or DCsync Attack:

   • Exploit the "Replication" privileged right to request domain controller synchronization.

   • Retrieve password hashes of user accounts without requiring elevated privileges.

4. Golden Ticket Attack:

   • Forge Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account's hash.

   • This can be used to gain unauthorized access to any account within the domain using the valid Kerberos tickets generated by the attacker.

   • This attack is used to make persistence in the network.

5. Silver Ticket Attack:

   • Forge Service Tickets (TGS) for a specific service using the Service Account's hash.

   • Gain unauthorized access to specific services without needing to know the account's password.

   • This attack is used to get persistence in the network

6. Pass-the-Ticket (PtT) Attack:

   • Exploit Kerberos tickets to gain unauthorized access to systems.

   • Abuse the Kerberos Ticket Granting Tickets (TGTs) or Service Tickets (TGSs) obtained through various means.

7. Kerberos Delegation Abuse:

   • Exploit misconfigured delegation settings to impersonate privileged accounts and escalate privileges.

   • Abuse the "Trusted To Authenticate For" and "Constrained Delegation" settings.

8. Kerberos Extension Attacks:

   • Exploit vulnerabilities in Kerberos extensions, such as the S4U (Services For User) extension, to gain unauthorized access to services or impersonate users.

9. Kerberos Ticket Renewal Attacks:

   • Exploit weaknesses in ticket renewal processes to obtain extended access or bypass authentication requirements.

10. Reflection Attacks:

    • Exploit misconfigured or insecure trust relationships to relay or reflect Kerberos authentication requests, leading to unauthorized access or privilege escalation.

11. Time Synchronization Attacks:

    • Exploit time synchronization issues to manipulate Kerberos ticket validity periods or replay expired tickets.

These attacks are not intended functionalities but rather vulnerabilities or weaknesses in their implementation or configuration. These attacks exploit flaws in the design or deployment of Kerberos to gain unauthorized access, escalate privileges, or manipulate authentication mechanisms. They highlight potential security weaknesses that can be addressed to strengthen the overall security of Kerberos deployments.

More Reading

• You Do (Not) Know Kerberose - Video: https://www.youtube.com/watch?v=4LDpb1R3Ghg