Pentesting Active Directory - Kerberos (Part 1)

Part 2 of a hopefully fruitful and long series

Penetration testing an Active Directory is no easy task; it requires understanding key concepts of Active Directory, and one of those is Kerberos. To attack an AD effectively, we need a good understanding of the Kerberos authentication process, because that knowledge tells us which kind of attack applies at which point of a pentest.

In this post, we will discuss the basic functionality of Kerberos. We will see how to perform the attacks in a later post. And no, I won't be going through the cryptography of it (I had enough of applied crypto).

What is Kerberos?

Kerberos is a ticket-based authentication protocol that lets nodes prove their identity to one another over a non-secure network. Each user is identified by a secret (in Active Directory, the account password, from which the user's Kerberos keys are derived). Because Kerberos is only an authentication protocol, it does not decide which resources or services a user may access. That decision belongs to each service: after Kerberos has told the service who the user is, the service itself has to check whether that user has the privilege to do what it is being asked to do.

What is Kerberos used for?

Kerberos is used for POSIX authentication, Active Directory, NFS and Samba, and it can serve as the authentication mechanism for SSH, POP and SMTP (typically through GSSAPI). The main uses of Kerberos include:

  • Single Sign On (SSO)

  • Network Authentication

  • Mutual Authentication

  • Transport of authorization data (in AD, the PAC inside the ticket; the access decision itself is still made by the service)

Kerberos Items

We will discuss the several components of Kerberos here.

Transport Layer

Kerberos can use either UDP or TCP as its transport protocol. The KDC listens on port 88 (UDP/88 and TCP/88). A client that receives a KRB_ERR_RESPONSE_TOO_BIG error over UDP (for example because a large PAC does not fit in a datagram) retries the request over TCP.

Agents

There are several agents that work together to provide authentication in Kerberos.

  • Client - These are agents that want to access the service

  • Application Server - These are agents that offer the service

  • Key Distribution Center (KDC) - The main Kerberos service, which issues the tickets. In AD it runs on every Domain Controller. It is made up of the Authentication Service (AS), which issues TGTs, and the Ticket Granting Service (TGS), which issues service tickets.

Encryption Keys

Since Kerberos runs over a non-secure network, its messages have to be protected: many Kerberos structures are encrypted or signed so that third parties cannot read or tamper with them. These are the keys used by Kerberos:

  • KDC or krbtgt key - a key derived from the secret of the krbtgt account. For the RC4-HMAC encryption type this is simply the account's NTLM hash; for the AES types it is derived from the password with a salt.

  • User key - a key derived in the same way from the user's secret (RC4-HMAC: the user's NTLM hash).

  • Service key - a key derived from the secret of the account the service runs under, which can be a user or a computer account.

  • Session key - a key generated by the KDC and shared between the user and the KDC. It is delivered to the user in the AS-REP and also travels inside the TGT.

  • Service session key - a key generated by the KDC to be used between the user and the service. It is delivered in the TGS-REP and also travels inside the service ticket.

Tickets

Tickets are the main structures handled by Kerberos. They are delivered to users to allow them to perform several actions in the Kerberos realm. There are 2 types of tickets:

  • The TGS (Ticket Granting Service) ticket, more precisely called a service ticket (ST), is a ticket the user presents to authenticate against a specific service; in other words, it grants the user access to that service. It is encrypted with the service key, so only the service (and the KDC) can read it.

  • The TGT (Ticket Granting Ticket) is a ticket the user presents to the KDC to request service tickets. It is encrypted with the KDC (krbtgt) key, so the client carries it but cannot read or modify it.

PAC

The PAC (Privilege Attribute Certificate) is a Microsoft extension found in almost every AD ticket. It contains the user's authorization data (SID, group memberships, privileges) and carries two signatures: one with the service key and one with the KDC (krbtgt) key. A service can verify the KDC signature by asking the KDC, but in practice this rarely happens (on Windows, services holding SeTcbPrivilege, such as those running as SYSTEM, skip it by default). Even when it does happen, verification only checks the signatures; nobody inspects the contents of the PAC to see whether the privileges listed in it are correct. A client can also ask for a ticket without a PAC by setting the KERB-PA-PAC-REQUEST pre-authentication data in the ticket request.

Messages

Kerberos uses several kinds of messages. The ones we should look out for are the following:

  • KRB_AS_REQ - Sent by the client to the KDC to request a TGT.

  • KRB_AS_REP - Sent by the KDC to deliver the TGT (and the session key).

  • KRB_TGS_REQ - Sent by the client to the KDC to request a service ticket, presenting the TGT.

  • KRB_TGS_REP - Sent by the KDC to deliver the service ticket (and the service session key).

  • KRB_AP_REQ - Sent by the client to authenticate against a service, presenting the service ticket.

  • KRB_AP_REP - (Optional) Sent by the service to prove its own identity to the client (mutual authentication).

  • KRB_ERROR - Message used to communicate error conditions.
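The three exchanges above, together with the agents, keys and tickets from the earlier sections, as an added toy simulation that is not part of the original post and not real Kerberos: the real wire format is ASN.1 (RFC 4120) and the encryption types come from RFC 3961, whereas here `seal()` and `unseal()` are a small HMAC-SHA256 authenticated-encryption stand-in for an encryption type, and the realm `CORP.LOCAL`, the principals `alice` and `bob`, the service `cifs/fs01.corp.local`, the group `Finance` and all keys are made-up test data. What the simulation preserves is which key protects which structure (and therefore who can read it), the pre-authentication check, the PAC travelling from TGT to service ticket, and the point from the "What is Kerberos?" section that the service, not the KDC, makes the access decision.

```python
"""Toy simulation of the Kerberos AS, TGS and AP exchanges. Added example, not
real Kerberos and not the post's code; realm, principals, keys and groups are
constructed test data.
"""
import hashlib, hmac, json, os, time

class KerberosError(Exception):
    """Stands in for a KRB_ERROR message."""

def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under a 32-byte key (toy etype)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise KerberosError("KRB_AP_ERR_BAD_INTEGRITY")  # wrong key or tampered blob
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) of one realm."""
    def __init__(self, realm, krbtgt_key, user_keys, service_keys, groups):
        self.realm, self.krbtgt_key = realm, krbtgt_key
        self.user_keys, self.service_keys, self.groups = user_keys, service_keys, groups

    def as_exchange(self, cname, pa_enc_timestamp):
        """KRB_AS_REQ -> KRB_AS_REP. Pre-auth is a timestamp sealed with the user key."""
        try:
            ts = unseal(self.user_keys[cname], pa_enc_timestamp)["timestamp"]
        except KerberosError:
            raise KerberosError("KDC_ERR_PREAUTH_FAILED") from None
        if abs(time.time() - ts) > 300:
            raise KerberosError("KRB_AP_ERR_SKEW")
        session_key = os.urandom(32).hex()
        pac = {"user": cname, "groups": self.groups.get(cname, [])}  # authorization data
        # The TGT is sealed with the krbtgt key: the client carries it but cannot open it.
        tgt = seal(self.krbtgt_key, {"cname": cname, "session_key": session_key, "pac": pac})
        return tgt, seal(self.user_keys[cname], {"session_key": session_key})

    def tgs_exchange(self, tgt, authenticator, sname):
        """KRB_TGS_REQ -> KRB_TGS_REP. The KDC trusts whatever the krbtgt key decrypts."""
        t = unseal(self.krbtgt_key, tgt)
        session_key = bytes.fromhex(t["session_key"])
        if unseal(session_key, authenticator)["cname"] != t["cname"]:
            raise KerberosError("KRB_AP_ERR_BADMATCH")
        svc_session_key = os.urandom(32).hex()
        # The service ticket is sealed with the service key and copies the PAC from the TGT.
        st = seal(self.service_keys[sname],
                  {"cname": t["cname"], "session_key": svc_session_key, "pac": t["pac"]})
        return st, seal(session_key, {"session_key": svc_session_key})

class Service:
    """Application server: Kerberos authenticates the user, the service authorizes it."""
    def __init__(self, sname, key, allowed_groups):
        self.sname, self.key, self.allowed_groups = sname, key, set(allowed_groups)

    def ap_exchange(self, st, authenticator):
        """KRB_AP_REQ -> KRB_AP_REP."""
        t = unseal(self.key, st)  # only the service key (and the KDC) can open the ticket
        svc_session_key = bytes.fromhex(t["session_key"])
        auth = unseal(svc_session_key, authenticator)
        if auth["cname"] != t["cname"]:
            raise KerberosError("KRB_AP_ERR_BADMATCH")
        # Authentication is finished here. Access is decided by the service from the
        # PAC groups; nobody upstream checked them against this particular resource.
        if not self.allowed_groups & set(t["pac"]["groups"]):
            raise PermissionError(f"{t['cname']} authenticated but not authorized for {self.sname}")
        return seal(svc_session_key, {"timestamp": auth["timestamp"]})  # mutual authentication

def login_and_access(kdc, service, cname, user_key):
    """Client side of the whole flow. True when the AP_REP proves the service knows the key."""
    tgt, enc = kdc.as_exchange(cname, seal(user_key, {"timestamp": time.time()}))
    session_key = bytes.fromhex(unseal(user_key, enc)["session_key"])
    tgs_auth = seal(session_key, {"cname": cname, "timestamp": time.time()})
    st, enc = kdc.tgs_exchange(tgt, tgs_auth, service.sname)
    svc_session_key = bytes.fromhex(unseal(session_key, enc)["session_key"])
    ap_ts = time.time()
    ap_rep = service.ap_exchange(st, seal(svc_session_key, {"cname": cname, "timestamp": ap_ts}))
    return unseal(svc_session_key, ap_rep)["timestamp"] == ap_ts

def build_lab():
    """Constructed realm: two users, one file share, one group that grants access to it."""
    user_keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    svc_key = os.urandom(32)
    kdc = KDC("CORP.LOCAL", os.urandom(32), user_keys,
              {"cifs/fs01.corp.local": svc_key}, {"alice": ["Finance"], "bob": []})
    return kdc, Service("cifs/fs01.corp.local", svc_key, ["Finance"]), user_keys
```

Running `kdc, share, keys = build_lab()` and then `login_and_access(kdc, share, "alice", keys["alice"])` walks through all six messages and returns `True`. Doing the same for `bob` gets a valid TGT and a valid service ticket (Kerberos has no objection to him) and is then refused by the service with a `PermissionError`, which is the authorization boundary the "What is Kerberos?" section describes. Using a wrong user key fails at the very first step with `KDC_ERR_PREAUTH_FAILED`, because the KDC cannot open the pre-authentication timestamp.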

Authentication Process

I will go through this process in a later post LOL but here is a nice picture that summarises the different kinds of messages.

Questions

  • What transport protocols does Kerberos use, and why is encryption critical in this context?

  • Can Kerberos be used as an Authorization process? Explain why

  • What is the difference between TGT and TGS?

  • What is krbtgt? Why is it there?

  • What is the role of the KDC in the Kerberos authentication process?
