Pentesting Active Directory - Kerberos (Part 2)

Part 3 of a hopefully fruitful and long series

Now that we know how Kerberos works, we can move on to learning the various types of attacks. I will mainly discuss attacks related to Kerberos.

The types of attacks we will discuss today are:

  • Pass The Ticket

  • Overpass the Hash / Pass the Key

  • Silver Ticket

  • Golden Ticket

I will probably discuss more attacks in the next part.

Pass the Ticket

In a Pass the Ticket attack, the attacker steals an existing Kerberos ticket (a TGT or a service ticket) together with its session key and replays it to impersonate the user, gaining unauthorized access to resources and services within the network. Capturing a ticket on the wire with a MITM is not enough on its own: the ticket is only usable with the session key that the KDC returned to the client, which never travels in the clear. Extracting tickets from the memory of the lsass.exe process on a compromised host yields both the ticket and its session key, which is why mimikatz (sekurlsa::tickets /export to dump tickets as .kirbi files, kerberos::ptt to inject one into the current session) is the usual tool. On Linux hosts the same material sits in credential cache (ccache) files, which Impacket tools consume through the KRB5CCNAME environment variable.

Overpass the Hash / Pass the Key

This attack is useful in environments where NTLM authentication is restricted and Kerberos takes precedence. It leverages the NTLM hash or the AES key of a user to obtain Kerberos tickets, enabling unauthorized access to resources within the network. The reason it works is that these values are the account's Kerberos long-term keys: the NT hash is the RC4-HMAC (etype 23) key and the AES keys are the AES128/AES256 keys, so whoever holds one of them can complete pre-authentication with the KDC and receive a TGT without ever knowing the password. Hashes and keys can be extracted from the SAM of a workstation (local accounts only), from the NTDS.DIT file of a DC (every domain account), or from the memory of the lsass.exe process with mimikatz (accounts currently logged on). Once we have the hash, we ask the KDC for a TGT, which then lets us reach every service or machine the user has permissions on. With Impacket this is done with getTGT.py, which saves the TGT as <user>.ccache in the current directory; pointing KRB5CCNAME at that file lets the other Impacket tools use it with -k -no-pass:

python getTGT.py greenhat.com/frost -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
export KRB5CCNAME=/root/impacket-examples/frost.ccache

On Windows, Rubeus can request the TGT the same way (add /ptt to inject it straight into the current logon session; /aes256 takes the AES key instead of /rc4):

.\Rubeus.exe asktgt /domain:greenhat.com /user:frost /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7

Silver Ticket

A Silver Ticket is a forged service ticket (TGS). It requires the long-term key of the account that the target service runs as, typically the NTLM hash or AES key of a computer account, together with the domain SID. Because a service decrypts its tickets with its own key and normally does not ask the KDC to validate the PAC, the forged ticket is accepted and the attacker gets access to that one service on that one host. The KDC is never contacted, so nothing is logged on the DC; the only trace is the logon on the target machine. Which services are reachable depends on the SPN class written into the ticket: CIFS for file shares, HOST and HTTP for WinRM and PowerShell Remoting, HOST and RPCSS for WMI, and so on.

Refer to the list of service types here.

Golden Ticket

The objective of a Golden Ticket is to forge a TGT. With the NTLM hash (or AES key) of the domain's krbtgt account, the domain name and the domain SID, the attacker can mint a TGT for any user, existing or not, with any group memberships written into the PAC, and then request service tickets from the KDC for any service or machine in the domain as that user. The KDC accepts the forged TGT because it is encrypted with the same krbtgt key the KDC uses itself. The ticket remains usable for whatever lifetime the attacker wrote into it (mimikatz defaults to ten years), and only changing the krbtgt password twice invalidates it, because the KDC also honours the previous krbtgt key.

Refer here for more information.

Interview Question

  1. As an attacker, is it better to use the NTLM hash or AES Key of a user? Explain Why.

  2. Assuming that the user you created a TGT with changes its password, will your TGT still be valid? Explain why.

  3. What is the difference between a silver ticket and a golden ticket?

  4. How can you detect a golden ticket?
