Active directory kerberos
Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason why this attack is successful is that most service account passwords are the same length as the domain password minimum (often 10 or 12 characters long), meaning that even brute-force cracking doesn’t likely take longer than the maximum password age (expiration). Most service accounts don’t have passwords set to expire, so it’s likely the same password will be in effect for months if not years. Furthermore, most service accounts are over-permissioned and are often members of Domain Admins, providing full admin rights to Active Directory (even when the service account only needs to modify an attribute on certain object types or admin rights on specific servers).

Tim Medin presented on this at DerbyCon 2014 in his “Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades” presentation (slides & video), where he released the Kerberoast Python TGS cracker.

Also, Will Schroeder, aka Will Harmjoy, and I spoke at DerbyCon 2016 about how to Kerberoast to escalate privileges.

This is a topic we have covered in the past in the posts “Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain” & “Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting.”

Note: This attack will not be successful when targeting services hosted by the Windows system itself, since these services are mapped to the computer account in Active Directory, which has an associated 128-character password that won’t be cracked anytime soon.

Kerberos Overview & Communication Process

Let’s quickly cover how Kerberos authentication works before diving into how Kerberoasting works and how to detect Kerberoast-type activity.

1a. The user’s password is converted to an NTLM hash; a timestamp is encrypted with the hash and sent to the KDC as an authenticator in the authentication ticket (TGT) request (AS-REQ).
1b. The Domain Controller (KDC) checks user information (logon restrictions, group membership, etc.) & creates a Ticket-Granting Ticket (TGT).
2. The TGT is encrypted, signed, & delivered to the user (AS-REP). Only the Kerberos service (KRBTGT) in the domain can open and read TGT data.
3. The user presents the TGT to the DC when requesting a Ticket Granting Service (TGS) ticket (TGS-REQ). The DC opens the TGT & validates the PAC checksum – if the DC can open the ticket & the checksum checks out, the TGT is valid. The data in the TGT is effectively copied to create the TGS ticket.
4. The TGS is encrypted using the target service account’s NTLM password hash and sent to the user (TGS-REP).
5. The user connects to the server hosting the service on the appropriate port & presents the TGS (AP-REQ).
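The five steps above, modelled end to end as an added example (this is not code from the original post or from any Kerberos implementation). It uses only the Python standard library: SHA-256 over the UTF-16LE password stands in for the NT hash, and a SHA-256 keystream plus HMAC tag stands in for RC4/AES ticket encryption, so none of the cryptography is real Kerberos. The domain (accounts krbtgt, alice, svc_sql, FILESRV01$ and the two SPNs) is constructed for the demo. What it makes visible is the key-scoping point behind the note about computer accounts: the TGT opens only under the KRBTGT key, each TGS opens only under the key of the account that owns the SPN, and a service hosted by a machine account sits behind a 128-character random password while a human-managed service account sits behind whatever its owner chose.

```python
import hashlib
import hmac
import json
import secrets
import time


def derive_key(password: str) -> bytes:
    # Stand-in for the NT hash (MD4 over the UTF-16LE password) that keys RC4 tickets.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key: bytes, payload: dict) -> bytes:
    # Toy authenticated encryption (nonce || ciphertext || HMAC tag); not a real cipher.
    plain = json.dumps(payload, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    cipher = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    # Raises ValueError when the key is wrong: a ticket only "opens" for its owner.
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """Domain controller side: holds every account's key, including KRBTGT's."""

    def __init__(self, passwords: dict, spn_owner: dict, groups: dict, max_skew: int = 300):
        self.keys = {name: derive_key(pw) for name, pw in passwords.items()}
        self.spn_owner = spn_owner  # SPN -> account the service runs as
        self.groups = groups        # user -> group memberships placed in the PAC
        self.max_skew = max_skew

    def as_exchange(self, user: str, authenticator: bytes) -> bytes:
        # 1a/1b: the encrypted timestamp must open with the user's key and be fresh;
        # the DC then builds the PAC and seals the TGT under the KRBTGT key (2, AS-REP).
        stamp = unseal(self.keys[user], authenticator)["timestamp"]
        if abs(time.time() - stamp) > self.max_skew:
            raise ValueError("authenticator outside allowed clock skew")
        pac = {"user": user, "groups": self.groups.get(user, [])}
        return seal(self.keys["krbtgt"], pac)

    def tgs_exchange(self, tgt: bytes, spn: str) -> bytes:
        # 3: only the KRBTGT key opens the TGT; a failed tag check means an invalid ticket.
        pac = unseal(self.keys["krbtgt"], tgt)
        # 4: the PAC is copied into the TGS, sealed under the service account's key (TGS-REP).
        return seal(self.keys[self.spn_owner[spn]], {"spn": spn, **pac})


def client_logon(kdc: KDC, user: str, password: str) -> bytes:
    # AS-REQ: the client proves knowledge of its key by sealing the current time.
    authenticator = seal(derive_key(password), {"timestamp": time.time()})
    return kdc.as_exchange(user, authenticator)


def service_accepts(service_password: str, tgs: bytes, spn: str):
    # 5, AP-REQ: the service opens the TGS with its own key; no round trip to the DC.
    pac = unseal(derive_key(service_password), tgs)
    return pac["user"] if pac["spn"] == spn else None


def _opens(key: bytes, blob: bytes) -> bool:
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


def which_keys_open(blob: bytes, keys: dict) -> list:
    # Audit helper: which of the domain's account keys can read this ticket?
    return sorted(name for name, key in keys.items() if _opens(key, blob))


# Constructed demo domain: a human-managed service account with a policy-minimum
# password next to a computer account whose password is 128 random characters.
PASSWORDS = {
    "krbtgt": secrets.token_urlsafe(96),
    "alice": "Winter2024!!",
    "svc_sql": "Sql$erver12",                 # 11 characters, chosen by a person
    "FILESRV01$": secrets.token_urlsafe(96),  # 128-character machine password
}
SPN_OWNER = {
    "MSSQLSvc/sql01.corp.example:1433": "svc_sql",
    "CIFS/filesrv01.corp.example": "FILESRV01$",
}
GROUPS = {"alice": ["Domain Users"]}


def run_demo() -> dict:
    kdc = KDC(PASSWORDS, SPN_OWNER, GROUPS)
    tgt = client_logon(kdc, "alice", PASSWORDS["alice"])
    sql_tgs = kdc.tgs_exchange(tgt, "MSSQLSvc/sql01.corp.example:1433")
    cifs_tgs = kdc.tgs_exchange(tgt, "CIFS/filesrv01.corp.example")
    return {
        "tgt_readable_by": which_keys_open(tgt, kdc.keys),
        "sql_tgs_readable_by": which_keys_open(sql_tgs, kdc.keys),
        "cifs_tgs_readable_by": which_keys_open(cifs_tgs, kdc.keys),
        "sql_accepts": service_accepts(PASSWORDS["svc_sql"], sql_tgs, "MSSQLSvc/sql01.corp.example:1433"),
        "machine_password_len": len(PASSWORDS["FILESRV01$"]),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running it shows the TGT readable only by krbtgt, the SQL TGS only by svc_sql and the CIFS TGS only by FILESRV01$. The `tgs_exchange` method is the reason the attack in the post needs no packets to the target: any authenticated user can ask the DC for a ticket to any SPN, and the DC hands back material sealed under that account's key without the service ever being contacted. Which accounts deserve attention on the defensive side therefore follows from `SPN_OWNER`: SPNs owned by user accounts with short, non-expiring passwords, rather than those owned by machine accounts.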