
Kerberos is a network authentication protocol whose name comes from the Greek word for Cerberus, the three-headed dog. A couple of key points to remember about the protocol:
- Uses tickets for authentication
- Avoids sending the password over the network
- Uses symmetric-key encryption
Source: https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication
Kerberos Attacks
#Pass the ticket:
- Pass the ticket is used to perform "lateral movement" by leveraging the Kerberos authentication system.
- The attacker extracts a Kerberos TGT (Ticket Granting Ticket) from LSASS memory.
- The obtained TGT is used to request Kerberos service tickets and gain access to network resources.
- A Kerberos TGT expires in 10 hours by default.
- Tools like Mimikatz and Rubeus are used to perform this kind of attack.
- Phase 1 is to monitor, via such tools, for logon events (Event ID 4624).
- Once any user logs in, the tool goes and grabs that session's ticket.
Ways to investigate a pass-the-ticket attack
- Get access to the host and analyze the logon sessions.
- Use the klist command to inspect the Kerberos tickets associated with each session.
- Look for Kerberos tickets that do not match the user associated with the session.
Countermeasures:
- Credential Guard is hypervisor-based isolation that restricts access to the hashes and the tickets. Watch this video - https://www.youtube.com/watch?v=urqXgBbVyWY
- Multi-factor authentication (MFA) is one of the good ways to handle pass-the-ticket attacks, alongside standard cybersecurity practices.
#Overpass the hash:
In overpass-the-hash, the attacker first captures the NTLM hash of the account it wishes to compromise, using tools like Mimikatz.
Using this command in Mimikatz:
Sekurlsa::pth /user:[USER] /domain:[DOMAIN] /ntlm:[NTLM HASH]
The NTLM hash is passed to the Kerberos authentication provider, which uses it as the RC4 encryption key.
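Why a bare NTLM hash can be handed to the Kerberos provider at all is a property of the RC4 encryption type: the RC4-HMAC long-term key (RFC 4757) is MD4 over the UTF-16LE password, which is exactly the NT hash, whereas the AES encryption types (RFC 3962) derive their key from the password plus a salt made of the realm and user name. The following Python is an added example, not code from the original notes; the function names, sample password and realm/principal values are constructed, MD4 is implemented in pure Python because hashlib's md4 is often unavailable on modern OpenSSL builds, and only the first (PBKDF2) step of the AES string-to-key is shown, not the final derived key.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib's md4 is frequently disabled."""
    F = lambda x, y, z: (x & y) | ((~x & MASK) & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian 64-bit int
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [
        (F, 0x00000000, list(range(16)), [3, 7, 11, 19]),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers as in the RFC's [abcd k s] table
        state = [(s + r) & MASK for s, r in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). No salt, so it is identical on every domain."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_kerberos_key(password: str) -> bytes:
    """RFC 4757 string-to-key for RC4-HMAC: MD4(UTF-16LE(password)), i.e. the NT hash itself."""
    return md4(password.encode("utf-16-le"))


def aes_string_to_key_step(password: str, realm: str, principal: str, iterations: int = 4096) -> bytes:
    """First step of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1 with salt = REALM + principal.
    The final AES key is derived further from this value; what matters here is that the salt ties
    the result to the realm and user, so a salt-free NT hash cannot stand in for an AES key."""
    salt = (realm.upper() + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 16)


if __name__ == "__main__":
    pw = "password"  # constructed sample value
    print("NT hash            :", nt_hash(pw).hex())
    print("RC4-HMAC Kerb key  :", rc4_hmac_kerberos_key(pw).hex())
    print("AES step (alice)   :", aes_string_to_key_step(pw, "CORP.EXAMPLE", "alice").hex())
    print("AES step (bob)     :", aes_string_to_key_step(pw, "CORP.EXAMPLE", "bob").hex())
```

The defender's takeaway is the second half of the block: the same password yields different AES material for different users and realms, while the RC4 key is the raw NT hash. A domain that still accepts RC4-HMAC therefore lets a stolen NT hash act directly as a Kerberos key, which is why restricting Kerberos to AES encryption types is the usual hardening alongside Credential Guard.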
#Kerberoasting:
The focus of this attack is to compromise a service account. The attacker requests a service ticket for a highly privileged service account, captures the hash (the ticket is encrypted with the service account's key) and cracks it offline.
#Golden Ticket:
A golden ticket is a forged Ticket Granting Ticket, generated for any account and with any expiration.
The majority of Active Directory based attacks can be detected by implementing Microsoft Advanced Threat Analytics (ATA):
https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata
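As an added example that is not part of the original notes, and that serves both the pass-the-ticket investigation steps (inspect the session's tickets with klist and look for ones that do not match the session user) and the golden ticket description (a TGT with an arbitrary expiration, against the 10-hour default), the following Python parses Windows klist output and flags both anomalies. The klist text is a constructed sample, not a real capture; the US-style timestamp format and the 10-hour threshold are assumptions, so set the threshold to your domain's actual maximum ticket lifetime policy.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Windows `klist` output for one logon session (not a real capture).
# The session belongs to "alice", yet ticket #1 was issued to "admin" and has a
# ten-year lifetime: those are the two anomalies the notes above describe.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/4/2021 9:00:00 (local)
        End Time:   5/4/2021 19:00:00 (local)
        Renew Time: 5/11/2021 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.example

#1>     Client: admin @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/4/2021 9:05:00 (local)
        End Time:   5/2/2031 9:05:00 (local)
        Renew Time: 5/2/2031 9:05:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
"""

DEFAULT_TGT_LIFETIME = timedelta(hours=10)  # default TGT lifetime quoted in the notes (assumption: domain default)
TIME_FMT = "%m/%d/%Y %H:%M:%S"              # assumption: US-locale timestamps, as in the constructed sample


def parse_klist(text):
    """Return one dict per cached ticket with its client, server, start and end times."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.MULTILINE)[1:]:
        fields = {}
        for line in block.splitlines():
            m = re.match(r"\s*(Client|Server|Start Time|End Time):\s*(.*?)\s*(?:\(local\))?\s*$", line)
            if m:
                fields[m.group(1)] = m.group(2)
        tickets.append({
            "client": fields["Client"],
            "server": fields["Server"],
            "start": datetime.strptime(fields["Start Time"], TIME_FMT),
            "end": datetime.strptime(fields["End Time"], TIME_FMT),
        })
    return tickets


def find_suspicious_tickets(text, session_user, max_tgt_lifetime=DEFAULT_TGT_LIFETIME):
    """Flag tickets whose client is not the session user (pass-the-ticket indicator) and
    TGTs whose lifetime exceeds the expected maximum (golden ticket indicator)."""
    findings = []
    for t in parse_klist(text):
        client_user = t["client"].split("@")[0].strip().lower()
        if client_user != session_user.lower():
            findings.append((t["client"], "client principal does not match session user"))
        is_tgt = t["server"].lower().startswith("krbtgt/")
        if is_tgt and (t["end"] - t["start"]) > max_tgt_lifetime:
            findings.append((t["client"], "TGT lifetime exceeds the expected maximum"))
    return findings


if __name__ == "__main__":
    for client, reason in find_suspicious_tickets(SAMPLE_KLIST, session_user="alice"):
        print(f"SUSPICIOUS  {client}: {reason}")
```

On a real host the text would come from running klist for each logon session (klist -li <LogonId> as an administrator) with the session owner taken from the logon session listing; a clean session produces no findings, while the sample above yields two, both on the admin ticket.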