Kerberos is a network authentication protocol named after Cerberus, the three-headed dog of Greek mythology. A couple of key points to remember about the protocol:
- Uses tickets for authentication
- Avoids sending passwords over the network
- Uses symmetric-key encryption
- Pass the ticket is used to perform "lateral movement" by leveraging the Kerberos authentication system.
- The attacker extracts a Kerberos TGT (Ticket Granting Ticket) from LSASS memory.
- The obtained ticket is used to request Kerberos service tickets to get access to the network.
- A Kerberos TGT expires in 10 hours by default.
- Tools like Mimikatz and Rubeus are used to perform this kind of attack.
- Phase 1 is to monitor, via tools, for 4624 logon events.
- Once any user logs in, the tools go and grab the ticket.
Ways to investigate a Pass the Ticket attack:
- Get access to the host and analyze the logon sessions.
- Use the klist command to inspect the Kerberos tickets associated with the session.
- Look for Kerberos tickets that do not match the user associated with the session.
- Credential Guard is hypervisor-based isolation that restricts access to the hashes and the tickets. Watch this video - https://www.youtube.com/watch?v=urqXgBbVyWY
- Multi-factor authentication (MFA) is one of the good ways to handle Pass the Ticket attacks, along with standard cybersecurity practices.
In overpass-the-hash, the attacker tries to capture the NTLM hash of the account it wishes to compromise, using tools like Mimikatz.
Using this command in mimikatz:
Sekurlsa::pth /user:[USER] /domain:[DOMAIN] /ntlm:[NTLM HASH]
The NTLM hash is passed into the Kerberos authentication provider using RC4 encryption.
The focus of this attack is to compromise a service account: the attacker requests a ticket for a highly privileged service account, captures its hash and cracks it offline.
Here a Ticket Granting Ticket is generated for any account, with any expiration.
The majority of Active Directory based attacks can be detected by implementing Microsoft Advanced Threat Analytics.
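As an added example (not part of the original notes), here is a small Python triage script that applies the klist checks from the investigation list above, together with the RC4 and ticket-lifetime indicators that follow from the overpass-the-hash and TGT sections: it parses klist output and flags any cached ticket whose client principal differs from the logged-on user, any RC4-encrypted ticket, and any TGT valid for longer than the 10-hour default. The klist text is a constructed sample, and the session user is passed in as an argument (on a real host it would come from the logon session itself).

```python
import re
from datetime import datetime

# Constructed sample of Windows klist output (not a real capture). Ticket #0 is the
# session user's own TGT; #1 is for another account, RC4-encrypted and valid for 10 days.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 1/1/2024 9:00:00 (local)
        End Time:   1/1/2024 19:00:00 (local)

#1>     Client: svc_backup @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RC4-HMAC(NT)
        Start Time: 1/1/2024 9:05:00 (local)
        End Time:   1/11/2024 9:05:00 (local)
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
MAX_TGT_HOURS = 10  # default TGT lifetime stated in the notes

def parse_klist(text):
    """Split klist output into one {field: value} dict per cached ticket."""
    blocks = re.split(r"^#\d+>", text, flags=re.MULTILINE)[1:]
    return [dict(re.findall(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$", b, re.MULTILINE)) for b in blocks]

def _parse_time(value):
    # klist prints times as "1/1/2024 9:00:00 (local)"; drop the marker before parsing
    return datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)

def audit_tickets(klist_text, session_user):
    """Flag tickets that look out of place; session_user is assumed known from the logon session."""
    findings = []
    for t in parse_klist(klist_text):
        client = t.get("Client", "")
        if client.split("@")[0].strip().lower() != session_user.lower():
            findings.append((client, "ticket client does not match session user"))
        if t.get("KerbTicket Encryption Type", "").upper().startswith("RC4"):
            findings.append((client, "RC4-encrypted ticket (NTLM hash may have been injected)"))
        lifetime = _parse_time(t["End Time"]) - _parse_time(t["Start Time"])
        if t.get("Server", "").startswith("krbtgt/") and lifetime.total_seconds() > MAX_TGT_HOURS * 3600:
            findings.append((client, f"TGT lifetime {lifetime} exceeds the {MAX_TGT_HOURS}h default"))
    return findings

if __name__ == "__main__":
    print(*audit_tickets(SAMPLE_KLIST, "alice"), sep="\n")
```

Real klist output carries more fields (Ticket Flags, Renew Time, Cache Flags); the parser keeps them in the per-ticket dict and simply does not inspect them.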