Kerberos_AD
Kerberos process:
C1. AS-REQ (1) -> ticket flags + username + service name (krbtgt, i.e. the TGT) + realm
K2. KRB-ERROR: Preauth-Required -> stime + salt + error code
C3. AS-REQ (2, with pre-authentication) -> cname + sname + timestamp <- encrypted with user's hash
K4. AS-REP (TGT):
-> session key: sname + realm <- encrypted using user's hash
-> TGT: username + realm + session key + timestamp + lifetime + PAC data <- encrypted using krbtgt key
C5. TGS-REQ (TGS):
-> TGS-REQ body: sname + SPN of the requested service, plus the TGT
-> TGT <- encrypted using krbtgt key
-> Authenticator: username + timestamp <- encrypted using session key
K6. TGS-REP (TGS):
-> service session key: sname + realm <- encrypted using session key
-> TGS: username + realm + service session key + timestamp + lifetime + PAC data <- encrypted using the service account's key (e.g. the SQL service key)
C7. AP-REQ (TGS):
-> Authenticator: username + timestamp <- encrypted using service session key
-> TGS <- encrypted using the SQL service key
S8. AP-REP -> DONE
Kerberoasting: definition:
Request service tickets (TGS) for accounts that have an SPN and crack them offline. Attackers request RC4 encryption when initiating the TGS-REQ requests, because RC4 is weaker (cheaper to crack than AES).
Detect:
4769: A Kerberos service ticket (TGS) was requested
4770: A Kerberos service ticket was renewed
Ticket Options 0x40810000 and Ticket Encryption Type 0x17 (RC4-HMAC)
Looking for TGS-REQ packets with RC4 encryption
PowerShell: Event IDs 400 and 800 (Windows PowerShell log); with module and script block logging enabled: 4100, 4103, 4104
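As an added example (not part of these notes), the Kerberoasting indicators above (4769, Ticket Options 0x40810000, encryption type 0x17) applied to constructed 4769 events; the key=value line format, the krbtgt/computer-account exclusions and the per-user threshold are assumptions of this example:

```python
# Added example: flag Kerberoasting candidates in constructed 4769 events.
# Field names mirror the Windows 4769 event; the ';'-separated key=value
# line format and the sample values are constructed for this example.
from collections import defaultdict

RC4_HMAC = 0x17             # Ticket Encryption Type noted above
ROAST_OPTIONS = 0x40810000  # Ticket Options noted above (forwardable, renewable, canonicalize)

# Constructed sample events, one per line
SAMPLE_4769 = """\
EventID=4769;TargetUserName=jdoe@CORP.LOCAL;ServiceName=MSSQLSvc;TicketOptions=0x40810000;TicketEncryptionType=0x17;Status=0x0;IpAddress=10.0.0.5
EventID=4769;TargetUserName=jdoe@CORP.LOCAL;ServiceName=svc_backup;TicketOptions=0x40810000;TicketEncryptionType=0x17;Status=0x0;IpAddress=10.0.0.5
EventID=4769;TargetUserName=jdoe@CORP.LOCAL;ServiceName=svc_web;TicketOptions=0x40810000;TicketEncryptionType=0x17;Status=0x0;IpAddress=10.0.0.5
EventID=4769;TargetUserName=WS01$@CORP.LOCAL;ServiceName=DC01$;TicketOptions=0x40810000;TicketEncryptionType=0x12;Status=0x0;IpAddress=10.0.0.7
EventID=4769;TargetUserName=jsmith@CORP.LOCAL;ServiceName=krbtgt;TicketOptions=0x40810000;TicketEncryptionType=0x17;Status=0x0;IpAddress=10.0.0.9
EventID=4769;TargetUserName=jsmith@CORP.LOCAL;ServiceName=MSSQLSvc;TicketOptions=0x40810000;TicketEncryptionType=0x17;Status=0x0;IpAddress=10.0.0.9
"""

def parse_event(line):
    """Turn one 'k=v;k=v' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";"))

def is_rc4_service_ticket(ev):
    """True for a successful 4769 for a user-owned SPN requested with RC4."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    svc = ev["ServiceName"]
    # Computer accounts and the krbtgt service are normal RC4/AES noise, not roastable SPNs
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return (int(ev["TicketEncryptionType"], 16) == RC4_HMAC
            and int(ev["TicketOptions"], 16) == ROAST_OPTIONS)

def kerberoast_candidates(lines, threshold=2):
    """Return {requester: sorted distinct RC4 services} for requesters that
    pulled at least `threshold` distinct RC4 service tickets."""
    per_user = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_rc4_service_ticket(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}

if __name__ == "__main__":
    for user, services in kerberoast_candidates(SAMPLE_4769.splitlines()).items():
        print(f"ALERT possible Kerberoasting: {user} -> {services}")
```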
AS-REP Roasting: definition:
Adversaries may reveal credentials of accounts that have Kerberos pre-authentication disabled by password-cracking the Kerberos messages (the AS-REP) returned for them.
Detect:
Windows Event ID 4768: A Kerberos authentication ticket (TGT) was requested
Event ID 4771: Kerberos pre-authentication failed
Failure code: 0x19 (KDC_ERR_PREAUTH_REQUIRED)
Pass the ticket: definition:
Exploits Kerberos authentication tickets, allowing an attacker to use the identity associated with the ticket to access network resources without needing the user's password
Detect:
Event ID 4624 (An account was successfully logged on), Logon Type 3 (network logon)
Pass the hash: definition:
Use password hashes (NTLM hashes) for authentication instead of the password itself.
Detect:
Event ID 4624 (An account was successfully logged on), Logon Type 3 (network logon)
Silver Ticket: definition:
Exploits specific privileges within the Windows network. In this attack, the attacker obtains a forged service ticket (TGS) to access certain services within the Active Directory environment without having to interact with the Key Distribution Center (KDC).
Golden Ticket: definition:
A forged TGT that an attacker can create after obtaining the krbtgt account's key. It can be used to access any service within the network without having to log in legitimately.