Peter Swedin, profile picture
Uploaded byPeter Swedin
PPTX, PDF5,412 views

Golden ticket, pass the ticket mi tm kerberos attacks explained

This document discusses Kerberos attacks and defenses against them. It describes how Kerberos single sign-on authentication works and some common attacks such as man-in-the-middle attacks, downgrade attacks, pass-the-ticket attacks, and creating a "golden ticket". It recommends ways to harden Kerberos security, such as using newer domain controllers, AES encryption, strict KDC validation, separate client networks, and changing the KRBTGT password regularly. Detecting pass-the-ticket attacks is difficult but a SIEM solution may help determine if tickets are being used inappropriately.

Embed presentation

Downloaded 106 times
Kerberos attacks explained ….somewhat By Peter Swedin
Easy authentication
• The user Alice logs on to her domain joined client. • Alice then accesses the intranet. • User is greeted with ”Welcome Alice!” without authenticating to the web service. • Kerberos SSO!
The handshake
Challenges • KDC validation • Replay attacks • Downgrade attacks • Pass-the-ticket attacks
MitM • An Attacker can trick the client into believing he is the KDC during the AS negotiation • But in order to create the Service Ticket the attacker has to know the shared secret between the client and the KDC…
The problem with AS_REQ • During password authentication, AS_REQ is encrypted with a key derived from the password. • Most of AS_REQ is sent in the clear (without server validation), making it possible for man-in- the middle attacks
The problem with ERR PREAUTH REQUIRED • A phony KDC can ask the client to use a weak encryption algorithm (downgrade etype attack) • DES and Windows ”export grade” RC4 are vulnerable to brute-forcing and dictionary attacks • The MITM attacker can manipulate the seed making the key easier to crack
Platforms vulnerable to etype downgrade attacks • MIT Kerberos v1.7 and below will accept any form of DES • Windows 2008 / Vista and prior will accept any form of DES
MitM • When a client computer joins the domain, there is no need for a Service Ticket The attacker can own the client and its identity by acting as a proxy between the real KDC and the client
Smart card Kerberos auth in pre- Windows 2008R2 domains is vulnerable to MiTM attacks • Windows clients will not check the DC certificate for the EKU (Enhanced Key Usage) id-pkinit-PKPKdc, unless told to do so. • For whatever reason the Server Authentication EKU is considered enough, making every client with a computer certificate a possible MiTM platform.
Pass-the-Ticket Attack The Attack The Pass-the-Ticket attack enables an attacker to authenticate to a Windows server using the Kerberos "ticket granting ticket" of a user recently logged into the domain. After previously compromising and gaining privileged access to a computer logged into the domain, the attacker extracts the Kerberos ticket granting ticket and uses it to access all servers the victim is authorized to access.
Pass-the-Ticket Attack Tools • Tools for the attack include: • Windows Credentials Editor (WCE), • KDE Replay, • Corelab Pass-the-Hash Toolkit, SMBShell • Mimikatz
The Golden Ticket • Using pass-the-ticket or pass-the-hash, gain Domain administrator privileges • Obtain the NTLM hash from the krbtgt user from a pre-2008R2 Domain Controller • Use Mimikatz to produce fake TGT for any user (even non existing users will work) • Pwnd
Risk asessment – Kerberos attacks Popularity Low Ease of Implementation Medium/easy Impact high Remotely Exploitable Yes Risk High
Hardening Microsoft Kerberos • Use ONLY Windows 2012R2 Domain Controllers • Use AES 256 • Disallow etype downgrade • Use Kerberos KDC certificates (requires a 2008 R2 Certificate Authority or later) • Enable the GPO ”Require strict KDC validation” • Only allow clients to join the domain from a separate, secure network segment
Pass-the-Ticket Defenses Very hard to detect, since it is a valid protocol doing valid things Change KRBTGT password, TWICE Upgrade to 2012R2 on ALL DCs Or apply patch KB 2871997 (A SIEM solution may be able to determine that the ticket granting ticket is being used inappropriately).
Questions?

More Related Content

PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
PPTX
Golden Ticket Attack - AD - Domain Persistence
byMohammed Adam
 
PPTX
DEF CON 23 - Hacking Web Apps @brentwdesign
bybrentwdesign
 
PPTX
Red Team Revenge - Attacking Microsoft ATA
byNikhil Mittal
 
PPTX
Kerberos authentication
bySuraj Singh
 
PPTX
こわくない!SQL Server 2017 セキュリティ関連機能について
byMiho Yamamoto
 
PDF
Secure Your Encryption with HSM
byNarudom Roongsiriwong, CISSP
 
PDF
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
Golden Ticket Attack - AD - Domain Persistence
byMohammed Adam
 
DEF CON 23 - Hacking Web Apps @brentwdesign
bybrentwdesign
 
Red Team Revenge - Attacking Microsoft ATA
byNikhil Mittal
 
Kerberos authentication
bySuraj Singh
 
こわくない!SQL Server 2017 セキュリティ関連機能について
byMiho Yamamoto
 
Secure Your Encryption with HSM
byNarudom Roongsiriwong, CISSP
 
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 

What's hot

PDF
Explain it to Me Like I’m 5: Oauth2 and OpenID
byVMware Tanzu
 
PDF
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
byJun Kurihara
 
PPTX
Cross Site Scripting
byAli Mattash
 
PDF
Windows Service Hardening
byDigital Bond
 
PPTX
Passwords#14 - mimikatz
byBenjamin Delpy
 
PPTX
Privileged Access Management (PAM)
bydanb02
 
PDF
Level Up! - Practical Windows Privilege Escalation
byjakx_
 
PDF
Identity and Access Management 101
byJerod Brennen
 
PPTX
SSL TLS Protocol
byDevang Badrakiya
 
PDF
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PPTX
kerberos
bysameer farooq
 
PDF
Active Directory 侵害と推奨対策
byYurika Kakiuchi
 
PPTX
Vault - Secret and Key Management
byAnthony Ikeda
 
PPTX
TLS v1.3
bySiddhartha Rao
 
PDF
Elastic Stack 을 이용한 게임 서비스 통합 로깅 플랫폼 - elastic{on} 2019 Seoul
bySeungYong Oh
 
PPTX
Radius server,PAP and CHAP Protocols
byDhananjay Aloorkar
 
PDF
Sec013 その資格情報、簡
byTech Summit 2016
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PPTX
Kerberos Authentication Protocol
byBibek Subedi
 
PPTX
Kerberos
byRafatSamreen
 
Explain it to Me Like I’m 5: Oauth2 and OpenID
byVMware Tanzu
 
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
byJun Kurihara
 
Cross Site Scripting
byAli Mattash
 
Windows Service Hardening
byDigital Bond
 
Passwords#14 - mimikatz
byBenjamin Delpy
 
Privileged Access Management (PAM)
bydanb02
 
Level Up! - Practical Windows Privilege Escalation
byjakx_
 
Identity and Access Management 101
byJerod Brennen
 
SSL TLS Protocol
byDevang Badrakiya
 
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
kerberos
bysameer farooq
 
Active Directory 侵害と推奨対策
byYurika Kakiuchi
 
Vault - Secret and Key Management
byAnthony Ikeda
 
TLS v1.3
bySiddhartha Rao
 
Elastic Stack 을 이용한 게임 서비스 통합 로깅 플랫폼 - elastic{on} 2019 Seoul
bySeungYong Oh
 
Radius server,PAP and CHAP Protocols
byDhananjay Aloorkar
 
Sec013 その資格情報、簡
byTech Summit 2016
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
Kerberos Authentication Protocol
byBibek Subedi
 
Kerberos
byRafatSamreen
 

Viewers also liked

PPTX
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
byBenjamin Delpy
 
PPTX
mimikatz @ phdays
byBenjamin Delpy
 
PDF
Hernan Ochoa - WCE Internals [RootedCON 2011]
byRootedCON
 
PPTX
mimikatz @ asfws
byBenjamin Delpy
 
PDF
Byod in corporate networks - www.omegapoint.us
byPeter Swedin
 
PPT
MAITAINING ACCESS
byTensor
 
PDF
Backtrak guide
byChildren International
 
PPTX
NFC attacks
byPeter Swedin
 
PPTX
Lateral Movement by Default
byInnoTech
 
PPTX
Kerberos, NTLM and LM-Hash
byAnkit Mehta
 
PDF
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
byAndrea Draghetti
 
PPTX
Kerberos explained
byDotan Patrich
 
PPT
Understanding OpenID
byPrabath Siriwardena
 
PPTX
mimikatz @ rmll
byBenjamin Delpy
 
PDF
CrowdCasts Monthly: Mitigating Pass the Hash
byCrowdStrike
 
PPTX
Lateral Movement - Phreaknik 2016
byXavier Ashe
 
PPT
Access control3
byAwhydot
 
PDF
Offensive Security with Metasploit
byegypt
 
PDF
とりあえずTwitterで日本語を集めてみよう
bys_wool
 
PPTX
Black hat and defcon 2014
byPeter Swedin
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
byBenjamin Delpy
 
mimikatz @ phdays
byBenjamin Delpy
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
byRootedCON
 
mimikatz @ asfws
byBenjamin Delpy
 
Byod in corporate networks - www.omegapoint.us
byPeter Swedin
 
MAITAINING ACCESS
byTensor
 
Backtrak guide
byChildren International
 
NFC attacks
byPeter Swedin
 
Lateral Movement by Default
byInnoTech
 
Kerberos, NTLM and LM-Hash
byAnkit Mehta
 
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
byAndrea Draghetti
 
Kerberos explained
byDotan Patrich
 
Understanding OpenID
byPrabath Siriwardena
 
mimikatz @ rmll
byBenjamin Delpy
 
CrowdCasts Monthly: Mitigating Pass the Hash
byCrowdStrike
 
Lateral Movement - Phreaknik 2016
byXavier Ashe
 
Access control3
byAwhydot
 
Offensive Security with Metasploit
byegypt
 
とりあえずTwitterで日本語を集めてみよう
bys_wool
 
Black hat and defcon 2014
byPeter Swedin
 

Similar to Golden ticket, pass the ticket mi tm kerberos attacks explained

PPTX
[HUN][Hackersuli] Tickets Please - Kerberos
byhackersuli
 
PDF
Active Directory Golden Ticket Attack Detection
byIRJET Journal
 
PDF
In the Wake of Kerberoast
byken_kitahara
 
PDF
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
byShakacon
 
PDF
Kerberos presentation
byChris Geier
 
PDF
Abusing Microsoft Kerberos - Sorry you guys don’t get it
byE Hacking
 
PDF
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
byFelipe Prado
 
PDF
Technet.microsoft.com
byKurt Kort
 
RTF
Kerberos case study
byMayuri Patil
 
PPTX
SPS Ozarks 2012: Kerberos Survival Guide
byJ.D. Wade
 
PDF
0wn-premises: Bypassing Microsoft Defender for Identity
byNikhil Mittal
 
PDF
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
byNoSuchCon
 
PDF
Kerberos Security in Distributed Systems
byIRJET Journal
 
PDF
Kerberos survival guide
byJ.D. Wade
 
PPTX
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
byJ.D. Wade
 
PPTX
Kerberos Survival Guide: SharePointalooza
byJ.D. Wade
 
PPTX
Kerberos Survival Guide: Columbus 2015
byJ.D. Wade
 
PPTX
Kerberos Authentication Process In Windows
byniteshitimpulse
 
PPTX
Rakesh raj
byDBNCOET
 
PDF
Mimikatz
byprashant3535
 
[HUN][Hackersuli] Tickets Please - Kerberos
byhackersuli
 
Active Directory Golden Ticket Attack Detection
byIRJET Journal
 
In the Wake of Kerberoast
byken_kitahara
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
byShakacon
 
Kerberos presentation
byChris Geier
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
byE Hacking
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
byFelipe Prado
 
Technet.microsoft.com
byKurt Kort
 
Kerberos case study
byMayuri Patil
 
SPS Ozarks 2012: Kerberos Survival Guide
byJ.D. Wade
 
0wn-premises: Bypassing Microsoft Defender for Identity
byNikhil Mittal
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
byNoSuchCon
 
Kerberos Security in Distributed Systems
byIRJET Journal
 
Kerberos survival guide
byJ.D. Wade
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
byJ.D. Wade
 
Kerberos Survival Guide: SharePointalooza
byJ.D. Wade
 
Kerberos Survival Guide: Columbus 2015
byJ.D. Wade
 
Kerberos Authentication Process In Windows
byniteshitimpulse
 
Rakesh raj
byDBNCOET
 
Mimikatz
byprashant3535
 

Recently uploaded

PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
final.pdf
byomarbishtawi04
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
final.pdf
byomarbishtawi04
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 

Golden ticket, pass the ticket mi tm kerberos attacks explained

  • 1.
    Kerberos attacks explained ….somewhat By Peter Swedin
  • 2.
  • 3.
    • The userAlice logs on to her domain joined client. • Alice then accesses the intranet. • User is greeted with ”Welcome Alice!” without authenticating to the web service. • Kerberos SSO!
  • 4.
  • 5.
    Challenges • KDCvalidation • Replay attacks • Downgrade attacks • Pass-the-ticket attacks
  • 6.
    MitM • AnAttacker can trick the client into believing he is the KDC during the AS negotiation • But in order to create the Service Ticket the attacker has to know the shared secret between the client and the KDC…
  • 7.
    The problem withAS_REQ • During password authentication, AS_REQ is encrypted with a key derived from the password. • Most of AS_REQ is sent in the clear (without server validation), making it possible for man-in- the middle attacks
  • 8.
    The problem withERR PREAUTH REQUIRED • A phony KDC can ask the client to use a weak encryption algorithm (downgrade etype attack) • DES and Windows ”export grade” RC4 are vulnerable to brute-forcing and dictionary attacks • The MITM attacker can manipulate the seed making the key easier to crack
  • 9.
    Platforms vulnerable toetype downgrade attacks • MIT Kerberos v1.7 and below will accept any form of DES • Windows 2008 / Vista and prior will accept any form of DES
  • 10.
    MitM • Whena client computer joins the domain, there is no need for a Service Ticket The attacker can own the client and its identity by acting as a proxy between the real KDC and the client
  • 11.
    Smart card Kerberosauth in pre- Windows 2008R2 domains is vulnerable to MiTM attacks • Windows clients will not check the DC certificate for the EKU (Enhanced Key Usage) id-pkinit-PKPKdc, unless told to do so. • For whatever reason the Server Authentication EKU is considered enough, making every client with a computer certificate a possible MiTM platform.
  • 12.
    Pass-the-Ticket Attack TheAttack The Pass-the-Ticket attack enables an attacker to authenticate to a Windows server using the Kerberos "ticket granting ticket" of a user recently logged into the domain. After previously compromising and gaining privileged access to a computer logged into the domain, the attacker extracts the Kerberos ticket granting ticket and uses it to access all servers the victim is authorized to access.
  • 13.
    Pass-the-Ticket Attack Tools • Tools for the attack include: • Windows Credentials Editor (WCE), • KDE Replay, • Corelab Pass-the-Hash Toolkit, SMBShell • Mimikatz
  • 14.
    The Golden Ticket • Using pass-the-ticket or pass-the-hash, gain Domain administrator privileges • Obtain the NTLM hash from the krbtgt user from a pre-2008R2 Domain Controller • Use Mimikatz to produce fake TGT for any user (even non existing users will work) • Pwnd
  • 16.
    Risk asessment –Kerberos attacks Popularity Low Ease of Implementation Medium/easy Impact high Remotely Exploitable Yes Risk High
  • 17.
    Hardening Microsoft Kerberos • Use ONLY Windows 2012R2 Domain Controllers • Use AES 256 • Disallow etype downgrade • Use Kerberos KDC certificates (requires a 2008 R2 Certificate Authority or later) • Enable the GPO ”Require strict KDC validation” • Only allow clients to join the domain from a separate, secure network segment
  • 18.
    Pass-the-Ticket Defenses Veryhard to detect, since it is a valid protocol doing valid things Change KRBTGT password, TWICE Upgrade to 2012R2 on ALL DCs Or apply patch KB 2871997 (A SIEM solution may be able to determine that the ticket granting ticket is being used inappropriately).
  • 19.

Editor's Notes

  • #22 1. Alice’s attempt to logon with a smart card (PKINIT AS-REQ) is intercepted by Ivan. 2. Ivan sends an AS-REP, with a TGT key, back to Alice, encrypted with her public key. The client principal of the AS- REP and TGT is not set to Alice’s identity, but to Connie’s. (the encryption notation of the AS-REP in the diagram has been simplified for clarity) 3. Alice accepts Ivan’s AS-REP, and makes a TGS-REQ for Wally, to complete her logon. 4. Ivan asks Connie for credentials to Wally. 5. Connie makes an AS-REQ to Bob. 6. Bob gives Connie a TGT. 7. Connie makes a TGS-REQ for Wally. 8. Bob gives Connie his TGS-REP for Wally. 9. Connie decrypts the TGS-REP and sends its contents (Connie’s copy of the session key, and Connie’s ticket to Wally) to Ivan. 10. Ivan forms a TGS-REP for Alice containing the session key received from Connie, and Connie’s ticket to Wally (as originally issued by Bob). 11. Alice receives the TGS-REP. She can decode and extract the session key and ticket. She forms an authenticator and makes an AP-REQ to Wally. 12. Wally decrypts the ticket, validates the authenticator (formed with the same session key in the ticket) and PAC checksum (created by Bob), and creates a logon session for Connie.