Kerberos Trust Pipeline and Abuse

security Sep 26, 2019

Visuals for Kerberos authentication in Active Directory. These are excerpts taken from my Derbycon presentation.

Will add more later :)


Kerberos Trust Pipeline
  1. AS-REQ: authentication service request from the client to a domain controller (DC), carrying pre-authentication data encrypted with the user's key
  2. AS-REP: authentication service reply from the DC containing the TGT (if authentication succeeds), encrypted with the krbtgt account's key (hash)
  3. TGS-REQ: ticket-granting service request for a service ticket, presenting the user's TGT
  4. TGS-REP: ticket-granting service reply containing a service ticket encrypted with the target service account's key (hash)
Detailed Trust Pipeline
  1. The user proves knowledge of their password hash to a domain controller (DC): a timestamp encrypted with the user's key is sent as pre-authentication (the hash itself never goes over the wire)
  2. The DC returns a Ticket Granting Ticket (aka auth token) encrypted with the krbtgt (Kerberos ticket-granting service account) hash, so the client can neither read nor alter it
  3. The validated user presents the TGT and requests access to a computer or resource (a service principal)
  4. If the TGT decrypts and validates under the krbtgt key, the DC sends back a service ticket encrypted with the target service account's hash
  5. The client presents the service ticket to the service, which decrypts it with its own service account hash; the DC is not involved in this step

Abuse :)

Overpass-the-Hash

Pipe 1: Use the user's NT hash (or AES key) in place of the password to request a TGT.

Golden Tickets

Pipe 2: Use the krbtgt hash to forge TGTs.

Silver Tickets

Pipe 5: Use the service account hash to forge a service ticket that the service accepts directly.
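The five-step pipeline and the two forgeries above, as an added worked model that is not code from the original post or the Derbycon deck. It is a constructed toy, not real Kerberos: the long-term keys are random bytes standing in for account password hashes, seal()/unseal() is an HMAC-SHA256 based authenticated cipher standing in for the Kerberos encryption types, and the principal names (alice, cifs/fs01) are made up. What it shows is where the trust actually sits: the KDC copies whatever unseals under the krbtgt key into service tickets (golden ticket), and a service accepts whatever unseals under its own key without asking the DC (silver ticket).

```python
"""Toy model of the Kerberos trust pipeline (AS, TGS, AP exchanges) and of
golden/silver ticket forgery. Constructed example, not real Kerberos."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key, nonce, n):
    """Derive n bytes of keystream from key and nonce (HMAC in counter mode)."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key, payload):
    """Encrypt-then-MAC a JSON payload under key: nonce || ciphertext || tag."""
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag and decrypt; raise ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ticket")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Domain controller: holds every account's long-term key, including krbtgt's."""

    def __init__(self, keys):
        self.keys = keys          # account name -> long-term key (stands in for the NT hash)
        self.tgs_requests = 0     # how many times step 3 reached the DC

    def as_exchange(self, user, preauth):
        """Steps 1-2. Pre-auth is a timestamp sealed with the user's key; the key itself never travels."""
        ts = unseal(self.keys[user], preauth)["timestamp"]   # fails if the client lacks the user's key
        if abs(time.time() - ts) > 300:
            raise ValueError("pre-auth timestamp outside the allowed skew")
        session = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "groups": ["Domain Users"], "session": session})
        return tgt, seal(self.keys[user], {"session": session})   # TGT is opaque to the client

    def tgs_exchange(self, tgt, service):
        """Steps 3-4. Whatever unseals under the krbtgt key is trusted as-is and copied into the service ticket."""
        self.tgs_requests += 1
        pac = unseal(self.keys["krbtgt"], tgt)
        return seal(self.keys[service], {"user": pac["user"], "groups": pac["groups"], "service": service})


class Service:
    """A service (e.g. the CIFS server) that knows only its own key and never talks to the DC in step 5."""

    def __init__(self, spn, key):
        self.spn, self.key = spn, key

    def ap_request(self, service_ticket):
        pac = unseal(self.key, service_ticket)
        if pac["service"] != self.spn:
            raise ValueError("ticket is for another service")
        return pac   # identity and group data the service will act on


def forge_tgt(krbtgt_key, user, groups):
    """Golden ticket (pipe 2): with the krbtgt key we can mint a TGT carrying any identity/groups."""
    return seal(krbtgt_key, {"user": user, "groups": groups, "session": os.urandom(16).hex()})


def forge_service_ticket(service_key, user, groups, spn):
    """Silver ticket (pipe 5): with the service's key we can mint a ticket the service accepts directly."""
    return seal(service_key, {"user": user, "groups": groups, "service": spn})


def run_scenario():
    keys = {"alice": os.urandom(16), "krbtgt": os.urandom(16), "cifs/fs01": os.urandom(16)}
    kdc, fs01 = KDC(keys), Service("cifs/fs01", keys["cifs/fs01"])

    # Legitimate pipeline, steps 1-5: alice ends up at the file server as a plain Domain User.
    preauth = seal(keys["alice"], {"timestamp": time.time()})
    tgt, _enc_part = kdc.as_exchange("alice", preauth)
    legit = fs01.ap_request(kdc.tgs_exchange(tgt, "cifs/fs01"))

    # Golden ticket: krbtgt key only; the DC issues a service ticket for the forged PAC without complaint.
    golden = fs01.ap_request(kdc.tgs_exchange(forge_tgt(keys["krbtgt"], "alice", ["Domain Admins"]), "cifs/fs01"))
    dc_calls_before_silver = kdc.tgs_requests

    # Silver ticket: service key only; the DC is never contacted, so it has nothing to log.
    silver = fs01.ap_request(forge_service_ticket(keys["cifs/fs01"], "alice", ["Domain Admins"], "cifs/fs01"))

    # Without the right key a forged ticket is rejected: the keys are the whole trust boundary.
    try:
        fs01.ap_request(forge_service_ticket(os.urandom(16), "alice", ["Domain Admins"], "cifs/fs01"))
        bogus_accepted = True
    except ValueError:
        bogus_accepted = False

    return {"legit_groups": legit["groups"], "golden_groups": golden["groups"],
            "silver_groups": silver["groups"], "dc_tgs_requests": kdc.tgs_requests,
            "dc_tgs_requests_before_silver": dc_calls_before_silver, "bogus_accepted": bogus_accepted}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Running it shows the legitimate path arriving with Domain Users, both forgeries arriving with Domain Admins, the DC's TGS counter unchanged by the silver ticket, and a ticket under an unknown key rejected. That last point is why rotating the krbtgt password (twice) invalidates golden tickets and why a service account's hash is a credential worth protecting like a password.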

Full deck: https://drive.google.com/file/d/1Q7SPz7cMa1YqMtJT4JoIfoJXECoobcA1/view
