Visuals for Kerberos authentication in Active Directory. These are excerpts taken from my Derbycon presentation.

Will add more later :)

Kerberos Trust Pipeline

  1. AS-REQ: authentication service request to a domain controller
  2. AS-REP: authentication service reply from a DC containing the TGT (if auth successful) encoded/signed by the krbtgt hash
  3. TGS-REQ: a ticket-granting service ticket request with the user’s TGT
  4. TGS-REP: a ticket-granting service ticket is sent containing a service ticket
Detailed Trust Pipeline
  1. A user hash is sent to a domain controller (DC)
  2. Ticket Granting Ticket (aka auth token) is encoded with krbtgt (Kerberos ticket-granting service) hash
  3. Validated user requests access to computer or resource
  4. If valid, the DC sends back a service ticket that is encoded with a server hash
  5. A service ticket for a service or resource is sent with the encoded service account hash

Abuse :)


Pipe 1: Compromise the user hash ‌‌and receive a Ticket Granting Ticket (TGT). 

Golden Tickets

Pipe 2: Use krbtgt hash to forge TGTs.

Silver Tickets

Pipe 5: Use service account hash to forge a service ticket.

Full deck: