Kerberos Trust Pipeline and Abuse

security Sep 26, 2019

Visuals for Kerberos authentication in Active Directory. These are excerpts taken from my Derbycon presentation.

Will add more later :)

Kerberos Trust Pipeline
  1. AS-REQ: authentication service request to a domain controller
  2. AS-REP: authentication service reply from a DC containing the TGT (if auth successful) encoded/signed by the krbtgt hash
  3. TGS-REQ: a ticket-granting service ticket request with the user’s TGT
  4. TGS-REP: a ticket-granting service ticket is sent containing a service ticket
Detailed Trust Pipeline
  1. A user hash is sent to a domain controller (DC)
  2. Ticket Granting Ticket (aka auth token) is encoded with krbtgt (Kerberos ticket-granting service) hash
  3. Validated user requests access to computer or resource
  4. If valid, the DC sends back a service ticket that is encoded with a server hash
  5. A service ticket for a service or resource is sent with the encoded service account hash

Abuse :)


Golden Tickets

Pipe 2: Use krbtgt hashto forge TGTs.

Silver Tickets

Pipe 5: Use service account hash to forge a service ticket.

Full deck:

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.