Inspecting Kerberos Ticket Requests

Version: 1.0
Date: 2020
Confidentiality class: Public

1
whoami?
cname: Charlie Clark

realm: Security Consultant @ ZeroDayLab

rtime: IT ~15 years, InfoSec ~5 years

authenticator: OSCP, CRTE, CRT, …

AuthorizationData: Rubeus, PowerUpSQL, impacket, …

Twitter: @exploitph GitHub: @0xe7 Blog: https://exploit.ph

2
Agenda

1. Kerberos 101
2. Common abuses / tools
3. A look at genuine traffic
4. Comparison with Rubeus
5. Fingerprinting abuse tools
6. Making Kerberos tickets great again
7. Looking forward

3
What is Kerberos?

The primary method of authentication between Windows computers on an Active Directory domain.

Used to share a session key for further communication.

4
Kerberos Most Basic Usage

• Requesting a Ticket Granting Ticket (TGT)
• Using the TGT to request service tickets
• We only care about steps 1 and 3 for this talk

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/b4af186e-b2ff-43f9-b18e-eedb366abf13

5
AS-REQ message type (10)

PA Data section, for pre-authentication and extensions:
• Kerberos pre-authentication
• Include PAC in AS-REP (TGT)

Request body:
• Various options for the different message types
• Client name (requesting user)
• Domain name
• Server name (with AS-REQs always krbtgt/domain.com)
• Valid until and renew times for the resulting TGT
• Nonce – random number
• Supported encryption types
• Addresses, a list, normally just the NetBIOS name of the requesting machine

6
TGS-REQ message type (12)

PA Data section:
• AP-REQ message type (14)
  • Requesting user's TGT
  • Authenticator (encrypted using the TGT session key)
• PA PAC Options (always the same)

Request body:
• Various options for the different message types
• Server name (contains the service and host the ticket is for)
• Encrypted authorization data – used when requesting service tickets for services on remote hosts

7
Pre-Authentication

• Genuine clients always first send an AS-REQ without pre-authentication
• If the account requires pre-authentication, a second AS-REQ is sent with the PA-ENC-TIMESTAMP PA-DATA section, which is encrypted with the account's password hash

8
Pre-Authentication – Abuse Tools
• While impacket's getTGT.py automatically sends the first AS-REQ without pre-authentication, neither Rubeus nor kekeo does
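The sequence above (no-pre-auth AS-REQ, then PA-ENC-TIMESTAMP) can be checked per client and user. This is an added detection example, not code from the slides or from any of the tools named; the event dict layout, the field names and the 5-second window are assumptions, and the events are constructed:

```python
# Added example (not from the slides): flag AS-REQs that carry pre-authentication
# without the pre-auth-less AS-REQ that a genuine Windows client sends first.
# Events are assumed to be pre-parsed dicts (e.g. from a Zeek kerberos.log).

# Assumption: a genuine logon's KRB-ERROR round trip completes well within this.
WINDOW_SECONDS = 5


def find_suspicious_preauth(events):
    """Return (client, cname, ts) for each pre-auth AS-REQ lacking the genuine preamble."""
    last_no_preauth = {}  # (client, cname) -> ts of latest AS-REQ without pre-auth
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["msg_type"] != "AS-REQ":
            continue
        key = (ev["client"], ev["cname"].lower())
        if not ev["preauth"]:
            last_no_preauth[key] = ev["ts"]
            continue
        first = last_no_preauth.get(key)
        # Accounts with pre-auth disabled never reach this branch, so they are not flagged.
        if first is None or ev["ts"] - first > WINDOW_SECONDS:
            findings.append((ev["client"], ev["cname"], ev["ts"]))
    return findings


# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    # genuine Windows logon: first attempt without pre-auth, then PA-ENC-TIMESTAMP
    {"ts": 100.0, "client": "10.0.0.5", "cname": "alice", "msg_type": "AS-REQ", "preauth": False},
    {"ts": 100.2, "client": "10.0.0.5", "cname": "alice", "msg_type": "AS-REQ", "preauth": True},
    # Rubeus/kekeo-style request: pre-auth straight away, no preamble
    {"ts": 200.0, "client": "10.0.0.9", "cname": "bob", "msg_type": "AS-REQ", "preauth": True},
    # a stale no-pre-auth request far outside the window does not count as the preamble
    {"ts": 300.0, "client": "10.0.0.7", "cname": "carol", "msg_type": "AS-REQ", "preauth": False},
    {"ts": 400.0, "client": "10.0.0.7", "cname": "carol", "msg_type": "AS-REQ", "preauth": True},
]

if __name__ == "__main__":
    for client, cname, ts in find_suspicious_preauth(SAMPLE_EVENTS):
        print("pre-auth AS-REQ without preamble: %s %s at %.1f" % (client, cname, ts))
```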

9
Encryption Type
• The encryption type used to encrypt most encrypted sections of genuine Kerberos messages is AES256 (18)
• Rubeus, kekeo and impacket all support multiple encryption types but are often used with RC4 (23)
• This is the easiest indicator that one of these tools is likely in use

10
Rubeus AS-REQ Indicators
• KDC options differ from real traffic, with canonicalize disabled
• Incorrect supported etypes specified; genuine AS-REQs include 6 supported etypes

Missing:
• rtime (renew time) field
• addresses field

11
Rubeus AS-REQ Indicators – Continued
[Figure: side-by-side captures of a genuine AS-REQ and a Rubeus AS-REQ]

12
Rubeus TGS-REQ Indicators
• PA DATA does not include the PA-PAC-OPTIONS field
• KDC options differ from real traffic, with canonicalize disabled
• Incorrect supported etypes specified; genuine TGS-REQs include 5 supported etypes
• cname field included when it is not present in genuine traffic

Missing:
• enc-authorization-data field

13
Rubeus TGS-REQ Indicators - Continued
[Figure: side-by-side captures of a genuine TGS-REQ and a Rubeus TGS-REQ]

14
Rubeus TGS-REQ Indicators - Authenticator
[Figure: side-by-side of a genuine Authenticator and a Rubeus Authenticator]

Unlikely to be monitored for, as decrypting all authenticators on the fly would be a massive overhead

15
Rubeus TGS-REQ Indicators – Unconstrained Delegation
TGS-REPs (replies to TGS-REQs) will set the ok-as-delegate bit within the flags field of the enc-part section if the account with the SPN is configured for unconstrained delegation.

This results in a second TGS-REQ for krbtgt/domain.com (a forwardable TGT) being requested (to include in the connection to the service).

16
AS-REQ Comparison Table

| Indicator        | Genuine                   | Rubeus (asktgt)           | Kekeo (tgt::ask)          | Impacket |
|------------------|---------------------------|---------------------------|---------------------------|----------|
| without pre-auth | ✓                         | ✗                         | ✗                         | ✓        |
| kdc-options      | 40810010                  | 40800010                  | 40800010                  | 50800000 |
| etypes           | -135, 3, 17, 18, 23, 24   | 18                        | 17, 18, 23                | 18       |
| rtime            | ✓                         | ✗                         | ✗                         | ✓        |
| addresses        | ✓                         | ✗                         | ✗                         | ✗        |
| till             | 2037-09-13 02:48:05 (UTC) | 2037-09-13 02:48:05 (UTC) | 2037-09-13 02:48:05 (UTC) | + 1 day  |

17
TGS-REQ Comparison Table

| Indicator                | Genuine                   | Rubeus (asktgs)           | Kekeo (tgs::ask)          | Impacket      |
|--------------------------|---------------------------|---------------------------|---------------------------|---------------|
| PA-PAC-OPTIONS           | ✓                         | ✗                         | ✗                         | ✗             |
| kdc-options              | 40810000                  | 40800010                  | 40800010                  | 40810010      |
| etypes                   | -135, 17, 18, 23, 24      | 17, 18, 23, 24            | 17, 18, 23                | 3, 16, 18, 23 |
| cname                    | ✗                         | ✓                         | ✓                         | ✗             |
| enc-authorization-data   | ✓                         | ✗                         | ✗                         | ✗             |
| unconstrained TGS-REQ    | ✓                         | ✗                         | ✗                         | ✗             |
| till                     | 2037-09-13 02:48:05 (UTC) | 2037-09-13 02:48:05 (UTC) | 2037-09-13 02:48:05 (UTC) | + 1 day       |
| authenticator cksum      | ✓                         | ✗                         | ✗                         | ✗             |
| authenticator cusec      | ✓                         | Always 0                  | Always 0                  | ✓             |
| authenticator seq-number | ✓                         | ✗                         | ✗                         | ✗             |

18
S4U2Self TGS-REQ Comparison Table

| Indicator                | Genuine                  | Rubeus                    | Kekeo                     | Impacket    |
|--------------------------|--------------------------|---------------------------|---------------------------|-------------|
| PA-S4U-X509-USER         | ✓                        | ✗                         | ✗                         | ✗           |
| kdc-options              | 40810000                 | 40800018                  | 40800018                  | 40810000    |
| etypes                   | -135, 17, 18, 23, 24     | 17, 18, 23, 24            | 17, 18, 23                | 18, 23      |
| cname                    | ✗                        | ✓                         | ✓                         | ✗           |
| till                     | + 15 minutes             | 2037-09-13 02:48:05 (UTC) | 2037-09-13 02:48:05 (UTC) | + 1 day     |
| PA USER name-type        | Enterprise Principal (10) | Enterprise Principal (10) | NT Principal (1)          | NT Principal (1) |
| sname name-type          | NT Principal (1)         | NT Principal (1)          | NT Principal (1)          | Unknown (0) |
| authenticator cksum      | ✓                        | ✗                         | ✗                         | ✗           |
| authenticator cusec      | ✓                        | Always 0                  | Always 0                  | ✓           |
| authenticator seq-number | ✓                        | ✗                         | ✗                         | ✗           |

19
S4U2Proxy TGS-REQ Comparison Table

| Indicator                | Genuine              | Rubeus                    | Kekeo                     | Impacket      |
|--------------------------|----------------------|---------------------------|---------------------------|---------------|
| PA-PAC-OPTIONS           | ✓                    | ✓                         | ✗                         | ✓             |
| kdc-options              | 40830000             | 40820010                  | 40820010                  | 40830000      |
| etypes                   | -135, 17, 18, 23, 24 | 17, 18, 23                | 17, 18, 23                | 3, 16, 18, 23 |
| cname                    | ✗                    | ✓                         | ✗                         | ✗             |
| till                     | + 15 minutes         | 2037-09-13 02:48:05 (UTC) | 2037-09-13 02:48:05 (UTC) | + 1 day       |
| enc-authorization-data   | ✓                    | ✗                         | ✗                         | ✗             |
| authenticator cksum      | ✓                    | ✗                         | ✗                         | ✗             |
| authenticator cusec      | ✓                    | Always 0                  | Always 0                  | ✓             |
| authenticator seq-number | ✓                    | ✗                         | ✗                         | ✗             |

20
Resolving Differences
[Figure: capture of asktgt followed by asktgs, both using the new /opsec flag]

21
Resolving Differences – S4U
[Figure: capture of S4U using the new /opsec flag]

PA-S4U-X509-USER for the S4U2Self is still a work in progress

22
Resolving Differences – Github PR
The PR has been made:

https://github.com/GhostPack/Rubeus/pull/69

The modified version can be pulled from the "opsec" branch of my forked Rubeus:

https://github.com/0xe7/Rubeus/tree/opsec

23
Further Considerations

Several service tickets are requested following a genuine login

Perhaps a login command for Rubeus to implement this instead of asktgt for extra stealth

24
Further Considerations - Continued

[Figure: side-by-side of a genuine PAC and a PAC forged with mimikatz' kerberos::golden]

25
Questions?

26