What is Kerberos?

Kerberos is the default authentication service for Windows domains. It is intended to be more secure than NTLM, using third-party ticket authorization and stronger encryption. Even though NTLM offers a lot more attack vectors to choose from, Kerberos still has a handful of problems, just like NTLM, that we can exploit.

Common Terms →

Ticket Granting Ticket (TGT) → An authentication ticket used to request service tickets from the TGS for specific resources in the domain.

Key Distribution Center (KDC) → The service that issues TGTs and service tickets; it consists of the Authentication Service and the Ticket Granting Service.

Authentication Service → Issues the TGTs, which the client then presents to the TGS to request service tickets for other machines in the domain.

Ticket Granting Service → Takes the TGT and returns a service ticket for the requested machine on the domain.

Service Principal Name (SPN) → An identifier given to a service instance to associate that service instance with a domain service account. Windows requires that services have a domain service account, which is why a service needs an SPN set.

KDC Long Term Secret Key (KDC LT Key) → Based on the KRBTGT service account. It is used to encrypt the TGT and sign the PAC.

Client Long Term Secret Key (Client LT Key) → Based on the computer or service account. It is used to check the encrypted timestamp and encrypt the session key.

Service Long Term Secret Key (Service LT Key) → Based on the service account. It is used to encrypt the service portion of the service ticket and sign the PAC.

Session Key → Issued by the KDC when a TGT is issued. The user provides the session key to the KDC along with the TGT when requesting a service ticket.

Privilege Attribute Certificate (PAC) → The PAC holds all of the user's relevant information. It is sent along with the TGT to the KDC to be signed by the Target LT Key and the KDC LT Key in order to validate the user.

AS-REQ w/ Pre-Authentication In Detail

The AS-REQ step in Kerberos authentication starts when a user requests a TGT from the KDC. In order to validate the user and create a TGT for them, the KDC must follow these exact steps. First, the user encrypts a timestamp with their NT hash and sends it to the AS. The KDC then attempts to decrypt the timestamp using the NT hash it holds for that user; if this succeeds, the KDC issues a TGT as well as a session key for the user.
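To make the pre-authentication check concrete, here is a small model of both sides of the AS-REQ / AS-REP exchange. This is an added example written for these notes, not a real Kerberos implementation and not code from any project: the key derivation keeps only the PBKDF2 step that the Kerberos AES etypes start from, the "encrypted timestamp" uses a labelled toy encrypt-then-MAC construction instead of rc4-hmac or aes-cts, and the realm, account names, passwords and the five-minute skew window are constructed values. The error names (KDC_ERR_PREAUTH_FAILED, KRB_AP_ERR_SKEW, KDC_ERR_C_PRINCIPAL_UNKNOWN) are the real RFC 4120 codes a KDC returns for a wrong key, a stale timestamp and an unknown principal.

```python
"""Toy model of the Kerberos AS-REQ / AS-REP exchange with PA-ENC-TIMESTAMP.

Added example, not a real Kerberos implementation. Simplifications are marked.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

CLOCK_SKEW_SECONDS = 300  # constructed: the usual 5-minute KDC clock-skew window


# --- long-term keys ----------------------------------------------------------
def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Derive a long-term key from a password.

    Simplification: only the PBKDF2-HMAC-SHA1 step that the Kerberos AES
    enctypes begin with (salt = REALM + principal, 4096 rounds). The DK/n-fold
    step and the RC4 etype's NT hash (MD4 of the UTF-16LE password) are omitted.
    """
    salt = (realm.upper() + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)


# --- toy authenticated encryption (stand-in for rc4-hmac / aes-cts) ----------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(length)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: random nonce, SHAKE256 keystream, HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag fails (wrong key or tampering)."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- client side: AS-REQ carrying an encrypted timestamp ----------------------
def build_as_req(user: str, password: str, realm: str, now: Optional[float] = None) -> dict:
    client_key = string_to_key(password, realm, user)
    ts = int(now if now is not None else time.time())
    # The padata is the timestamp sealed under the client's long-term key.
    return {"cname": user, "realm": realm, "padata": seal(client_key, struct.pack(">Q", ts))}


# --- KDC side: the Authentication Service -------------------------------------
class AuthenticationService:
    def __init__(self, realm: str, accounts: dict, krbtgt_password: str):
        self.realm = realm
        # The KDC stores each principal's long-term key, never the password.
        self.keys = {u: string_to_key(p, realm, u) for u, p in accounts.items()}
        self.krbtgt_key = string_to_key(krbtgt_password, realm, "krbtgt")

    def handle_as_req(self, req: dict, now: Optional[float] = None) -> dict:
        now = now if now is not None else time.time()
        client_key = self.keys.get(req["cname"])
        if client_key is None:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        plain = unseal(client_key, req["padata"])
        if plain is None or len(plain) != 8:
            # Decryption failed: the requester does not hold the account's key.
            return {"error": "KDC_ERR_PREAUTH_FAILED"}
        (ts,) = struct.unpack(">Q", plain)
        if abs(now - ts) > CLOCK_SKEW_SECONDS:
            # Valid key but stale timestamp: rejected to limit replay.
            return {"error": "KRB_AP_ERR_SKEW"}
        session_key = os.urandom(32)
        # TGT: sealed under the KDC LT key; the client cannot read it.
        tgt = seal(self.krbtgt_key, req["cname"].encode() + b"|" + session_key)
        # enc-part: the session key sealed under the client LT key.
        return {"tgt": tgt, "enc_part": seal(client_key, session_key)}


if __name__ == "__main__":
    kdc = AuthenticationService("EXAMPLE.LOCAL", {"alice": "Winter2024!"}, "krbtgt-secret")
    print(kdc.handle_as_req(build_as_req("alice", "Winter2024!", "EXAMPLE.LOCAL")).keys())
    print(kdc.handle_as_req(build_as_req("alice", "wrong-password", "EXAMPLE.LOCAL")))
```

The point the model makes visible: the AS never sees the password or the timestamp in clear, it only checks whether the requester could seal a fresh timestamp under the key it already holds for that principal, and a wrong key and a stale timestamp are distinguishable failures. That distinction matters on the defending side, since a burst of pre-authentication failures for one account is what the domain controller reports as failed Kerberos pre-authentication.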

Ticket Granting