Kerberos attacks explained ….somewhat By Peter Swedin

Golden ticket, pass the ticket, MitM: Kerberos attacks explained


DESCRIPTION

Presenting the Kerberos protocol, flaws and mitigation


Page 1: Golden ticket, pass the ticket, MitM: Kerberos attacks explained

Kerberos attacks explained

….somewhat

By Peter Swedin

Page 2

Easy authentication

Page 3

• The user Alice logs on to her domain joined client.

• Alice then accesses the intranet.

• Alice is greeted with "Welcome Alice!" without authenticating to the web service.

• Kerberos SSO!

Page 4

The handshake

Page 5

Challenges

• KDC validation

• Replay attacks

• Downgrade attacks

• Pass-the-ticket attacks

Page 6

MitM

• An attacker can trick the client into believing it is the KDC during the AS negotiation.

• But in order to create the Service Ticket, the attacker has to know the shared secret between the client and the KDC…

Page 7

The problem with AS_REQ

• During password authentication, the pre-authentication part of AS_REQ is encrypted with a key derived from the password.

• Most of AS_REQ is sent in the clear (without server validation), making man-in-the-middle attacks possible.

Page 8

The problem with ERR_PREAUTH_REQUIRED

• A phony KDC can ask the client to use a weak encryption algorithm (etype downgrade attack).

• DES and Windows "export grade" RC4 are vulnerable to brute-force and dictionary attacks.

• The MitM attacker can manipulate the salt (the "seed" the KDC sends with the pre-authentication hint), making the derived key easier to crack.

Page 9

Platforms vulnerable to etype downgrade attacks

• MIT Kerberos v1.7 and below will accept any form of DES.

• Windows 2008 / Vista and prior will accept any form of DES.

Page 10

MitM

• When a client computer joins the domain, there is no need for a Service Ticket.

• The attacker can own the client and its identity by acting as a proxy between the real KDC and the client.

Page 11

Smart card Kerberos auth in pre-Windows 2008 R2 domains is vulnerable to MitM attacks

• Windows clients will not check the DC certificate for the EKU (Enhanced Key Usage) id-pkinit-KPKdc unless told to do so.

• For whatever reason, the Server Authentication EKU is considered enough, making every client with a computer certificate a possible MitM platform.

Page 12

Pass-the-Ticket Attack

The Attack

The Pass-the-Ticket attack enables an attacker to authenticate to a Windows server using the Kerberos "ticket granting ticket" of a user recently logged into the domain.

After previously compromising and gaining privileged access to a computer logged into the domain, the attacker extracts the Kerberos ticket granting ticket and uses it to access every server the victim is authorized to access.

Page 13

Pass-the-Ticket Attack Tools

Tools for the attack include:

• Windows Credentials Editor (WCE)

• KDE Replay

• Corelab Pass-the-Hash Toolkit, SMBShell

• Mimikatz

Page 14

The Golden Ticket

• Using pass-the-ticket or pass-the-hash, gain Domain Administrator privileges.

• Obtain the NTLM hash of the krbtgt account from a pre-2008 R2 Domain Controller.

• Use Mimikatz to produce a fake TGT for any user (even non-existent users will work).

• Pwnd

Page 15

Page 16

Risk assessment – Kerberos attacks

Popularity: Low

Ease of implementation: Medium/easy

Impact: High

Remotely exploitable: Yes

Risk: High

Page 17

Hardening Microsoft Kerberos

• Use ONLY Windows 2012 R2 Domain Controllers

• Use AES 256

• Disallow etype downgrade

• Use Kerberos KDC certificates (requires a 2008 R2 Certificate Authority or later)

• Enable the GPO "Require strict KDC validation"

• Only allow clients to join the domain from a separate, secure network segment

Page 18

Pass-the-Ticket Defenses

• Very hard to detect, since it is a valid protocol doing valid things

• Change the KRBTGT password, TWICE

• Upgrade to 2012 R2 on ALL DCs, or apply patch KB 2871997

• A SIEM solution may be able to determine that the ticket granting ticket is being used inappropriately
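The SIEM remark above, and the earlier Golden Ticket slide (a TGT forged from the krbtgt NTLM hash is RC4-encrypted and can name a user that does not exist), suggest three audit-log heuristics. The following is an added example, not the author's code: it runs them over constructed Windows 4768/4769-style events in an assumed one-line-per-event format, with a constructed account list standing in for a directory export.

```python
import re

# Constructed sample audit lines (format assumed for this example, not a real export):
#   <event_id> account=<user>@<REALM> ip=<client ip> etype=<hex "Ticket Encryption Type">
# 4768 = TGT issued by the AS exchange, 4769 = service ticket requested with a TGT.
SAMPLE_LOG = """\
4768 account=alice@CORP.LOCAL ip=10.0.0.5 etype=0x12
4769 account=alice@CORP.LOCAL ip=10.0.0.5 etype=0x12
4769 account=alice@CORP.LOCAL ip=10.0.0.99 etype=0x12
4769 account=ghost@CORP.LOCAL ip=10.0.0.99 etype=0x17
4768 account=bob@CORP.LOCAL ip=10.0.0.7 etype=0x17
"""

# Etype values as Windows logs them; these are the ones the slides call weak.
WEAK_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x17: "RC4-HMAC"}
KNOWN_ACCOUNTS = {"alice", "bob"}  # constructed stand-in for an AD account export

LINE_RE = re.compile(
    r"^(?P<id>\d+) account=(?P<acct>[^@\s]+)@\S+ ip=(?P<ip>\S+) etype=(?P<etype>0x[0-9a-fA-F]+)$"
)


def parse(log):
    """Turn the constructed log text into (event_id, account, ip, etype) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["id"]), m["acct"].lower(), m["ip"], int(m["etype"], 16)))
    return events


def detect(events, known_accounts=KNOWN_ACCOUNTS):
    """Return (rule, account, ip) alerts in log order.

    weak-etype:            ticket uses DES or RC4 (etype downgrade, or a TGT forged
                           from the krbtgt NTLM hash, which yields RC4 tickets)
    unknown-account:       a TGT for a name the directory does not know was accepted
    tgt-reused-elsewhere:  service tickets requested from an IP other than the one
                           that obtained the TGT (ticket copied to another host)
    """
    alerts = []
    tgt_origin = {}  # account -> IP that obtained its TGT via a 4768
    for event_id, acct, ip, etype in events:
        if etype in WEAK_ETYPES:
            alerts.append(("weak-etype", acct, ip))
        if event_id == 4768:
            tgt_origin[acct] = ip
        elif event_id == 4769:
            if acct not in known_accounts:
                alerts.append(("unknown-account", acct, ip))
            elif tgt_origin.get(acct) not in (None, ip):  # None: no 4768 seen yet
                alerts.append(("tgt-reused-elsewhere", acct, ip))
    return alerts
```

On real data the account list must include machine accounts and the IP comparison needs care with VPN and NAT, but the unknown-account and weak-etype rules map directly to the forged-TGT properties the slides describe.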

Page 19

Questions?