From aldeid
Jump to navigation Jump to search

What is Kerberos?

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Kerberos vs NTLM

The Kerberos protocol is not a Microsoft invention, but Microsoft integrated their version of Kerberos in Windows2000, and it is now replacing NT Lan Manager (NTLM), which was a challenge-response authentication protocol.

Kerberos benefits from a stronger encryption, which improves the security as compared to NTLM.

Kerberos attacks

Attack Description Tool
Pass-the-ticket the process of forging a session key and presenting that forgery to the resource as credentials
Pass-the-hash authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. Pass-The-Hash
Overpass The Hash/Pass The Key (PTK) GetTGT
Pass The Ticket (PTT) mimikatz, rubeus, impacket
Golden Ticket A ticket that grants a user domain admin access mimikatz, rubeus, impacket
Silver Ticket A forged ticket that grants access to a service mimikatz, rubeus, impacket
Brute force automated continued attempts to guess a password kerbrute, rubeus
Encryption downgrade with Skeleton Key Malware A malware that can bypass Kerberos, but the attack must have Admin access
DCShadow attack a new attack where attackers gain enough access inside a network to set up their own DC to use in further infiltration
ASREPRoast AS-REP Roasting is an attack against Kerberos for user accounts that do not require preauthentication. Impacket/GetNPUsers, rubeus
Kerberoasting Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection. (More info) Impacket/GetUserSPNs, rubeus