Kerberos is both a ticket-based Authentication, Authorization and Accountability (AAA) network protocol and an SSO implementation:
- As an AAA protocol, Kerberos provides a secure method for authenticating clients and servers in a network environment, ensuring that only authorized users and services can access resources.
- As an SSO implementation, Kerberos enables users to authenticate once and then access multiple services or resources without needing to re-authenticate for each one.
It is the most common ticket system, used for example in on-premise Windows networks.
Kerberos issues tickets that can be presented to various services to gain access, eliminating the need for users to repeatedly enter their credentials.
Context of Kerberos
Kerberos is an open standard.
It was originally developed by MIT (Massachusetts Institute of Technology) and later standardized by the Internet Engineering Task Force (IETF) in RFC 4120.
Description of Kerberos
A Kerberos system has the following network members:
- Kerberos server
- Client
- Service Server (SS)
There can be multiple instances of each within the same network, including different Kerberos servers.
Ticket authentication is a mechanism that employs a third-party entity to provide authentication.
It is based on the existence of these kinds of tickets:
- A service ticket (ST), client-to-server ticket, or client/server ticket is an encrypted message that provides proof that a subject is authorized to access an object. It enables authorization.
- A Ticket-granting Ticket (TGT) is a ticket that grants service tickets. It enables authentication.
- Service accounts, unlike standard user accounts, use a TGS ticket (TGST) instead of a TGT.
The Key Distribution Center (KDC) is the central authentication authority within the Kerberos system. It maintains the secret keys of all network members.
The Kerberos Authentication Server hosts the KDC services, and it is sometimes also referred to as the KDC.
The Kerberos authentication server services are:
- Authentication service (AS)
- Ticket-granting service (TGS)
The TGS validates the ticket-granting ticket (TGT) and the user’s rights to access the service they are requesting to use. It is sometimes hosted on another server.
Note that users do not communicate directly with the KDC; they go through the authentication server services (AS and TGS) instead.
A Kerberos principal is a user that requests a ticket.
A Kerberos realm is the logical area (such as a domain or a network) ruled by Kerberos.
Kerberos relies on properly synchronized time on each end of a connection to function. It is recommended to use a network time protocol (NTP) server.
Kerberos requires a database of accounts, typically a directory service. You can read more about directory services on this post.
The system is based on timestamps, so it is important that all elements are synchronized. The use of an NTP server is recommended.
Kerberos preauthentication is a security feature of Kerberos that helps prevent password-guessing attacks. Kerberos users can have preauthentication enabled or disabled.
A keytab (short for “key table”) stores long-term keys for one or more principals. Keytabs are used most often to allow server applications to accept authentications from clients, but can also be used to obtain initial credentials for client applications.
Kerberos Authentication Process
Kerberos authentication process:
- User provides authentication credentials
- Client/TGS key generated
- TGT generated
- Client/server ticket generated
- User accesses service
1. User provides authentication credentials
The user enters a username and password in the Kerberos client.
The Kerberos client encrypts the username and password before sending them to the AS, using the symmetric encryption method AES. The encryption key is the hash of the user’s password.
This implies that anyone who knows the hash of the password could try to impersonate the user at this first step.
2. Client/TGS key generated
The AS uses the user’s password that it stores to generate a hash, and then uses that hash to encrypt a symmetric key. This key is called the session key, session key encryption key (KEK) or client/TGS key.
3. TGT generated
The KDC generates an encrypted, time-stamped TGT.
It transmits both the client/TGS key and the TGT to the client.
The client needs to accept the TGT for use until it expires, and must also decrypt the client/TGS key using a hash of the user’s password that was previously entered.
The client/TGS key will be used from now on to encrypt messages for the KDC and communicate with it privately.
4. Client/server ticket generated
The client sends the TGT to the TGS (that may be a different server than the AS) to request access to a resource.
The TGS verifies that the TGT is valid and checks the access control matrix to verify that the user has authorization for the requested service.
If everything is fine, the TGS generates the client-to-server ticket (or service ticket) and the session keys, and sends them to the Kerberos client.
5. User accesses service
The user presents the service ticket to the service server (SS) hosting the resource by sending these two messages:
- The client-to-server ticket or service ticket, encrypted using the service’s secret key (which is known only to the KDC and the service)
- A new authenticator, including the client ID and timestamp that is encrypted using the client/server session key
The server verifies the validity of the service ticket and extracts all the required information from it.
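The five steps above as a runnable simulation of the three exchanges (AS, TGS and service server), added here as an illustration and not code from the original post. It assumes a toy HMAC-authenticated keystream cipher in place of AES, PBKDF2 for the password-derived key the text calls the password hash, a pre-authentication timestamp (see the preauthentication note above) rather than the password itself in the first message, and constructed names (realm, principal "alice", service "http/web01") chosen for the example; the service's own copy of its key stands in for its keytab.

```python
import hashlib, hmac, json, os, time

def derive_key(password, salt):  # long-term key from the password (the "password hash" in the text)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)
def _stream(key, nonce, n):  # toy keystream standing in for Kerberos' AES; not a real cipher
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
def encrypt(key, obj):  # encrypt-then-MAC, so decrypting with the wrong key is detected, not silent
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))
def fresh(ts, skew=300): return abs(time.time() - ts) <= skew  # timestamps are why the page insists on NTP

class KDC:  # holds every principal's long-term key: the single point of failure the page names
    def __init__(self, realm, users):  # users: constructed {principal: password} database
        self.realm, self.keys = realm, {p: derive_key(pw, realm + p) for p, pw in users.items()}
        self.keys["krbtgt"] = os.urandom(32)  # the key that seals every TGT

    def as_exchange(self, principal, preauth):  # steps 1-3: AS returns the session key and the TGT
        if not fresh(decrypt(self.keys[principal], preauth)["ts"]):  # decrypt() fails on a wrong password
            raise ValueError("stale pre-authentication timestamp")
        sk = os.urandom(32)  # client/TGS session key
        tgt = encrypt(self.keys["krbtgt"], {"client": principal, "key": sk.hex(), "exp": time.time() + 36000})
        return encrypt(self.keys[principal], {"key": sk.hex()}), tgt

    def tgs_exchange(self, tgt, authenticator, service):  # step 4: TGS returns the service ticket
        t = decrypt(self.keys["krbtgt"], tgt)
        a = decrypt(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or not fresh(a["ts"]) or time.time() > t["exp"]:
            raise ValueError("invalid TGT or authenticator")
        ssk = os.urandom(32)  # client/server session key
        st = encrypt(self.keys[service], {"client": t["client"], "key": ssk.hex(), "exp": time.time() + 36000})
        return encrypt(bytes.fromhex(t["key"]), {"key": ssk.hex()}), st

def client_login(kdc, principal, password, service):  # client side of steps 1-4
    key = derive_key(password, kdc.realm + principal)
    auth = lambda k: encrypt(k, {"client": principal, "ts": time.time()})  # authenticator message
    enc_sk, tgt = kdc.as_exchange(principal, encrypt(key, {"ts": time.time()}))
    sk = bytes.fromhex(decrypt(key, enc_sk)["key"])  # only the correct password unlocks the session key
    enc_ssk, st = kdc.tgs_exchange(tgt, auth(sk), service)
    return st, auth(bytes.fromhex(decrypt(sk, enc_ssk)["key"]))

def service_accepts(service_key, st, authenticator):  # step 5: the SS validates without asking the KDC
    t = decrypt(service_key, st)
    a = decrypt(bytes.fromhex(t["key"]), authenticator)
    return a["client"] == t["client"] and fresh(a["ts"]) and time.time() < t["exp"]
```

Decrypting with the wrong key raises ValueError, so a wrong password fails already at the AS exchange and a ticket presented to a service other than the one it was issued for fails at step 5.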
Kerberos Weaknesses
Kerberos weaknesses:
- The KDC is a single point of failure
- If you have access to the KDC, you have access to all accounts
- It is susceptible to password guessing
Kerberos Exploitation Attacks
There are different exploitation attacks on Kerberos:
- Pass the hash
- Overpass the hash
- Pass the ticket
- Silver ticket
- Golden ticket
- Kerberos Brute-Force
- Kerberoasting
- ASREPRoast
Pass the Hash
Pass the hash (PtH) is an exploit on Windows systems that uses the NT LAN Manager (NTLM) or Kerberos authentication protocols, and means obtaining the hash and using it to impersonate a user.
The hashes may be obtained from the lsass.exe process in Windows systems with NTLM enabled or by sniffing.
The best-known tool for PtH and pass-the-ticket attacks against Windows authentication protocols is the free and open source software (FOSS) Mimikatz.
Overpass the Hash
Overpass the hash, sometimes called pass the key (PTK), is an exploit on Windows systems used when NTLM is disabled in the network, but Kerberos is still available.
The NTLM hash still has to be obtained somehow; for example, the NTLM hash remains stored in memory even when NTLM is disabled on the network.
The NTLM hash is used against the Kerberos server to obtain the TGT, and then other services can be accessed.
Pass the Ticket
Pass the ticket is an exploit on Windows systems where the attacker harvests tickets held in the process lsass.exe and uses them.
Note that in this case tickets are directly harvested, not hashes.
Silver Ticket
Silver ticket is an exploit on Windows systems where the hash from a service account is captured.
This hash is used to create a TGST.
Golden Ticket
Golden ticket is an exploit on Windows systems where the hash from the Kerberos service account (KRBTGT) is captured. It allows the attacker to create tickets within the directory service or network at will.
Kerberos Brute-Force
Kerberos brute-force means trying all possible usernames and/or passwords until a login succeeds.
Tools for this attack include the Python script kerbrute.py on Linux systems and Rubeus on Windows systems.
Kerberoasting
Kerberoasting consists of collecting encrypted TGSTs and cracking them offline.
ASREPRoast
ASREPRoast consists of identifying users that do not have Kerberos preauthentication enabled, sending an authentication request for such a user to the KDC, and receiving a TGT encrypted with the client’s password as the key.
These TGTs can be cracked offline.
Examples of Uses of Kerberos
Kerberos is used on the on-premise version of Microsoft Active Directory Domain Services (AD DS) and Windows OS.