Exploit the Kerberos Protocol
The Kerberos protocol is the second key authentication protocol in Active Directory. It’s the default protocol used whenever possible. There are several ways to use this protocol for lateral movement. To get a better understanding of them, let’s take a quick look at how the Kerberos protocol works.
Kerberos
A user needs to provide proof of their identity to a service in order to use it. To do so, the user must first request a TGT (Ticket Granting Ticket) from the domain controller. A TGT is similar to a passport. It contains information about the user, including their name and the groups they belong to. Like a passport, it must be impossible to fake: users must not be able to change their name or groups whenever they want to. The TGT is therefore protected by a key that only the domain controller can access.
To retrieve this ticket, users must be preauthenticated with the domain controller, proving they know their password. If the domain controller validates the preauthentication, it returns the TGT.
Once the user has received the TGT, they can request access to any service. To access a specific service, they send another request to the domain controller, presenting their TGT and asking for a ticket for that service. The domain controller checks that the TGT is valid and has not been modified, then sends the user another ticket, a service ticket specific to the service requested. This time, the ticket is protected by the associated service account’s password, meaning the password of the account running the requested service. This service ticket contains a copy of the user’s identity information (name and groups) taken from the TGT.
Once the user has received the service ticket, how do they use it? They submit the ticket to the service. The ticket is protected with the service account’s password, which the service knows, so the service can open the ticket, see who is making the request, and check whether that user has permission to use the service.
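To make the three exchanges above concrete, here is an added toy model of the flow (not part of the original chapter and not real Kerberos cryptography): tickets are sealed with a stand-in authenticated encryption built from the standard library, the krbtgt and service keys are constructed values, and the demo shows that a client who edits their own TGT is refused a service ticket.

```python
import hashlib, hmac, json, os
def derive_key(password: str) -> bytes:
    # Toy string-to-key; real Kerberos derives keys with its own KDF per encryption type
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))

def seal(key: bytes, payload: dict) -> bytes:
    # Toy authenticated encryption (XOR keystream + HMAC tag), standing in for the ticket etype
    data = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_ticket(key: bytes, ticket: bytes) -> dict:
    body, tag = ticket[:-32], ticket[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("ticket rejected: wrong key or ticket modified")
    nonce, enc = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(enc, _keystream(key, nonce, len(enc)))))

KRBTGT_KEY = derive_key("constructed-krbtgt-secret")              # held only by the DC
SERVICE_KEYS = {"cifs/dc01.medic.ex": derive_key("S3rv1ceP4ss")}  # service account password
def as_exchange(user: str, groups: list) -> bytes:
    # AS exchange: once preauthentication succeeds (assumed here) the DC issues the TGT
    return seal(KRBTGT_KEY, {"user": user, "groups": groups})

def tgs_exchange(tgt: bytes, spn: str) -> bytes:
    # TGS exchange: the DC opens the TGT (a modified one fails here), then copies the identity into a service ticket
    identity = open_ticket(KRBTGT_KEY, tgt)
    return seal(SERVICE_KEYS[spn], {"spn": spn, **identity})

def ap_exchange(spn: str, service_ticket: bytes) -> dict:
    # AP exchange: the service opens the ticket with its own key to see who is calling
    return open_ticket(SERVICE_KEYS[spn], service_ticket)

def demo() -> tuple:
    spn = "cifs/dc01.medic.ex"
    tgt = as_exchange("pixis", ["Domain Users"])
    who = ap_exchange(spn, tgs_exchange(tgt, spn))
    # A client that edits its TGT (say, to add a group) cannot re-seal it without the krbtgt key
    tampered = tgt[:16] + bytes([tgt[16] ^ 0x01]) + tgt[17:]
    try:
        tgs_exchange(tampered, spn)
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return who["user"], who["groups"], forged_accepted
```

Calling `demo()` returns `('pixis', ['Domain Users'], False)`: the service learns who is calling, and the edited TGT is refused.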
Kerberoasting
Once the user receives the TGT, they can request a service ticket for any service in the domain. However, a service ticket is protected by the password of the requested service account. So, in theory, if you request a service ticket, you can attempt to find the key that decrypts the ticket yourself. Just try a lot of different keys, and you may find the right one.
The majority of the services provided by Active Directory are provided by computers with machine accounts. However, the password for a machine account is very long and random. There’s zero chance of happening upon the correct password.
However, sometimes user accounts can also run services. That’s where the Kerberoasting attack comes in. The idea is to request service tickets for all services that are provided by users. For each ticket, you’ll attempt to find the password that protects it. If you succeed, you will have found the password to the relevant account!
A tool from the Impacket collection automates this process. It’s called GetUserSPNs.py.
GetUserSPNs.py -request medic.ex/pixis:P4ssw0rd -outputfile hashes.kerberoast
Once the tickets have been retrieved, the tool will convert them into a format that can be read by tools like hashcat, in order to find the associated password.
hashcat -m 13100 ./hashes.kerberoast /home/pixis/wordlist.txt
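An added detection-side example (not from the original chapter): the Kerberoasting pattern described above shows up in Windows Security event 4769 as one client requesting service tickets for many user-account SPNs in a short time, typically with RC4 (ticket encryption type 0x17). The log lines below are a constructed simplification of 4769 fields, not real EVTX/XML records, and the window and threshold are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769 (TGS ticket requested) fields, one event per
# line: client address, requesting account, service name, ticket encryption type.
SAMPLE_4769 = """\
2024-03-01T09:00:01 client=10.0.0.5 account=pixis@MEDIC.EX service=DC01$ etype=0x12
2024-03-01T09:00:02 client=10.0.0.5 account=pixis@MEDIC.EX service=svc_sql etype=0x17
2024-03-01T09:00:02 client=10.0.0.5 account=pixis@MEDIC.EX service=svc_web etype=0x17
2024-03-01T09:00:03 client=10.0.0.5 account=pixis@MEDIC.EX service=svc_backup etype=0x17
2024-03-01T09:00:03 client=10.0.0.5 account=pixis@MEDIC.EX service=svc_print etype=0x17
2024-03-01T09:15:00 client=10.0.0.9 account=alice@MEDIC.EX service=svc_sql etype=0x12
2024-03-01T09:30:00 client=10.0.0.9 account=alice@MEDIC.EX service=FS01$ etype=0x12
"""

def parse_4769(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3) -> list:
    """Flag a (client, account) pair that requests tickets for `threshold` or more distinct
    user-account services with RC4 (etype 0x17) inside `window`. Machine-account services
    (names ending in '$') are ignored: their long random passwords are not a cracking target."""
    by_requester = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["etype"].lower() == "0x17" and not ev["service"].endswith("$"):
            by_requester[(ev["client"], ev["account"])].append(ev)
    alerts = []
    for (client, account), evs in by_requester.items():
        for i, first in enumerate(evs):
            services = {e["service"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(services) >= threshold:
                alerts.append({"client": client, "account": account,
                               "services": sorted(services)})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_kerberoasting(parse_4769(SAMPLE_4769)):
        print(alert)
```

On the sample, only 10.0.0.5 / pixis is flagged: four user-account services requested with RC4 within seconds, while alice’s AES requests spread over half an hour are left alone.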
Pass-the-Ticket
Remember the pass-the-hash technique you learned with the NTLM protocol? Here, it’s all about tickets, so what you can pass are tickets! If you compromise a machine or a workstation’s admin account, you can try to retrieve and reuse Kerberos tickets from its memory. In fact, if you find the TGT ticket of a different account, you could potentially reuse it to impersonate that account, as long as it hasn’t expired. This technique is known as pass-the-ticket.
Make Use of Other Protocols
In an Active Directory environment, there are many other protocols available to you. Some of them allow you to remotely control a machine, such as SMB, RDP, SSH, WinRM, VNC, WMI, and many others.
If you have login credentials, you can use them to move laterally. Here are some tools that can be used for lateral movement.
You can remotely create and run a service using SMB. A service is nothing more than an application that runs in the background. This is what the psexec tool does when you use it to execute remote commands. This tool has been included in the Impacket collection you are now familiar with. It’s called psexec.py.
psexec.py medic.ex/pixis:P4ssw0rd@dc01.medic.ex
RDP allows you to open a remote desktop on a target machine. It’s like sitting in front of the screen, but remotely. This is very useful for admin tasks! It’s also useful if you want to access new workstations with compromised login credentials. You can use the Windows RDP client, or on Linux the FreeRDP client. Other tools are available, but FreeRDP has an interesting feature: it can authenticate with only the NT hash. This works when the RDP connection is made in Restricted Admin mode, a Windows security feature that has the side effect of allowing pass-the-hash over the RDP protocol.
xfreerdp /u:pixis /d:medic.ex /pth:ac1dbef8523bafece1428e067c1b114f /v:dc01.medic.ex
Exploit Network Shares
In closing, network shares are often overlooked or neglected during audits. They provide you with a wealth of information, especially during the reconnaissance phase. In network shares, you’ll often find personal and sensitive documents related to internal projects, application configurations, and more. You might even find applications’ source code and backups.
In the reconnaissance phase, you’ve learned to identify the location of network shares, while finding the shares that are accessible to you. This allows you to manually search for documents that may be useful to your attack phase.
Alongside manual searching, there is a useful tool that can help you discover sensitive information in the company’s network shares: Snaffler automates part of the search. It connects to a domain controller and extracts a list of all the computers in the domain. It then contacts each computer, lists its network shares (if there are any), and recursively reads through them to reach every file in every folder. To keep this from taking too long, a series of filters restricts the scan to files that have the potential to be interesting.
snaffler.exe -s -o snaffler.log
I use Snaffler during my audits, but I also perform a lot of manual searches. For a lot of data, especially company data, it is difficult for an automated tool to determine whether or not the data is critical or sensitive.
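As an added example (not Snaffler’s code or rule set), the same filter-then-read approach can be turned on your own shares to find exposed secrets before an audit does; the file name and content rules, and the sample share built in a temporary directory, are constructed for illustration.

```python
import re, tempfile
from pathlib import Path

# File-name rules: report the file whatever it contains (stand-in for Snaffler's rule set)
NAME_RULES = re.compile(r"(\.kdbx|\.pfx|\.ppk|id_rsa|web\.config|unattend\.xml|\.rdp)$", re.I)
# Content rules, applied only to readable files under a size limit
CONTENT_RULES = {
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
    "connection_string": re.compile(r"(?i)Data Source=.*?Password="),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
SKIP_EXT = {".exe", ".dll", ".iso", ".zip", ".jpg", ".png", ".mp4"}  # not worth reading

def triage_share(root, max_bytes: int = 1_000_000) -> list:
    """Walk a share root and return sorted (relative path, rule) pairs for review."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if NAME_RULES.search(path.name):
            findings.append((rel, "interesting_name"))
        if path.suffix.lower() in SKIP_EXT or path.stat().st_size > max_bytes:
            continue  # the filters keep the scan short, as the text describes
        text = path.read_text(errors="ignore")
        findings += [(rel, rule) for rule, pat in CONTENT_RULES.items() if pat.search(text)]
    return sorted(findings)

def build_sample_share() -> Path:
    # Constructed share content in a temporary directory so the scan runs offline
    root = Path(tempfile.mkdtemp())
    (root / "IT" / "backups").mkdir(parents=True)
    (root / "IT" / "backups" / "web.config").write_text(
        '<add name="db" connectionString="Data Source=sql01;User ID=svc_sql;Password=S3rv1ceP4ss"/>')
    (root / "IT" / "vault.kdbx").write_bytes(b"\x03\xd9\xa2\x9a")
    (root / "HR").mkdir()
    (root / "HR" / "onboarding.txt").write_text("Default laptop pwd: Welcome2024!\n")
    (root / "Marketing").mkdir()
    (root / "Marketing" / "logo.png").write_bytes(b"\x89PNG password=not-scanned")
    (root / "Marketing" / "plan.txt").write_text("Q3 plan, nothing sensitive\n")
    return root

if __name__ == "__main__":
    for rel, rule in triage_share(build_sample_share()):
        print(f"{rule:20} {rel}")
```

Note that the PNG is skipped by extension even though its bytes contain the word "password", which is exactly the kind of trade-off the filters make.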
Let’s Recap!
In addition to exploiting the NTLM protocol described in the previous chapter, there are several techniques for performing lateral movement within an Active Directory:
Use Kerberoasting to find new login credentials.
Reuse Kerberos tickets found in memory (pass-the-ticket).
Use other protocols such as SMB and RDP with the credentials you have compromised.
Discover sensitive information in network shares.
Lateral movement allows you to discover new login credentials and compromise new machines, but your goal is to compromise the domain. Based on all the information you’ve gathered and the accounts and machines you’ve compromised, you’ll now learn how to elevate your privileges to become a domain administrator.