Kerberos and Tickets

by | Jul 16, 2022 | Uncategorized | 0 comments

What is Kerberos?

Kerberos is a built-in protocol used by Microsoft for domain environment authentication. Kerberos is built entirely on trust, which, if broken, it can be violated. This article will show Kerberos and how we can exploit it.

Kerberos is an authentication method that uses tickets to grant users access to domain-based services and resources. As it allows authentication over insecure networks while confirming the identity of the user.

 It only works with a domain name, while direct connections via IP are made with NTLM. It has been the default authentication technique in a domain environment since Windows Server 2000.

Different terminologies

KDC: The Key Distribution Server, sometimes known as the DC, is the server in charge of the Kerberos authentication process. Kerberos can be configured on a Linux server as well.

TGT: The Ticket Granting Ticket is a certificate encrypted with the private key of the KDC. Only the KDC has the logic to decrypt it.

TGT is a password-less authentication method.

TGS: The ticket provides a service provider is a certification server placed in the KDC that is in charge of distributing service tickets to users for them to access the service provider.

krbtgt: It is a unique account used to create and sign TGTs. And If the security of the organization is breached, the overall security of the organization is put at risk.

How does it work?

Authentication Server: The client approaches the KDC and expresses a desire for a TGT for future needs. The server authenticates the client and returns a TGT that has been signed with its key.

TGT storage: The client stores the TGT in a special place in the memory that will be erased if the user logs out. When the TGT expires, the client requests a new one.

TGT Request: When a client requires a service or a resource, such as a network share, it sends a request to the appropriate TGS while authenticating with the TGT.

TGT Response: The KDC validates that the TGT was signed with its own key before generating a TGS signed with the service provider’s key. The TGS can only be used once.

Service Request: By sending a TGS signed with the service provider’s key that only it and the KDC have, the service provider can authenticate the client without a user and password.

Kerberos Attacks

Kerberoasting: This technique is used when brute-forcing the password of a ticket generated for a service running with the permission of a user account.

Pass The Attack: PTT is a technique similar to Pass The Hash that uses stolen Kerberos tickets to authenticate with a service provider. Because tickets are not reauthenticated, they can be reused by malicious actors.

Golden Ticket: When a krbtgt account is compromised, an attacker can use it to generate custom certificates that are trusted even if the facts are completely false.

AS-REP Roasting: It is an attack that abuses disabled pre-authentication settings for accounts that require an AS response to brute-force their passwords.

What is Kerberoasting?

TGS is encrypted with the service account’s NT hash. A service’s owner can be a computer that operates the service or a conventional domain account. A Kerberoasting attack uses brute-force to crack TGS and obtain the service account password.

Choosing a Target

Because of the strong generated passwords, Kerberoasting is basically worthless against computer accounts. Services that employ user accounts, and on the other hand, are significantly easier to brute-force.

To identify services running with user accounts, setspn -T [domain] -Q */* can be used. The command will output all SPNs for the services and the user running them.

Generating a Request

Typically, tickets are generated through GUI activities, but they can also be rendered manually.

The system.IdentifyModel this command is used in the PowerShell library and contains the required functions to request a ticket.

A user does not always need access to the service in order to request a ticket. The Service Principal’s name is required as the lone parameter to the KerberosRequestorSecurityToken function.

Although tickets are only retained in memory, they can still be seen. And the klist command can be used to view the tickets. With klist/purge, you can also erase the tickets from memory.

Extracting Tickets

Tickets can be extracted from memory using Mimikatz. Executing the Kerberos::list/export command will result in kirbi files corresponding to the tickets.

Kerberos::list does not need to be elevated and can simply take the running user’s tickets.

If traffic was observed when the ticket was issued, the network could also recover tickets. The TGS-REP should be present in the network capture if a ticket is sent. The other packets are irrelevant. Using special Python scripts, the tickets can be extracted to files.

Cracking Tickets

A brute-force or dictionary assault can be used to crack tickets. After using invoke-kerberoast to extract the TGS, Hashcat or John may be used to crack it.

 Cracking the password for the service account, a privileged domain account can be obtained.

AS-REP Roasting

AS-REP Roasting occurs when an authentication server can grant TGT to an account without the authentication set by default.

The account setting “Do not require Kerberos preauthentication” will disables preauthentication with the AS. An attacker can request TGT for these accounts and then brute-force the TGT offline.


Rubeus can help perform various Kerberos attacks similar to Mimikatz. The utility may acquire all accounts without requiring Kerberos preauthentication using a ldap query.

The tool will then request TGTs for all accounts and save them to a file.

Pass the Ticket Attack

What are Pass the Ticket Attacks?

Pass the Ticket is a technique of authenticating to systems using Kerberos tickets without knowing the password of an account.

Kerberos tickets can be used to authenticate stations, not within a domain. Passwords and users are not validated because Kerberos is based solely on trust and ticketing.

Mimikatz with Kerberos::ppt[ticket] can be used to load Kerberos tickets back into memory.

After loading a ticket, it can be tested for the current session using Kerberos::tgt. TGS can be loaded similarly, but it is far less efficient owing to time constraints.

Breaching the Domain

If an attacker acquires lateral access to a domain controller, it can use the krbtgt credentials to create tickets.

Due to password redundancy, krbtgt’s password must be reset twice to regain trust. The tickets may contain fake or real information and will still be valid from the domain’s point of view.

Golden Vs Silver Ticket

Golden TicketSilver Ticket
Golden Tickets for domains can be obtained by utilizing the key distribution service account, krbtgt.For services that employ Kerberos as an authentication mechanism, Silver Tickets can be obtained.
The approach use krbtgt’s NTLM hash, which permits the production of TGTs for any Active Directory account.They are used to produce tickets for access to certain system resources that host the service.
By default, Domain Controllers can accept tickets for a period of 10 years.Silver tickets are less common because they necessitate the compromise of service accounts. Golden tickets are most typically utilized as system backdoors.

Getting krbtgt

To get the krbtgt user’s hash, domain admin credentials are needed. It is then possible to either log in to the domain or synchronize with the DC.

If a ticket’s password is cracked, it will be possible to rewrite the ticket and use it for PTT attacks.

The Golden Ticket Requirement

Domain Name: The correct domain name must be specified to create a valid ticket.

SID: The security object ID for a domain, a unique identifier.

A SID comprises an identifier and a user ID, of which only the first is needed.

Example: S-1-5-21-2802611573-2998842152-719546879

krbtgt Hash: The hash can be obtained by performing a desync or logging in to the DC and performing credential dumping.

User Information: It is provided in the ticket. The information can be legitimate or wholly made up.

ID: The ID of the user that is part of the SID. The recommended value is 500.

Creating a Golden Ticket

The creation of a golden ticket is done using the command Kerberos::golden. The essential parameters are /krbtgt:[hash] and /sid:[sid].

The remaining parameters are /user:[user], /id:[id],/group:[groups] and /domain:[domain]. Golden tickets are typically created with a 10-year lifespan.

Fake Tickets

A bogus ticket might contain any type of information. However, it is advised that the user be added to the various domain groups to assign privileges.

Typical groups include 500 and 520, which are domain administrators and enterprise administrators, respectively. When a ticket is loaded into memory, commands with elevated privileges are available.

For instance, folders in the DC, usually permitted only to domain admins, can now be accessed.

NTDS.dit Manual Extraction

Domain File Sync is a program that collects files from a computer, including the NTDS.dit file.

The directory replication service remote protocol (MS-DRSR) is a good service in a network setting. Domain file sync can be done in several ways, with and without custom tools.

It is often used when a new domain controller joins the network and needs a copy of the existing entries.