03.01.2015

Kicking the Guard Dog of Hades - Attacking Microsoft Kerberos - Tim Medin(1)


Attacking Kerberos: Kicking the Guard Dog of Hades – ©2014 Tim Medin - @timmedin


Code: https://github.com/nidem/kerberoast

Slides: https://www.dropbox.com/s/d7xpwdu8cvq149s/Kerberoastv2.pdf?dl=0

Slide 6 (diagram, "Level of Access"; labels as they appear on the slide): Full Domain Compromise; Golden Ticket; Initial Compromise; Ticket Rewriting; Kerberoast/Mimikatz; Kerberoast Cracking; No Access.

Slide 8 (dialogue):

User: I'm Tim, and I need to authenticate to something. Here is a request encrypted using my password hash.

KDC (Key Distribution Center, Windows Domain Controller): I can decrypt your communication using your NTLM hash. Here is a TGT encrypted with your NTLM hash.

Slide 9 (dialogue):

User: I need to authenticate to a service via Kerberos. Can I get a ticket for another service? Here is my TGT to verify my identity.

KDC (Key Distribution Center, Windows Domain Controller): Sure, here it is. I don't check if you have permissions on the target service. I leave that up to the service. I have enough to do.

Slide 10 (dialogue):

User: Here is some stuff I can't read, but the KDC says this should verify me.

Other Server: I can decrypt this ticket, and the HMAC signature using my hash as the key is good. I see your user info in this ticket, but before I authorize you I may* need to verify the details.

Slide 12 (dialogue):

User: I need to talk to the mail server on cliff.medin.local.

KDC: Before I can send a ticket I need to encrypt it using the target server's hash.

Service Account (SPN -> account, as listed on the slide):
MAIL/cliff.medin.local -> mailsvc
HTTP/charlotte.medin.local -> websvc
MSSQL/db01.medin.local -> sqlengine

Slide 18 (dialogue):

User: Here is my TGT. Can I get a ST for Sql01, Web01, Mail01, …

KDC: Sure thing! Your TGT looks good. The services will authorize you, not me. I can't keep track of all that.

Slide 29 (labels): Service's Hash; Inject Straight into RAM (hidden feature)
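The KDC on slides 12 and 18 hands out a service ticket for every SPN a valid TGT asks for, so the bulk request pattern ("Sql01, Web01, Mail01, …") is what a defender can look for. The example below is added here and is not code from the deck or from the kerberoast repository: it runs a sliding-window count of distinct SPNs per requesting account over constructed log lines modelled on Windows Security event 4769 (the line layout is an assumption, not the real event format).

```python
# Added example, not from Tim Medin's deck or the kerberoast repo: flag an account
# that requests service tickets for many distinct SPNs in a short window (slide 18).
# Lines mimic Windows event 4769 fields; the whitespace layout is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp EventID AccountName ServiceName ClientAddress)
SAMPLE_LOG = """\
2014-10-01T09:00:01 4769 tim@MEDIN.LOCAL MSSQL/db01.medin.local 10.0.0.5
2014-10-01T09:00:02 4769 tim@MEDIN.LOCAL HTTP/charlotte.medin.local 10.0.0.5
2014-10-01T09:00:02 4769 tim@MEDIN.LOCAL MAIL/cliff.medin.local 10.0.0.5
2014-10-01T09:00:03 4769 tim@MEDIN.LOCAL CIFS/fs01.medin.local 10.0.0.5
2014-10-01T09:00:03 4769 tim@MEDIN.LOCAL LDAP/dc01.medin.local 10.0.0.5
2014-10-01T09:05:00 4769 alice@MEDIN.LOCAL MAIL/cliff.medin.local 10.0.0.9
2014-10-01T10:00:00 4769 alice@MEDIN.LOCAL HTTP/charlotte.medin.local 10.0.0.9
2014-10-01T11:00:00 4769 alice@MEDIN.LOCAL MSSQL/db01.medin.local 10.0.0.9
"""

def parse_4769(text):
    """Yield (time, account, spn) per 4769 line; skip other events and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "4769":
            continue
        yield datetime.fromisoformat(parts[0]), parts[2], parts[3]

def find_bulk_spn_requesters(text, window=timedelta(minutes=5), threshold=4):
    """Return {account: sorted distinct SPNs} for every account that asked for
    tickets to at least `threshold` distinct SPNs inside one sliding `window`."""
    by_account = defaultdict(list)
    for when, account, spn in parse_4769(text):
        by_account[account].append((when, spn))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past old events
            spns = {spn for _, spn in events[start:end + 1]}
            if len(spns) >= threshold:
                flagged[account] = sorted(spns)
                break
    return flagged

if __name__ == "__main__":
    for account, spns in find_bulk_spn_requesters(SAMPLE_LOG).items():
        print(f"{account}: {len(spns)} distinct SPNs in one window -> {spns}")
```

Tune `window` and `threshold` to the environment: one account legitimately touching a handful of services over a day is normal, dozens of distinct SPNs within seconds is not.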
