Kicking the Guard Dog of Hades - Attacking Microsoft Kerberos - Tim Medin(1)
Attacking Kerberos: Kicking the Guard Dog of Hades – ©2014 Tim Medin - @timmedin 1
Code: https://github.com/nidem/kerberoast<br />
Slides: https://www.dropbox.com/s/d7xpwdu8cvq149s/Kerberoastv2.pdf?dl=0<br />
Level of Access (figure; items as they appear, top to bottom):<br />
Full Domain Compromise<br />
Golden Ticket<br />
Initial Compromise<br />
Ticket Rewriting<br />
Kerberoast/Mimikatz<br />
Kerberoast Cracking<br />
No Access<br />
Tim: I'm Tim, and I need to authenticate to something. Here is a request encrypted using my password hash.<br />
KDC (Key Distribution Center, the Windows Domain Controller): I can decrypt your communication using your NTLM hash. Here is a TGT encrypted with your NTLM hash.<br />
Tim: I need to authenticate to a service via Kerberos. Can I get a ticket for another service? Here is my TGT to verify my identity.<br />
KDC (Key Distribution Center, the Windows Domain Controller): Sure, here it is. I don't check if you have permissions on the target service. I leave that up to the service. I have enough to do.<br />
Tim: Here is some stuff I can't read, but the KDC says this should verify me.<br />
Other Server: I can decrypt this ticket, and the HMAC signature using my hash as the key is good. I see your user info in this ticket, but before I authorize you I may* need to verify the details.<br />
Tim: I need to talk to the mail server on cliff.medin.local.<br />
KDC: Before I can send a ticket I need to encrypt it using the target server's hash.<br />
Service Principal Name: Service Account<br />
MAIL/cliff.medin.local: mailsvc<br />
HTTP/charlotte.medin.local: websvc<br />
MSSQL/db01.medin.local: sqlengine<br />
Tim: Here is my TGT. Can I get a ST for Sql01, Web01, Mail01, …<br />
KDC: Sure thing! Your TGT looks good. The services will authorize you, not me. I can't keep track of all that.<br />
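The burst of service ticket requests in the exchange above is visible to a defender on the domain controller: every TGS request is written to the Security log as event 4769 ("A Kerberos service ticket was requested") once the "Audit Kerberos Service Ticket Operations" subcategory is enabled. The Python below is an added example for this page, not Tim Medin's code and not part of the kerberoast repository. It runs a sliding window over constructed 4769-style records (the field names are assumed to mirror the event's XML data names; the values are made up around this deck's service accounts) and flags an account that requests RC4-encrypted (etype 0x17) tickets for several SPN-bearing user accounts within a few minutes, which is the pattern of a tool pulling a ticket for every SPN at once.

```python
"""Flag one account requesting RC4 service tickets for many different
SPN-bearing user accounts in a short window, from 4769-style records.

Added example (not the deck's or the kerberoast project's code).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not captured data. Field names follow the
# data names of Security event 4769; the accounts match this deck's slides.
SAMPLE_EVENTS = [
    # ordinary user touching two services over a morning (AES, spread out)
    {"time": "2014-10-01T08:02:11", "TargetUserName": "alice@MEDIN.LOCAL",
     "ServiceName": "mailsvc", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"time": "2014-10-01T08:40:53", "TargetUserName": "alice@MEDIN.LOCAL",
     "ServiceName": "websvc", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"time": "2014-10-01T09:15:02", "TargetUserName": "alice@MEDIN.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    # burst: one account, one host, every service account, all RC4, two seconds
    {"time": "2014-10-01T13:00:00", "TargetUserName": "tim@MEDIN.LOCAL",
     "ServiceName": "mailsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"time": "2014-10-01T13:00:01", "TargetUserName": "tim@MEDIN.LOCAL",
     "ServiceName": "websvc", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"time": "2014-10-01T13:00:01", "TargetUserName": "tim@MEDIN.LOCAL",
     "ServiceName": "sqlengine", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"time": "2014-10-01T13:00:02", "TargetUserName": "tim@MEDIN.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.77"},
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769


def is_roastable_target(service_name):
    """Only user accounts with an SPN matter here: computer accounts ($) and
    krbtgt carry long random keys, so they are excluded to cut noise."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoast(events, window=timedelta(minutes=5), min_distinct=3):
    """Return one alert per (user, source IP) that requested RC4 service
    tickets for at least `min_distinct` distinct roastable service accounts
    inside any `window`-long span of time."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        if not is_roastable_target(ev["ServiceName"]):
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        by_actor[key].append((datetime.fromisoformat(ev["time"]), ev["ServiceName"]))

    alerts = []
    for (user, ip), reqs in by_actor.items():
        reqs.sort()
        start = 0
        best = set()
        # sliding window: advance `start` until the span fits inside `window`
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {name for _, name in reqs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_distinct:
            alerts.append({"user": user, "ip": ip, "services": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS):
        print(f"{alert['user']} from {alert['ip']} pulled RC4 tickets for: "
              f"{', '.join(alert['services'])}")
```

The thresholds are deliberately conservative: the AES-only requests from alice never enter the window, and the DC01$ ticket is dropped as a machine-account target, so the only alert is tim's three RC4 tickets inside two seconds. In a real environment raise `min_distinct` to fit the number of SPN-bearing user accounts and tune `window` against the baseline from the domain controllers.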
Service's Hash<br />
Inject Straight into RAM (hidden feature)<br />