Presenting the Kerberos protocol, flaws and mitigation

1. Kerberos attacks explained
….somewhat
By Peter Swedin

2. Easy authentication

3. • The user Alice logs on
to her domain joined
client.
• Alice then accesses the
intranet.
• User is greeted with
”Welcome Alice!”
without authenticating
to the web service.
• Kerberos SSO!

4. The handshake

5. Challenges
• KDC validation
• Replay attacks
• Downgrade attacks
• Pass-the-ticket attacks

6. MitM
• An Attacker can trick the client into believing
he is the KDC during the AS negotiation
• But in order to create the Service Ticket the
attacker has to know the shared secret
between the client and the KDC…

7. The problem with AS_REQ
• During password authentication, AS_REQ is
encrypted with a key derived from the
password.
• Most of AS_REQ is sent in the clear (without
server validation), making it possible for man-in-
the middle attacks

8. The problem with ERR PREAUTH
REQUIRED
• A phony KDC can ask the client to use a weak
encryption algorithm (downgrade etype attack)
• DES and Windows ”export grade” RC4 are
vulnerable to brute-forcing and dictionary attacks
• The MITM attacker can manipulate the seed
making the key easier to crack

9. Platforms vulnerable to etype
downgrade attacks
• MIT Kerberos v1.7 and below will accept any
form of DES
• Windows 2008 / Vista and prior will accept
any form of DES

10. MitM
• When a client computer joins the domain,
there is no need for a Service Ticket
The attacker can own the client and its
identity by acting as a proxy between the real
KDC and the client

11. Smart card Kerberos auth in pre-
Windows 2008R2 domains is
vulnerable to MiTM attacks
• Windows clients will not check the DC
certificate for the EKU (Enhanced Key Usage)
id-pkinit-PKPKdc, unless told to do so.
• For whatever reason the Server
Authentication EKU is considered enough,
making every client with a computer
certificate a possible MiTM platform.

12. Pass-the-Ticket Attack
The Attack
The Pass-the-Ticket attack enables an attacker to
authenticate to a Windows server using the
Kerberos "ticket granting ticket" of a user recently
logged into the domain.
After previously compromising and gaining
privileged access to a computer logged into the
domain, the attacker extracts the Kerberos ticket
granting ticket and uses it to access all servers the
victim is authorized to access.

13. Pass-the-Ticket Attack Tools
• Tools for the attack include:
• Windows Credentials Editor (WCE),
• KDE Replay,
• Corelab Pass-the-Hash Toolkit, SMBShell
• Mimikatz

14. The Golden Ticket
• Using pass-the-ticket or pass-the-hash, gain
Domain administrator privileges
• Obtain the NTLM hash from the krbtgt user
from a pre-2008R2 Domain Controller
• Use Mimikatz to produce fake TGT for any
user (even non existing users will work)
• Pwnd

16. Risk asessment – Kerberos attacks
Popularity Low
Ease of Implementation Medium/easy
Impact high
Remotely Exploitable Yes
Risk High

17. Hardening Microsoft Kerberos
• Use ONLY Windows 2012R2 Domain Controllers
• Use AES 256
• Disallow etype downgrade
• Use Kerberos KDC certificates (requires a 2008 R2
Certificate Authority or later)
• Enable the GPO ”Require strict KDC validation”
• Only allow clients to join the domain from a
separate, secure network segment

18. Pass-the-Ticket Defenses
Very hard to detect, since it is a valid protocol
doing valid things
Change KRBTGT password, TWICE
Upgrade to 2012R2 on ALL DCs
Or apply patch KB 2871997
(A SIEM solution may be able to determine that the
ticket granting ticket is being used inappropriately).

19. Questions?