Kerberos and LDAP-Based Attacks
Kerberos is the default authentication protocol in Windows Active Directory and is also used by other operating systems. It has three key components:
Client
Server
Key Distribution Center (KDC), including the authentication server and ticket-granting server.
The basic steps for Kerberos authentication are:
Client sends an authentication request to the authentication server in the KDC.
The authentication server verifies the client's identity (in AD, through a pre-authentication timestamp encrypted with the user's key) and returns a session key plus a TGT (Ticket-Granting Ticket). The TGT is encrypted with the key of the domain's KRBTGT account, so only the KDC can read or validate it.
Client sends the TGT to the ticket-granting server, requesting a ticket for a specific service (identified by its SPN).
Ticket-granting server generates a service ticket, encrypted with the key of the account that runs the service, and sends it to the client.
Client presents the service ticket to the server.
Server decrypts the ticket with its own key and grants access based on the identity and group information inside it.
AD uses LDAP as its directory access protocol, and Windows LDAP supports Kerberos authentication (via SASL/GSSAPI). One of the best-known attacks against Kerberos is the golden ticket attack. A golden ticket is a forged TGT, created with the password hash (or AES key) of the domain's KRBTGT account. Because the KDC validates a TGT only by decrypting it with that key, it accepts a forged TGT for any user and any group membership the attacker writes into it, for as long as the KRBTGT key is unchanged. Obtaining the hash requires prior domain-level compromise (domain admin or equivalent access to a domain controller), and the remedy is to reset the KRBTGT password twice so that both the current and previous keys are rotated.
A silver ticket attack is similar but narrower. Silver tickets are forged service tickets for a particular service on a particular server. To create one, you need the password hash of the account that runs the service (often the computer account, for services such as CIFS or HOST), the security identifier (SID) of the domain, the FQDN of the target server, and the service class (SPN). Because the forged ticket is presented directly to the service, the KDC is never contacted, so no domain controller event records the request.
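The authentication flow above and the two forgeries are easiest to see in a runnable model. The following is an added example, not code from the page or from any real Kerberos implementation: a toy KDC and service in Python where tickets are sealed with a SHA-256 keystream plus HMAC (a stand-in for the Kerberos encryption types), JSON dicts stand in for ASN.1, and the realm, SID, principal names, KRBTGT_KEY and SERVICE_KEYS are all made up. The point it demonstrates is structural: the KDC trusts anything it can open with the KRBTGT key (golden ticket), and the service trusts anything it can open with its own key (silver ticket), so whoever holds either key can mint tickets with arbitrary identity and group claims.

```python
# Toy model of the Kerberos trust chain (added example; not from the page or any real KDC).
# seal/open_sealed stand in for Kerberos encryption types; string_to_key for string-to-key.
import hashlib, hmac, json, os, time

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Keystream derived from key and nonce (toy construction, illustration only).
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a dict under key. Only a holder of `key` can open or forge the blob."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad ticket: MAC check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key (real AES etypes use PBKDF2 salted with realm+name).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

REALM, SID = "CORP.LOCAL", "S-1-5-21-1111-2222-3333"      # made-up realm and domain SID
KRBTGT_KEY = os.urandom(32)                               # what a golden ticket needs
SPN = "cifs/fs01.corp.local"
SERVICE_KEYS = {SPN: os.urandom(32)}                      # what a silver ticket needs
USERS = {"alice": (string_to_key("Summer2024!", REALM + "alice"), ["Domain Users"])}

def kdc_as_exchange(user: str, password: str):
    """AS-REQ/AS-REP: pre-auth proves the password; the TGT is sealed under the KRBTGT key."""
    ukey, groups = USERS[user]
    preauth = seal(string_to_key(password, REALM + user), {"ts": time.time()})
    open_sealed(ukey, preauth)                            # raises on a wrong password
    sk = os.urandom(32)
    tgt = seal(KRBTGT_KEY, {"cname": user, "sid": SID, "groups": groups, "sk": sk.hex()})
    return tgt, sk

def kdc_tgs_exchange(tgt: bytes, authenticator: bytes, spn: str):
    """TGS-REQ/TGS-REP: the KDC trusts whatever it can open with the KRBTGT key."""
    t = open_sealed(KRBTGT_KEY, tgt)                      # no directory lookup of the user
    if open_sealed(bytes.fromhex(t["sk"]), authenticator)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match TGT")
    ssk = os.urandom(32)
    st = seal(SERVICE_KEYS[spn], {"cname": t["cname"], "sid": t["sid"],
                                  "groups": t["groups"], "sk": ssk.hex()})
    return st, ssk

def service_ap_exchange(spn: str, st: bytes, authenticator: bytes) -> dict:
    """AP-REQ: the service only checks that the ticket opens with its own key."""
    t = open_sealed(SERVICE_KEYS[spn], st)
    if open_sealed(bytes.fromhex(t["sk"]), authenticator)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match ticket")
    return {"user": t["cname"], "groups": t["groups"]}

def legitimate_logon() -> dict:
    tgt, sk = kdc_as_exchange("alice", "Summer2024!")
    st, ssk = kdc_tgs_exchange(tgt, seal(sk, {"cname": "alice"}), SPN)
    return service_ap_exchange(SPN, st, seal(ssk, {"cname": "alice"}))

def golden_ticket(krbtgt_key: bytes) -> dict:
    """Forge a TGT for a principal that never pre-authenticated, then use the KDC normally."""
    sk = os.urandom(32)
    tgt = seal(krbtgt_key, {"cname": "Administrator", "sid": SID,
                            "groups": ["Domain Admins"], "sk": sk.hex()})
    st, ssk = kdc_tgs_exchange(tgt, seal(sk, {"cname": "Administrator"}), SPN)
    return service_ap_exchange(SPN, st, seal(ssk, {"cname": "Administrator"}))

def silver_ticket(service_key: bytes) -> dict:
    """Forge a service ticket directly; the KDC is never contacted, so it logs nothing."""
    ssk = os.urandom(32)
    st = seal(service_key, {"cname": "Administrator", "sid": SID,
                            "groups": ["Domain Admins"], "sk": ssk.hex()})
    return service_ap_exchange(SPN, st, seal(ssk, {"cname": "Administrator"}))

if __name__ == "__main__":
    print(legitimate_logon())
    print(golden_ticket(KRBTGT_KEY))
    print(silver_ticket(SERVICE_KEYS[SPN]))
```

Note what each forgery skips: the golden ticket still goes through the TGS exchange, so the domain controller records a service ticket request (for a TGT it never issued), whereas the silver ticket goes straight to the service and leaves nothing on the KDC. A forgery with the wrong key fails at the MAC check, which is the model's equivalent of a real service being unable to decrypt the ticket.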
Kerberoasting is another post-exploitation attack, used to extract service account credential material from AD for offline cracking. Any authenticated domain user can request a service ticket for any account that has an SPN registered, and that ticket is encrypted with a key derived from the service account's password, so the ticket itself can be cracked offline (RC4-encrypted tickets fastest of all). It is effective because no elevated privileges or domain admin credentials are needed, and because the cracking is done offline, no packets are ever sent to the target service.
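Because the ticket requests do reach the domain controller, the detection opportunity is event 4769 ("A Kerberos service ticket was requested") on the DCs. The following is an added example, not from the page: a heuristic in Python that flags an account pulling RC4 tickets (encryption type 0x17) for many distinct non-machine service accounts within a short window. The event lines are constructed for the example in a flattened one-line form; the field names follow the 4769 event, the account and service names are made up.

```python
# Added example (not from the page): Kerberoasting heuristic over Windows Security event 4769.
# The log lines are constructed sample data in a flattened one-line form.
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = """\
2024-05-02T10:00:01 EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 FailureCode=0x0
2024-05-02T10:00:02 EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 FailureCode=0x0
2024-05-02T10:00:02 EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 FailureCode=0x0
2024-05-02T10:00:03 EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x17 FailureCode=0x0
2024-05-02T10:00:03 EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x17 FailureCode=0x0
2024-05-02T10:00:04 EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=svc_reporting TicketEncryptionType=0x17 FailureCode=0x0
2024-05-02T10:05:00 EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 FailureCode=0x0
2024-05-02T10:06:00 EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 FailureCode=0x0
2024-05-02T11:00:00 EventID=4769 AccountName=carol@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 FailureCode=0x0
"""

LINE = re.compile(r"(?P<ts>\S+) EventID=4769 AccountName=(?P<acct>\S+) ServiceName=(?P<svc>\S+) "
                  r"TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+) FailureCode=(?P<fail>0x[0-9a-fA-F]+)")
RC4_HMAC = 0x17   # etype 0x17; AES128 is 0x11 and AES256 is 0x12

def parse_events(text: str):
    """Yield parsed 4769 records from the flattened log text; unmatched lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["etype"] = int(d["etype"], 16)
            yield d

def roasting_candidates(events, window=timedelta(minutes=5), min_services=4) -> dict:
    """Flag accounts that obtain RC4 tickets for >= min_services distinct user service
    accounts inside one time window. Machine accounts (name ending in $) and krbtgt are
    excluded: their passwords are long and random, so those tickets are not crackable and
    are not what a Kerberoaster requests."""
    per_account = defaultdict(list)
    for e in events:
        if e["etype"] != RC4_HMAC or e["fail"] != "0x0":
            continue
        if e["svc"].endswith("$") or e["svc"].lower() == "krbtgt":
            continue
        per_account[e["acct"]].append((e["ts"], e["svc"]))
    findings = {}
    for acct, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # slide the window over this account's requests
            svcs = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(svcs) >= min_services:
                findings[acct] = sorted(svcs)
                break
    return findings

if __name__ == "__main__":
    for acct, svcs in roasting_candidates(parse_events(EVENTS)).items():
        print(f"possible Kerberoasting by {acct}: {', '.join(svcs)}")
```

On the sample data only alice is flagged: five distinct user service accounts requested with RC4 within a few seconds, while her FS01$ request is ignored. bob requests AES tickets and carol only one service, so neither is reported. The RC4 filter is a prioritisation rather than a hard rule: environments with old applications generate legitimate 0x17 tickets, and a Kerberoaster can also request AES tickets (0x12) that simply take longer to crack, so the volume-per-window test is the part worth keeping even if the encryption-type filter is relaxed.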