Intro to Kerberos
March 20, 2021
by zjxy

Kerberos is a rather complex topic. It underpins many of the more well-known abuse primitives within Active Directory environments, and it can also be a bit elusive as to how it works, since it has so many intricacies. I will be trying to make this into a sort of series, as it would be near impossible for me to fully cover the topic of Kerberos in a single post. So the goal of this upload is to give a brief explanation of what's going on under the hood, so we can better understand exactly what we're trying to do when we attempt to abuse this technology.

Depicted below is a representation of the Kerberos authentication flow.

There are a couple of things happening in this example, so I will try my best to break this down.

To begin, we have to understand that Kerberos has 2 types of authentication requests that can be made.

These are TGT requests and TGS requests, known as AS-REQ and TGS-REQ respectively.

For each of these requests there is a corresponding response, known as AS-REP and TGS-REP.

These requests are made to a computer known as the Key Distribution Center (KDC); in an Active Directory environment this role is held by the Domain Controller.

The key difference to understand between TGTs and TGSs is that a TGT is issued to a client as authentication to the network, while a TGS is issued to a client as authentication to a specific service.

I'll explain services in this post very shortly.

That may sound a bit confusing so I've prepared an example to hopefully help it make more sense:

Here we have Bob. When Bob gets to work, he first needs to log in to his workstation when he turns his computer on. He then needs to check on a customer's account he was working on the day prior.

When Bob enters his credentials to log into the workstation, he is requesting a TGT because he is trying to log on to the network. This TGT request is made using a secret key that is derived from Bob's password.

The KDC then receives Bob's TGT request and verifies the secret key against the password it has stored in Active Directory for Bob. Once validated, it returns the TGT in an AS-REP response. This TGT contains the user's identity and is encrypted using the KDC's secret key (the key of the krbtgt account), so the client cannot read or alter its contents.

Bob is now logged onto the corporate network.

Now, after he's logged in, let's say Bob needs to access a specific file share or application in order to get the customer's account information that he was working on previously.

Bob is now attempting to access a resource that is backed by Kerberos authentication. We can refer to this as a service.

What happens now is that Bob's machine looks up the Service Principal Name (SPN) associated with this service. It then sends a TGS-REQ to the KDC asking for a Ticket Granting Service ticket (TGS) for that service. In order to do this, it presents its TGT as a means of proving that Bob is a valid, already-authenticated user.

It is very important to note that this happens after the user has logged in! We need a user to act on behalf of in order to gain access to the service.

The KDC will then return a TGS (TGS-REP) for the service in question to the user, which is then presented to the actual service. The service inspects the TGS and decides whether it should grant the user access or not.
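The whole exchange above (AS-REQ/AS-REP, then TGS-REQ/TGS-REP, then the service checking the ticket), as an added example that is not part of the original post: a simulated client, KDC and service in Python. The cipher, account names, SPNs and passwords are assumptions constructed for the example; real Kerberos uses AES encryption types, and this toy only models which party holds which key, so that only the KDC can read Bob's TGT and only the file server can read the TGS.

```python
import hashlib, hmac, json, os, time
# Toy authenticated cipher standing in for Kerberos' AES encryption types; it only
# models "who holds which key" and is not how real Kerberos encrypts (assumption of this example).
def kdf(password, salt):                 # long-term key derived from an account password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)
def _stream(key, nonce, n):              # expand key+nonce into n keystream bytes
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]
def seal(key, obj):                      # encrypt-then-MAC a small JSON message
    nonce, pt = os.urandom(12), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):                   # raises if the key is wrong or the blob was altered
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed sample accounts: a user, the krbtgt account and two services (each SPN names its key).
ACCOUNTS = {"bob": "Summer2021!", "krbtgt": "krbtgt-long-random-secret",
            "cifs/fileserver": "svc-secret", "http/web": "web-secret"}

class KDC:
    def __init__(self, accounts):
        self.keys = {name: kdf(pw, name) for name, pw in accounts.items()}  # what AD stores per account

    def as_exchange(self, user, preauth):           # AS-REQ -> AS-REP
        unseal(self.keys[user], preauth)            # timestamp sealed with the user's key proves the password
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": user, "key": session})  # opaque to the client
        return tgt, seal(self.keys[user], {"key": session})

    def tgs_exchange(self, tgt, spn, authenticator):  # TGS-REQ -> TGS-REP
        t = unseal(self.keys["krbtgt"], tgt)        # only the KDC can read the TGT it issued
        unseal(bytes.fromhex(t["key"]), authenticator)
        svc_session = os.urandom(32).hex()
        tgs = seal(self.keys[spn], {"cname": t["cname"], "key": svc_session})  # readable only by that service
        return tgs, seal(bytes.fromhex(t["key"]), {"key": svc_session})

def service_accepts(spn, tgs):           # the service decrypts the TGS with its own long-term key
    try:
        return unseal(kdf(ACCOUNTS[spn], spn), tgs)["cname"]
    except ValueError:
        return None

def bob_logs_in_and_opens_share(kdc, spn="cifs/fileserver"):
    bob_key = kdf(ACCOUNTS["bob"], "bob")
    tgt, rep = kdc.as_exchange("bob", seal(bob_key, {"ts": time.time()}))
    session = bytes.fromhex(unseal(bob_key, rep)["key"])           # Bob learns the session key, not the TGT contents
    tgs, _ = kdc.tgs_exchange(tgt, spn, seal(session, {"ts": time.time()}))
    return tgt, tgs
```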

That is a very basic example of how Kerberos works in an Active Directory environment. These fundamentals are essential to understand if we want to be able to confidently abuse this technology. My next post will be diving into some of the different ways we can take advantage of this.