Controlling and monitoring Access Flashcards
Kerberos Definition
Authentication system that uses ticketing.
Uses symmetric key encryption for confidentiality and integrity of communications.
Kerberos System Components
Key distribution center (KDC): Trusted third party that provides authentication services. All clients and servers are registered with the KDC.
Kerberos Authentication Server: Hosts the KDC services: Ticket Granting Service (TGS) and Authentication Service (AS).
Ticket: Encrypted message that provides proof a subject is authorized to access an object. (AKA Service Ticket)
Ticket Granting Ticket (TGT): Encrypted message providing proof subject has authenticated through the KDC and is authorized to request tickets to access objects. Contains symmetric key, IP address and expiration date.
Kerberos Principal: An entity (typically a user) that can be granted a ticket.
Kerberos Realm: A logical area, such as a domain, that is controlled by Kerberos.
Kerberos Login Process (6 steps)
- Enter credentials
- Client sends encrypted credentials to KDC
- KDC verifies credentials
- KDC creates symmetric key hashed with user’s password. It also creates timestamped encrypted TGT.
- KDC sends symmetric key and TGT to client
- Client installs TGT until it expires and decrypts using hash of user password.
Kerberos Object Access Process
- Client sends TGT to KDC with request to access a resource
- KDC verifies TGT and checks access list to see if subject is authorized to access object
- KDC generates service ticket and sends to client
- Client sends service ticket to server/service hosting object for access
- Server/service verifies validity of service ticket with KDC
- Once identity and authorization are verified by KDC and service, access is granted to subject.
Pass the Hash
?
Overpass the Hash
Attacker requests a TGT with the user’s hash and uses this to access network resources. Used when NTLM is disabled on network and Pass the Hash is not available. Also called Pass the Key.
Pass the Ticket
Try to harvest tickets from lsass.exe and then inject them into a user to attempt impersonation.
Silver Ticket
Captures NTLM hash from a service account to create a ticket granting service ticket. Gives hacker same access as service account.
Golden Ticket
Steals hash of the KRBTGT Kerberos service account. Can create tickets at will.
Kerberos Brute-force
Used to guess usernames and passwords. Kerberos reports if they are valid.
ASREPRoast
Identifies users that don’t have Kerberos pre-authentication enabled.
Kerberoasting
Collects TGTs or TGSs and tries to decrypt them offline.