SEC560.5 domain domination and Azure annihilation

Question 1

Three components of Kerberos

Answer 1

1. KDC (key distribution center)
2. Client (requesting services)
3. Service (Service Principal Name)

Question 2

SPN

Answer 2

Service Principal Name

Question 3

Each party in a Kerberos environment _______ to the Kerberos server and receives a __________

Answer 3

1. Authenticates
2. TGT (ticket granting ticket)

Question 4

If Kerberos can’t be used, Windows will fall back to _____

Answer 4

NTLM v1/v2

Question 5

Primary authentication mechanism in the Microsoft Active Directory domain

Answer 5

Kerberos

Question 6

Kerberos allows a _________ and _________ to authenticate over an _________ _________ channel

Answer 6

Client
Server
Insecure
Network

Question 7

KDC

Answer 7

Key distribution center

Question 8

SPN is an exclusive term to _________

Answer 8

Kerberos

Question 9

The AS (_________ _________) is a logical role on the _________ _________

Answer 9

Authentication server
Domain controller

Question 10

TGS

Answer 10

Ticket granting service

Question 11

Another logical role of the KDC/DC:

Answer 11

TGS (ticket granting service)

Question 12

What is sent by the client in the (first) pre-authentication step for Kerberos authN?

Answer 12

User’s workstation sends AS-REQ to the AS

Question 13

What does the AS-REQ include?

Answer 13

Timestamp encrypted with user’s NT hash

Question 14

How does KDC verify AS-REQ?

Answer 14

Has user’s password hash in db and will attempt to decrypt the message

Question 15

What happens if KDC can verify AS-REQ?

Answer 15

If timestamp still valid, client is given TGT by the TGS (AS-REP)

Question 16

The client first receives a TGT for the _______ service and can be used to ________________________

Answer 16

krbtgt

Request other tickets

Question 17

PAC

Answer 17

Privileged attribute certificate

Question 18

KDC long-term secret key usage (1)

Answer 18

Encrypt TGT (AS-REP)

Question 19

KDC long-term secret key usage (2)

Answer 19

Sign PAC

(AS-REP and TGS-REP)

Question 20

Client long-term secret key usage (1)

Answer 20

Check encrypted timestamp (AS-REQ)

Question 21

Client long-term secret key usage (2)

Answer 21

Encrypt session key (AS-REP)

Question 22

Target (SPN) long-term secret key usage (1)

Answer 22

Encrypt service portion of the ST (TGS-REP)

Question 23

Target (SPN) long-term secret key usage (2)

Answer 23

Sign PAC (TGS-REP)

Question 24

KDC long-term secret key is the password hash of the ________ service account

Answer 24

krbtgt

Question 25

Client long-term secret key is the _______ _________ of the ________ acct

Answer 25

password hash

Client

Question 26

Most risky Kerberos long term secret key to compromise

Answer 26

KDC long-term secret key

Question 27

Advantage of compromising KDC long-term secret key

Answer 27

Can recreate TGTs and sign PACs, allowing us to obtain all privileges within the domain

Question 28

PAC contains

Answer 28

user’s authorization and privileges

e.g., group memberships

Question 29

With ______ hash, it’s possible to forge _____ to contain any desired privilege in the domain

Answer 29

krbtgt

PAC

Question 30

Kerberos 3 long-term keys

Answer 30

KDC (domain controller)

Client

Target (SPN)

Question 31

Kerberos is stateful or stateless?

Answer 31

Stateless

Question 32

In Kerberos, state is stored in ______

Answer 32

Tickets

Question 33

PAC is contained within the ____

Answer 33

TGT

Question 34

PAC is signed with what 2 keys

Answer 34

Target LT key

KDC LT key

Question 35

The _____ is the first ticket received by the client

Answer 35

TGT

Question 36

For TGT, the target is the _____ account

Answer 36

krbtgt

Question 37

To prevent entire TGT from being tampered with

Answer 37

It is encrypted with KDC long-term key

Question 38

In the TGS-REQ, the user wants to

Answer 38

Authenticate to a certain service

Question 39

In the TGS-REQ, the user sends the following to the KDC

Answer 39

An authenticator message (encrypted with the Client/TGS session key)

Encrypted TGT and a ticket request (referencing a certain SPN)

Question 40

The TGT contains a Client/TGS _____ ______ is used for __________________

Answer 40

session key

future communications between the client and the TGS

Question 41

TGT contains what data related to time

Answer 41

start time

End time

MaxRenew

Question 42

In Kerberos flow, authorization is the responsibility of the KDC or the target service?

Answer 42

Target service (SPN)

Question 43

ST

Answer 43

Service ticket

Question 44

ST has 2 parts:

Answer 44

Client portion

Server portion

Question 45

ST client portion:

Answer 45

Encrypted using Client/TGS session key (so it can be decrypted by the client)

Question 46

ST server portion

Answer 46

Encrypted using target LT key (password hash of target service)

Also includes PAC

Question 47

SPN is formatted as

Answer 47

serviceclass/host:port

Question 48

When is the port included in the SPN?

Answer 48

If the service runs on a nonstandard port

Question 49

Examples of service class in an SPN

Answer 49

HTTP, HOST, TERMSVR, MSSQLSvc

Question 50

The host in the SPN is typically the

Answer 50

FQDN

Question 51

Since the Service Ticket is encrypted, using the password hash of the target service, KDC needs to store a mapping of….

Answer 51

… the SPN to the underlying account so it can select the correct hash to use the encryption key

Question 52

What does this tool do?

setspn.exe

Answer 52

Create mappings of SPNs to underlying accounts

Get a list of SPNs

Question 53

SMTP/cliff.sec560.local > mailsvc

This is an example of:

Answer 53

KDC mapping of SPN to underlying account

Question 54

In Kerberos, to access a service, the user presents the ________ _________ to the target server

Answer 54

Service ticket

Question 55

The service ticket is encrypted using the ___________ _________ of the target service account

Answer 55

Password hash

Question 56

A client can request a ticket for a service, even if

Answer 56

• client would not have permissions to access the service
• the service is not accessible to the client due to fire wall rules, etc.
• the server could be off-line
• The server could be removed from the environment, as long as the SPN still exists

Question 57

Kerberoast attack

Answer 57

Request USER account tickets then crack them

(depends on a crackable password set by a user or admin)

Question 58

setspn -T * -Q /

Answer 58

Query SPNs command

Question 59

Multiple tools available to obtain tickets (Kerberoasting)

Answer 59

Impacket GetUserSPNs.py

Invoke-Kerberoast (PowerShell and Empire)

PowerShell (manual) plus mimikatz to extract from RAM

Question 60

Kerberoast attack steps (4)

Answer 60

1. Query AD for USER accounts with SPNs
2. Request RC4 (or AES) Service Tickets from the Domain Controller using these SPN values
3. Extract received Service Tickets and dump to file
4. Brute force offline to recover the credential (NT hash/password) that was used to encrypt the Service Ticket

Question 61

Most common KDC “etypes” (encryption types):

Answer 61

23 — RC4
17 — AES128
19 — AES256

Question 62

In Kerberoasting, focus on accounts that have:

Answer 62

Elevated domain privileges

Access to sensitive data

Question 63

Pass-the-Ticket

Answer 63

A stolen Kerberos ticket allows access as user on another system

Question 64

What is required for Pass-the-Ticket to be exploited?

Answer 64

Local admin access to a machine where victim user is logged in

Question 65

What is required for Pass-the-Ticket to be exploited?

Answer 65

Local admin access to a machine where victim user is logged in

Question 66

Tools for Pass-the-Ticket

Answer 66

Mimikatz can export all tickets to a file:
kerberos::list /export

Rubeus has similar functionality

Question 67

Pass the ticket attacks could involve both ____ and/or ______ ticket types

Answer 67

ST

TGT

Question 68

Overpass-the-Hash

Answer 68

Variant of Pass-the-Hash when NTLM is disabled

Uses stolen password hash to perform pre-authentication and get valid TGT for the user

Question 69

Golden Ticket

Answer 69

Use password hash of krbtgt account to forge TGT

(e.g., make ourselves domain admin with forged PAC and more permissions)

Question 70

5 ways to persist admin access to the AD:

Answer 70

Dump NTDS.dit (all creds)

Create domain admin account (w strong creds)

Create Kerberos golden ticket allowing long-term access

Create Skeleton Key, allows authN as any user in environment

DCSync attack

Question 71

Domain password hashes are in the __________ file

Answer 71

ntds.dit

Question 72

System key (used to encrypt ntds.dit) is stored in

Answer 72

HKLM\System

Registry hive

Question 73

How to access ntds.dit file (3 ways):

Answer 73

Use the Volume Shadow Copy service to create a read only copy and download the file

Use ntdsutil.exe and the “install for media” (IFM) capability

Poorly secured backups of the domain controller drives (e.g., open network shares)

Question 74

Commonly used tool to decrypt and extract hashes from NTDS.DIT

Answer 74

Impacket secretsdump.py

Question 75

A simple attack to achieve persistence in Active Directory

Answer 75

create a new domain admin user with a password that never expires

Question 76

2 attacks to never perform in production

Answer 76

Skeleton key

DC shadow

Question 77

Skeleton key only works for

Answer 77

Kerberos RC4 encryption

Question 78

Skeleton key attack runs in memory so is therefore not _________

Answer 78

Persistent

Question 79

Skeleton key runs on the _____ _________ in memory

Answer 79

domain controller

Question 80

Skeleton key attack allows anyone to authenticate as any user with password of

Answer 80

mimikatz

(default)

Question 81

DCSync attack uses _____ _______ protocol to mimic DC

Answer 81

Domain replication

Question 82

DCSync attack will ________ a DC and request ________ from a target DC

Answer 82

Impersonate

Replication

Question 83

DCSync requires

Answer 83

Domain admin

Replication privileges

Question 84

Example prerequisite attack for
DCSync attack

Answer 84

Golden Ticket to obtain domain admin

Question 85

dCShadow attack

Answer 85

Pushes updates to legitimate DC

Question 86

Prerequisite to DCShadow attack

Answer 86

Obtain Domain Admin rights

Question 87

A Golden Ticket is a forged _____ and is signed with _______ hash

Answer 87

TGT

krbtgt

Question 88

Golden Ticket is used for

Answer 88

Persistence

Question 89

Golden Ticket requires the

Answer 89

NT hash of the krbtgt account

Or the AES key of the krbtgt account

Question 90

Kerberos flow with Golden Ticket SKIPS …..

Answer 90

Logging on (AS-REQ / AS-REP)

Question 91

Golden Ticket forgery is possible once attacker has the _____ ______

Answer 91

krbtgt hash

Question 92

Golden Ticket is typically a TGT for

Answer 92

Admin account (RID 500 in the domain)

Domain Admin

Member of Domain Admins or other powerful group

Question 93

Golden Ticket tools

Answer 93

Impacket ticketer.py

Mimikatz - original tool for ticket creation

Rubeus

Question 94

To generate Golden Ticket you need 3 pieces of data:

Answer 94

krbtgt hash

Domain SID (S-1-5-21-xxx-yyy-zzz)

Full domain name