Tal Be’ery, Sr. Security Research Mgr.; Michael Cherny, Sr. Security Researcher
Watching the Watchdog: Protecting Kerberos
Therefore, attackers must attack the Kerberos protocol!
Keys derived in LSASS (Kerberos) from the password "waza1234/":
des_cbc_md5: f8fd987fa7153185
rc4_hmac_nt (NTLM/MD4): cc36cf7a8514893efccd332446158b1a
aes128_hmac: 8451bb37aa6d7ce3d2a5c2d24d317af3
aes256_hmac: 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b
[Diagram: Kerberos flow between User, KDC and Server: TGT, TGS, ③ TGS-REQ (Server), ④ TGS-REP, ⑤ Usage]
[Slide: example passwords: admin123, wrongpassword, P@$$w0rd1]
https://twitter.com/gentilkiwi/status/556246876505509888
[Diagram: User1's keys held in LSASS (Kerberos), derived from "waza1234/" (des_cbc_md5, rc4_hmac_nt (NTLM/MD4), aes128_hmac, aes256_hmac, the same four values as above); the KDC holds the matching key table and issues the TGT]
KDC key table (user: rc4_hmac_nt, aes256_hmac):
Joe: 21321…, 543..
user1: cc36cf7a…, 1a7ddc…
RC4-HMAC does not have any!
Image (Jodsalz, iodized salt): https://commons.wikimedia.org/wiki/File:Jodsalz_mit_Fluor_und_Folsaeure.jpg
[Diagram: Skeleton Key. User1's key types in LSASS (Kerberos) (des_cbc_md5, rc4_hmac_nt (NTLM/MD4), aes128_hmac, aes256_hmac) are unchanged, but every row of the KDC key table now carries the same extra value ffe34d… between its rc4_hmac_nt and aes256_hmac entries; the KDC issues TGT ff687678....]
KDC key table (user: rc4_hmac_nt, aes256_hmac):
Joe: 21321…, ffe34d…, 543df..
user1: cc36cf…, ffe34d…, 1a7dd…
Skeleton Key: https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
PAC (in TGT):
Username: Administrator
Domain SID: S-1-5-21-4014832156-2573456389-2040062157
User ID: 500 (Administrator)
Group IDs: 512 (Domain Admins), 519 (Enterprise Admins), 518 (Schema Admins), …
CHECKSUM_SRV: HMAC_SHA1, keyed by krbtgt, 3f..
CHECKSUM_KDC: HMAC_MD5, keyed by krbtgt, B6..
Image: https://commons.wikimedia.org/wiki/File:Identification_card_JAPAN.jpg
[Diagram: the same Kerberos flow (TGT, TGS, ③ TGS-REQ (Server), ④ TGS-REP, ⑤ Usage), with the PAC shown inside the tickets at each step; image: https://commons.wikimedia.org/wiki/File:MAC.svg]
[Diagram: the Exploit (Mimikatz) takes the krbtgt key and ticket details and produces a TGT; the Attacker then continues with ③ TGS-REQ (Server), ④ TGS-REP, ⑤ Usage against the Server. Components shown: LSASS (Kerberos), KDC, AD]
PAC (in Service Ticket): same Administrator identity (Domain SID S-1-5-21-4014832156-2573456389-2040062157, User ID 500, Group IDs 512, 519, 518, …)
CHECKSUM_SRV: HMAC_SHA1, keyed by CIFS/Server, 2a..
CHECKSUM_KDC: HMAC_MD5, keyed by krbtgt, 56..
PAC (in TGT): CHECKSUM_SRV HMAC_SHA1, keyed by krbtgt, 3f..; CHECKSUM_KDC HMAC_MD5, keyed by krbtgt, B6..
[Diagram: the same flow (TGT, TGS, ③ TGS-REQ (server), ④ TGS-REP, ⑤ Usage), now with the User running the Exploit; the PAC is shown at each step]
[Diagram: forged 'TGT'. The User runs the Exploit, sends ③ TGS-REQ (KRBTGT) and receives a 'TGT' in ④ TGS-REP; that 'TGT' is then used in TGS-REQ (Server) and TGS-REP against the Server, with the PAC carried at each step]
PAC (in Service Ticket): Administrator identity as above
CHECKSUM_SRV: HMAC_SHA1, keyed by CIFS/Server, 2a..
CHECKSUM_KDC: HMAC_MD5, keyed by krbtgt, 56..
PAC (in "TGT"): Administrator identity as above
CHECKSUM_SRV: MD5, no key, 3f..
CHECKSUM_KDC: MD5, no key, B6..
Diamond photograph courtesy of the U.S. Geological Survey
[Diagram: the forged 'TGT' flow again, with the Exploit and PAC marked and two summary labels: stealing, forge]
https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics