Common Terminologies to keep in mind while attacking Kerberos

Kerberos is the default authentication service for Microsoft Windows domains.

It is intended to be more “secure” than NTLM by using third party ticket authorization as well as stronger encryption.

Even though NTLM has a lot more attack vectors to choose from Kerberos still has a handful of underlying vulnerabilities just like NTLM that we can use to our advantage.

So in case, you are going to attack Kerberos then you must know the common terminologies.

Kerberos authentication overview

A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources from the domain.

The Key Distribution Center is a service for issuing TGTs and service tickets that consist of the Authentication Service and the Ticket Granting Service.

The Authentication Service issues TGTs to be used by the TGS in the domain to request access to other machines and service tickets.

The Ticket Granting Service takes the TGT and returns a ticket to a machine on the domain.

A Service Principal Name is an identifier given to a service instance to associate a service instance with a domain service account. Windows requires that services have a domain service account which is why a service needs an SPN set.

The KDC key is based on the KRBTGT service account. It is used to encrypt the TGT and sign the PAC.

The client key is based on the computer or service account. It is used to check the encrypted timestamp and encrypt the session key.

The service key is based on the service account. It is used to encrypt the service portion of the service ticket and sign the PAC.

Issued by the KDC when a TGT is issued. The user will provide the session key to the KDC along with the TGT when requesting a service ticket.

The PAC holds all of the user’s relevant information, it is sent along with the TGT to the KDC to be signed by the Target LT Key and the KDC LT Key in order to validate the user.

That’s it. I am open to ideas if you have any recommendations. For more on Kerberos check wikipedia.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rahul Bhichher

Cyber Security Engineer at Quantiphi, AWS Community Builder, Volunteer at HIH Community