Kerberos Ticket-Based Attacks Explained: A Friendly Guide
- Jan 27, 2024
- 3 min read
Updated: Feb 13
Kerberos is the default authentication protocol in Windows Active Directory environments, providing secure logins through a system of tickets. But those same tickets can be stolen, replayed or forged, and attackers use each of these routes to gain unauthorized access.
-----------------------------------------------------------------------------------------------------------
1. Pass the Ticket Attack: Hijacking Access
Kerberos authentication relies on tickets cached in memory (on Windows, inside the LSASS process). Attackers with administrative access to a machine can extract these tickets using tools like Mimikatz and reuse them on another system to impersonate the legitimate user, without ever knowing that user's password or hash. Since these tickets remain valid for several hours, attackers get ample time to exploit the access.
How to Defend Against It:
✅ Enable Credential Guard, which isolates tickets and other credentials in a virtualization-protected process that even a local administrator cannot read.
✅ Use Remote Credential Guard for secure remote access, so that RDP sessions do not leave reusable tickets on the remote host.
-----------------------------------------------------------------------------------------------------------
2. Overpass the Hash Attack: NTLM Meets Kerberos
This is a variation of the pass-the-hash attack applied to Kerberos. Kerberos can use RC4-HMAC encryption, and for that cipher the user's key is simply the NTLM (NT) password hash. Instead of using a stolen password, attackers present a stolen NT hash as the Kerberos key to request a TGT and, from it, service tickets, allowing them to authenticate without needing the actual password.
How to Defend Against It:
✅ Add high-privileged users to the Protected Users group, which blocks NTLM authentication for them and forces Kerberos to use AES.
✅ Disable RC4 encryption for Kerberos and enforce the stronger AES encryption, so that a bare NT hash can no longer serve as a Kerberos key.
-----------------------------------------------------------------------------------------------------------
3. Kerberoasting Attack: Cracking Service Account Passwords
Service accounts run critical applications and authenticate using Kerberos service tickets. Any domain user can request a service ticket for any registered service, and that ticket is encrypted with a key derived from the service account's password. Attackers therefore request these tickets, extract the encrypted portion, and crack it offline to recover the service account's password and gain access to the service account.
How to Defend Against It:
✅ Use long, complex and unique passwords for service accounts, so that offline cracking of a captured ticket is not practical.
✅ Implement Managed Service Accounts (MSAs or group MSAs), which generate long random passwords and rotate them automatically.
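Both Overpass the Hash and Kerberoasting leave the same footprint in the domain controller's Security log: Kerberos ticket requests that fall back to RC4-HMAC (encryption type 0x17) in a domain that otherwise uses AES. The following Python is an added example, not code from the original article; it runs the two checks over constructed event records whose keys follow the field names of events 4768 (TGT request) and 4769 (service ticket request). The threshold of three distinct services is an assumption to tune per environment.

```python
"""Flag RC4-encrypted Kerberos ticket requests in Windows Security event data.

Added example (not from the article). Two detections:
  * rc4_tgt_requests     - 4768 with etype 0x17: overpass-the-hash footprint
  * kerberoast_candidates - one requester pulling RC4 4769 tickets for
                            several user-based service accounts
"""
from collections import defaultdict

RC4_HMAC = 0x17   # Kerberos etype 23; the key is the raw NT hash
AES128 = 0x11     # AES128-CTS-HMAC-SHA1-96
AES256 = 0x12     # AES256-CTS-HMAC-SHA1-96

# Constructed sample events. Keys mirror the field names of events 4768
# and 4769 in the Security log; hosts, users and IPs are made up.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.5",
     "TicketEncryptionType": AES256},
    # RC4 TGT request in a domain that otherwise negotiates AES
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.77",
     "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": AES256},
    # one requester, several RC4 tickets for user-based service accounts
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "IpAddress": "10.0.0.9", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web",
     "IpAddress": "10.0.0.9", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "IpAddress": "10.0.0.9", "TicketEncryptionType": RC4_HMAC},
    # krbtgt and computer-account ($) services are excluded from the count
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "10.0.0.9", "TicketEncryptionType": RC4_HMAC},
]


def rc4_tgt_requests(events):
    """Return (user, ip) for every TGT request (4768) issued with RC4.

    In a domain that enforces AES, an RC4 TGT request is the footprint of a
    client offering only RC4, i.e. presenting an NT hash as its key.
    """
    return [(e["TargetUserName"], e["IpAddress"])
            for e in events
            if e["EventID"] == 4768 and e["TicketEncryptionType"] == RC4_HMAC]


def kerberoast_candidates(events, threshold=3):
    """Group RC4 service-ticket requests (4769) by requesting user and host.

    Computer accounts ($) have long random passwords and krbtgt is not a
    crackable target, so both are skipped. A requester with `threshold` or
    more distinct RC4 tickets for user-based services is returned, mapped to
    the sorted list of services it asked for.
    """
    by_requester = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        by_requester[(e["TargetUserName"], e["IpAddress"])].add(svc)
    return {key: sorted(svcs) for key, svcs in by_requester.items()
            if len(svcs) >= threshold}


if __name__ == "__main__":
    for user, ip in rc4_tgt_requests(SAMPLE_EVENTS):
        print(f"RC4 TGT request (possible overpass-the-hash): {user} from {ip}")
    for (user, ip), svcs in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"Kerberoasting pattern: {user} from {ip} -> {', '.join(svcs)}")
```

Run it against exported 4768/4769 records and the two functions return the requesters worth triaging; once RC4 is disabled domain-wide as the article recommends, any RC4 hit becomes a high-confidence alert rather than a pattern that needs a threshold.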
-----------------------------------------------------------------------------------------------------------
4. Golden Ticket Attack: The Master Key to a Domain
Golden Tickets are forged Ticket Granting Tickets (TGTs) that allow attackers to authenticate as any user on a domain indefinitely. This attack requires the password hash of the KRBTGT account, the key with which every TGT is encrypted and signed, so whoever holds it can mint TGTs the domain controllers accept as genuine.
How to Defend Against It:
✅ Regularly reset the KRBTGT account password to invalidate unauthorized tickets. Reset it twice, allowing replication to finish in between, because domain controllers still accept tickets issued under the previous KRBTGT password.
✅ Limit domain admin privileges and monitor privileged accounts closely, since the KRBTGT hash can only be obtained with domain-level privileges (for example via DCSync, below).
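Pass the Ticket and Golden Ticket attacks share one detection angle: a legitimate service ticket request (event 4769) is always preceded by a TGT issued by a domain controller (event 4768) to the same user from the same host. A forged TGT was never issued by any DC, and a stolen TGT is used from a host other than the one it was issued to. The Python below is an added example, not the article's code; the event records are constructed, and the field names follow events 4768 and 4769.

```python
"""Correlate TGT issuance (4768) with service-ticket requests (4769).

Added example (not from the article). Every 4769 is checked against the
4768 history of the same user:
  * no 4768 at all for that user   -> possible forged TGT (Golden Ticket)
  * 4768 exists, but from another host -> possible replayed TGT (Pass the Ticket)
"""
from collections import defaultdict


def normalize_user(name):
    """4768 logs 'alice', 4769 logs 'alice@CORP.LOCAL'; compare bare names."""
    return name.split("@", 1)[0].lower()


# Constructed sample events from a single collection window.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FS01$", "IpAddress": "10.0.0.5"},
    # alice's TGT is used from a host that never received one
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "DC01$", "IpAddress": "10.0.0.200"},
    # Administrator obtained no TGT from any DC in this window
    {"EventID": 4769, "TargetUserName": "Administrator@CORP.LOCAL",
     "ServiceName": "DC01$", "IpAddress": "10.0.0.200"},
]


def correlate(events):
    """Return (verdict, user, source_ip, service) for each suspicious 4769."""
    tgt_hosts = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768:
            tgt_hosts[normalize_user(e["TargetUserName"])].add(e["IpAddress"])

    findings = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        user = normalize_user(e["TargetUserName"])
        ip = e["IpAddress"]
        if user not in tgt_hosts:
            findings.append(("possible-golden-ticket", user, ip, e["ServiceName"]))
        elif ip not in tgt_hosts[user]:
            findings.append(("possible-pass-the-ticket", user, ip, e["ServiceName"]))
    return findings


if __name__ == "__main__":
    for verdict, user, ip, svc in correlate(SAMPLE_EVENTS):
        print(f"{verdict}: {user} from {ip} requested a ticket for {svc}")
```

Two caveats decide whether this is usable: the events must be collected from every domain controller (a TGT issued by DC02 and used against DC01 is legitimate), and the window must be longer than the TGT lifetime, otherwise every user whose TGT predates the window looks like a Golden Ticket. Treat the output as a triage list, not a verdict.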
-----------------------------------------------------------------------------------------------------------
5. Silver Ticket Attack: Forging Access to Services
Unlike Golden Tickets, Silver Tickets target specific services (e.g., file shares, databases) instead of the entire domain. Attackers forge a service ticket using the stolen password hash of the account the service runs under, often a computer account, gaining persistent access to that service. Because the forged ticket is presented straight to the service and never passes through a domain controller, the DC logs show nothing; detection has to happen on the target host.
How to Defend Against It:
✅ Ensure computer account passwords rotate regularly (Windows does this automatically by default; verify that the rotation has not been disabled).
✅ Minimize service account privileges to limit the impact of a breach, so a forged ticket for one service does not grant more than that service needs.
-----------------------------------------------------------------------------------------------------------
6. Skeleton Key Attack: The Universal Backdoor
A Skeleton Key attack patches the authentication process (LSASS) on a domain controller in memory so that a second, attacker-chosen password is accepted for every account alongside the real one. Attackers can then use this password to log in as any user, completely bypassing normal authentication, while users keep logging in with their real passwords and notice nothing. The patch lives only in memory and does not survive a reboot of the domain controller, which is why attackers typically pair it with another form of persistence.
How to Defend Against It:
✅ Use smart card authentication for critical accounts, since a password backdoor does not help against certificate-based logon.
✅ Restrict domain controller access to prevent unauthorized modifications; the attack requires administrative rights on the DC itself.
-----------------------------------------------------------------------------------------------------------
7. DCSync Attack: Stealing All Password Hashes
DCSync abuses the directory replication protocol that domain controllers use to keep each other in sync. An account holding the replication extended rights on the domain can impersonate a domain controller and request the password hashes of any user, including the KRBTGT account. This enables full domain compromise without ever touching a DC's disk.
How to Defend Against It:
✅ Restrict the replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) to domain controllers and the few accounts that genuinely need them.
✅ Monitor accounts with replication permissions for suspicious activity, and alert whenever replication rights are exercised by anything that is not a known domain controller.
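Exercising replication rights is auditable: when "Audit Directory Service Access" is enabled, each use produces event 4662 whose Properties field lists the GUIDs of the control access rights used. The Python below is an added example, not the article's code. It extracts those GUIDs from constructed 4662 records and reports any principal that is not in a list of known domain controller accounts; the DC list and all sample values are assumptions.

```python
"""Flag directory-replication access (event 4662) by non-DC principals.

Added example (not from the article). DCSync needs the replication
extended rights on the domain object; legitimately only domain
controllers (and a few replication products) exercise them.
"""
import re

# Well-known GUIDs of the replication control access rights.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Assumption: the computer accounts of the domain controllers.
KNOWN_DCS = {"DC01$", "DC02$"}

# Constructed sample 4662 records; the Properties field mimics the raw
# multi-line text the Security log produces.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # ordinary object access by the same user, unrelated GUID (constructed)
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688\n\t{deadbeef-0000-4000-8000-000000000001}"},
]


def replication_rights(properties):
    """Return the sorted names of replication rights found in a Properties field."""
    found = {REPLICATION_GUIDS[g.lower()]
             for g in GUID_RE.findall(properties)
             if g.lower() in REPLICATION_GUIDS}
    return sorted(found)


def dcsync_suspects(events, known_dcs=KNOWN_DCS):
    """Return (account, rights) for every 4662 where a non-DC used replication rights."""
    dc_names = {d.upper() for d in known_dcs}
    suspects = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = replication_rights(e["Properties"])
        if not rights or e["SubjectUserName"].upper() in dc_names:
            continue
        suspects.append((e["SubjectUserName"], rights))
    return suspects


if __name__ == "__main__":
    for account, rights in dcsync_suspects(SAMPLE_EVENTS):
        print(f"possible DCSync: {account} used {', '.join(rights)}")
```

The allowlist is the weak point of this check: keep it tied to the actual set of domain controllers (and any backup or identity-sync product that legitimately replicates), and review it whenever a DC is promoted or demoted, otherwise a new DC becomes a false positive and a decommissioned one a blind spot.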
-----------------------------------------------------------------------------------------------------------
Summary: How to Stay Safe
| Attack Type | How It Works | Defense Strategies |
| Pass the Ticket | Steals and reuses Kerberos tickets | Credential Guard, Remote Credential Guard |
| Overpass the Hash | Uses an NTLM hash to request Kerberos tickets | Protected Users group, disable RC4 |
| Kerberoasting | Requests and cracks service account tickets | Long passwords, Managed Service Accounts |
| Golden Ticket | Creates a forged TGT for unlimited access | Reset KRBTGT password, limit domain admin privileges |
| Silver Ticket | Creates a forged service ticket for lateral movement | Rotate computer passwords, limit service privileges |
| Skeleton Key | Injects a universal backdoor password | Smart card authentication, restrict DC access |
| DCSync | Extracts all password hashes via replication | Limit replication rights, monitor privileged accounts |
-----------------------------------------------------------------------------------------------------------
By understanding these attacks and applying the right defenses, organizations can strengthen their Kerberos security and prevent unauthorized access.
Stay vigilant, monitor logs for anomalies, and proactively secure your network!
-----------------------------------------------------------------------------------------------------------
Dean