WP Labs Research Kerberos Decryption

This document discusses decrypting Kerberos communications to detect attacks and malicious activity that leverage the Kerberos protocol. Kerberos is commonly used for network authentication but its encrypted messages can conceal exploits and lateral movement. The document outlines how decrypting Kerberos tickets can reveal hidden attacks, detect forged tickets, and bridge the gap for defenders by making Kerberos data accessible. It provides an example of how decrypting a "Golden Ticket" could expose an invalid user profile that indicates an attack. Decrypting Kerberos allows security tools to analyze the protocol and better detect threats.

LABS RESEARCH

KERBEROS DECRYPTION
Abstract
In most organizations it is common to find anti-virus installed to prevent viruses and malicious software from running, and IDS/IPS/firewalls installed to identify attacks and exploits, while Kerberos and the sub-protocols encapsulated within it are neglected. The sub-protocols receive no attention because their data is inaccessible. In this paper we unveil the potential risk hiding in the encrypted parts of Kerberos, using decryption to bridge the gap between attackers and defenders and providing a real view into active attacks that leverage Kerberos as a means to conceal malicious activity and lateral movement.

Author: Ido Hoorvitch

www.cyberark.com
CYBERARK LABS RESEARCH

Table of Contents
Figures (page 2)
Introduction (page 3)
What can be discovered with Kerberos Decryption (page 4)
Kerberos Decryption (page 6)
NetRay (page 8)
Summary (page 9)
Acknowledgments (page 9)

Figures
Figure 1. Kerberos Authentication Flow (page 4)
Figure 2. AD GUI showing membership for user (page 5)
Figure 3. User membership showing Golden Ticket (page 5)
Figure 4. User membership using PowerShell (page 5)
Figure 5. Keytab content (page 6)
Figure 6. Silver Ticket Attack over the wire (page 7)
Figure 7. Signature verification process (page 8)


Introduction
Kerberos is a computer network authentication protocol developed by MIT. It works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. In so doing, Kerberos protocol messages are protected against eavesdropping and replay attacks. But this very capability can be handed to attackers on a silver platter for their own nefarious ends. To close the gap created by attackers who leverage the Kerberos protocol to hide their malicious activities, we will walk through a Kerberos decryption approach that enables defenders to detect these activities.

The focus of this paper is Microsoft's Kerberos implementation, which has been in use since Windows 2000 as the preferred authentication protocol for networked computers running Windows. In the Windows implementation, the Kerberos protocol uses tickets that are encrypted with secret keys derived from the account's password. Each key is shared only between the user and the KDC (Key Distribution Center). The KDC is a network service that runs as part of Active Directory (AD) and is responsible for managing the Kerberos authentication process and communications by issuing tickets and session keys. It is the only entity that holds all the secret keys in the network; the Kerberos authentication mechanism rests on this fact. The keys are stored locally at the KDC in the ntds.dit database file.

The Kerberos authentication process is commonly divided into three stages: Authentication Service (AS), Ticket Granting Service (TGS) and Authentication Protocol (AP), depicted in Figure 1.
1. The AS exchange takes place between a user and the AS portion of the KDC. Its purpose is to authenticate the user to the KDC. If the user authenticates successfully, the KDC provides a session key and a Ticket Granting Ticket (TGT), which is encrypted with the KRBTGT key known only to the KDC itself. The user presents the TGT back to the KDC as proof of prior authentication each time the user wants access to a service in the network, while the session key is used to encrypt the follow-up communications between the user and the KDC.
2. The TGS exchange takes place between a user and the TGS portion of the KDC. Its purpose is to supply the user with a service ticket for a specific service. In this stage, the user sends the TGT from the previous stage to the TGS, which verifies it. If the verification is successful, the user receives a Service Ticket that is encrypted with the specific service key (known to the KDC and the requested service) and a session key. That session key is then used to encrypt the communications between the user and the desired service.
3. The AP exchange takes place between the user and the desired service. Its purpose is to authorize the user at the service door. The user presents the service ticket from the previous stage to the service. The service verifies the ticket by its content and then decides whether the user has permissions for the desired resource. If mutual authentication was requested by the user, the service sends back a response encrypted with the session key from the service ticket.


Figure 1. Kerberos Authentication Flow

There are a variety of known attacks on the Kerberos protocol as described above, all involving the theft of keys by an attacker:
• If an attacker compromises a user's key, they can execute an Overpass-the-Hash attack, impersonating the user to any service on the network. In this attack, the attacker uses the user's key to obtain a TGT on behalf of the user and then requests a service ticket for any available service.
• If an attacker steals a service's key, they can execute a Silver Ticket attack, impersonating any user (including non-existent users) with any permissions they like in front of the compromised service. In this attack, the attacker skips the AS and TGS stages and sends the forged service ticket directly to the compromised service.
• If an attacker was able to steal the key of the KRBTGT account, they can execute a Golden Ticket attack, impersonating any user (also non-existent users) with any permissions they like in front of any service. Here the attacker skips the Authentication Service exchange and sends a self-crafted TGT to the TGS.

What can be discovered with Kerberos Decryption

With this short introduction to what Kerberos is, how it works and the known attacks against it, we turn to what can be gained from Kerberos decryption. Decrypting Kerberos communication with the relevant keys allows:
• Detecting attacks on Kerberos sub-protocols. Once the Kerberos protocol is decrypted, the sub-protocols are visible and threat detection can take place. Previously, the communications and the data being transferred were hidden and therefore bypassed security sensors.
• Detecting attacks over the Kerberos protocol itself by searching for illegitimate patterns, data anomalies and forged tickets.


To help illustrate the above benefits, let's review a Golden Ticket detection using decryption. After decryption, the user information inside the ticket is visible. In the following example, the user information from the ticket does not match the details in AD, exposing an indicator of a Golden Ticket attack:
• In the pictures on the left (Figures 2 and 4) is information from AD. The user is a member of the Domain Users group (RID 513) only.
• In the picture on the right (Figure 3) is the user information from the Golden Ticket. While the user is a member of only one group in AD, the ticket lists the user as a member of many groups (some of them very powerful, such as Domain Admins with RID 512), granting the attacker access to many more resources.
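The three exchanges from the introduction and the Golden Ticket indicator just described can be put into one small model. The Python below is an added illustration written for this page, not code from the paper, from NetRay or from any Kerberos implementation: its cipher is a standard-library stand-in for the Kerberos AES encryption types, the PAC is a plain dictionary, and the user, service, keys and group RIDs are constructed sample data. It issues a TGT in the AS exchange, turns it into a service ticket in the TGS exchange, has the service read the groups in the AP exchange, and then performs the defender-side step the paper describes: decrypting a TGT captured between client and DC with the krbtgt key from a keytab and comparing the groups inside with Active Directory.

```python
"""Toy model of the three Kerberos exchanges and of what a defender holding the
KDC's keys recovers from a captured ticket. Added illustration only (not real
Kerberos, not NetRay): the cipher stands in for the AES etypes, the PAC is a
dict and Active Directory is an in-memory table with constructed sample data."""
import hashlib
import hmac
import json
import os


# Kerberos encrypts tickets with AES-CTS plus an HMAC-SHA1 tag (RFC 3962). To
# stay inside the standard library this toy uses an HMAC-SHA256 counter
# keystream for confidentiality and an HMAC-SHA256 tag for integrity.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: dict) -> bytes:
    data = json.dumps(plaintext, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


# In AD the keys are derived from account passwords and live in ntds.dit; here
# they are random bytes. alice is a member of Domain Users (RID 513) only.
KEYS = {"krbtgt": os.urandom(32),      # encrypts every TGT
        "cifs/fs01": os.urandom(32)}   # a service key: encrypts that service's tickets
AD_GROUPS = {"alice": [513]}


def as_exchange(user: str):
    """AS exchange: the KDC returns a TGT encrypted with the krbtgt key plus a
    session key. The TGT carries the PAC, i.e. the user's group list."""
    session_key = os.urandom(32)
    tgt = encrypt(KEYS["krbtgt"], {"user": user, "groups": AD_GROUPS[user],
                                   "session_key": session_key.hex()})
    return tgt, session_key


def tgs_exchange(tgt: bytes, service: str) -> bytes:
    """TGS exchange: the KDC decrypts the presented TGT and copies its PAC into
    a service ticket encrypted with the service key. It trusts the TGT's
    contents because only the krbtgt key could have produced them."""
    pac = decrypt(KEYS["krbtgt"], tgt)
    return encrypt(KEYS[service], {"user": pac["user"], "groups": pac["groups"],
                                   "session_key": os.urandom(32).hex()})


def ap_exchange(service_ticket: bytes, service: str) -> list:
    """AP exchange: the service decrypts the ticket with its own key and
    authorises the user by the groups it finds inside; it never asks AD."""
    return decrypt(KEYS[service], service_ticket)["groups"]


def detect_golden_ticket(captured_tgt: bytes, keytab: dict) -> bool:
    """Defender-side check from the paper: decrypt a TGT captured between client
    and DC with the krbtgt key from the keytab and compare the group list
    inside with what AD actually holds for that user."""
    pac = decrypt(keytab["krbtgt"], captured_tgt)
    return set(pac["groups"]) != set(AD_GROUPS.get(pac["user"], []))


def demo() -> dict:
    keytab = {"krbtgt": KEYS["krbtgt"]}          # exported from the DC, as in Figure 5
    legit_tgt, _ = as_exchange("alice")
    # Test input for the detector: a TGT under the krbtgt key whose PAC claims
    # Domain Admins (RID 512) although AD grants alice RID 513 only.
    golden_tgt = encrypt(KEYS["krbtgt"], {"user": "alice", "groups": [513, 512],
                                          "session_key": os.urandom(32).hex()})
    return {"legit_flagged": detect_golden_ticket(legit_tgt, keytab),      # False
            "golden_flagged": detect_golden_ticket(golden_tgt, keytab),    # True
            "groups_seen_by_service": ap_exchange(tgs_exchange(golden_tgt, "cifs/fs01"), "cifs/fs01")}
```

The point the model makes is the one the paper draws from Figures 2 to 4: neither the KDC in the TGS exchange nor the service in the AP exchange consults AD, so the forged group list is honoured end to end, and only a party that can open the TGT and compare it against the directory sees the mismatch.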

Performing Kerberos decryption empowers defenders, allowing them to detect attacks and to gain better visibility and more control over their network.

Figure 2. AD GUI showing membership for user

Figure 3. User membership showing Golden Ticket

Figure 4. User membership using PowerShell


Kerberos Decryption
One of the major strengths of Kerberos decryption is the fact that it is agentless and is done solely by capturing network communications,
providing data which could otherwise only be collected from each server across the network.

In order to decrypt Kerberos communications the following elements are required:

1. Keytab - A file containing keys.

• The keytab should contain user and service keys of the same encryption type (DES, AES256, AES128, RC4 or others) as the one used to encrypt the traffic.
• There are different tools to create and edit a keytab. In the example below, the Heimdal version of ktutil is used to show the content of a keytab file.

Figure 5. Keytab content

2. Kerberos decryption tool – In the following example Wireshark is used.

a. Wireshark is able to decrypt Kerberos traffic when given a keytab file with the relevant keys.

3. Capturing traffic at a specific location – The location depends on what we are trying to detect and on the detection algorithm used. Possible capture locations include:

a. To detect a Golden Ticket attack, traffic should be captured between a client and a DC.
b. To detect a Silver Ticket attack, traffic should be captured (at least) between a client and a service.
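As an added example for the keytab element above (not Heimdal's ktutil, and not code from the paper or NetRay), the following Python reads and writes the MIT/Heimdal keytab layout that Wireshark consumes (file version 0x0502, big-endian throughout), and checks whether every principal and encryption-type pair observed on the wire has a matching key in the keytab, which is the mismatch that most often leaves tickets undecrypted. The principals, timestamps and key bytes are constructed sample values.

```python
"""Reader and writer for the MIT/Heimdal keytab layout (version 0x0502) that
Wireshark consumes. Added example for this page, not Heimdal's ktutil and not
NetRay code; principals, timestamps and key bytes are constructed samples."""
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class KeytabEntry:
    principal: str   # "component/component@REALM"
    name_type: int   # KRB5_NT_PRINCIPAL = 1, KRB5_NT_SRV_INST = 2
    timestamp: int   # seconds since the epoch, when the key was added
    kvno: int        # key version number
    etype: int       # encryption type: 18 = aes256-cts-hmac-sha1-96, 23 = rc4-hmac, ...
    key: bytes


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    out = bytearray(b"\x05\x02")                                # file version 0x0502
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.etype) + _counted(e.key)    # keyblock
        body += struct.pack(">I", e.kvno)                       # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body              # int32 entry length
    return bytes(out)


class _Cursor:
    """Sequential big-endian reader over the file bytes."""
    def __init__(self, data: bytes, pos: int):
        self.data, self.pos = data, pos

    def unpack(self, fmt: str) -> tuple:
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self) -> bytes:
        (n,) = self.unpack(">H")
        self.pos += n
        return self.data[self.pos - n:self.pos]


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    cur, entries = _Cursor(data, 2), []
    while cur.pos + 4 <= len(data):
        (size,) = cur.unpack(">i")
        if size == 0:
            break
        if size < 0:                  # a deleted entry is stored as a hole of -size bytes
            cur.pos += -size
            continue
        end = cur.pos + size
        (ncomp,) = cur.unpack(">H")
        realm = cur.counted().decode()
        comps = [cur.counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = cur.unpack(">IIB")
        (etype,) = cur.unpack(">H")
        key = cur.counted()
        kvno = vno8
        if end - cur.pos >= 4:        # a trailing 32-bit kvno overrides the 8-bit one
            (kvno,) = cur.unpack(">I")
        cur.pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type,
                                   timestamp, kvno, etype, key))
    return entries


def missing_keys(entries: List[KeytabEntry],
                 observed: Set[Tuple[str, int]]) -> Set[Tuple[str, int]]:
    """(principal, etype) pairs seen on the wire with no matching key in the
    keytab: those tickets stay opaque to Wireshark."""
    have = {(e.principal, e.etype) for e in entries}
    return {o for o in observed if o not in have}


SAMPLE_ENTRIES = [  # constructed sample data with dummy key bytes
    KeytabEntry("cifs/fs01.lab.local@LAB.LOCAL", 1, 1517443200, 3, 18, b"\x11" * 32),
    KeytabEntry("krbtgt/LAB.LOCAL@LAB.LOCAL", 1, 1517443200, 2, 18, b"\x22" * 32),
    KeytabEntry("krbtgt/LAB.LOCAL@LAB.LOCAL", 1, 1517443200, 2, 23, b"\x33" * 16),
]


def coverage_report() -> Set[Tuple[str, int]]:
    """Round-trip the sample keytab and report which observed tickets it cannot open."""
    parsed = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    observed = {("krbtgt/LAB.LOCAL@LAB.LOCAL", 18), ("cifs/fs01.lab.local@LAB.LOCAL", 17)}
    return missing_keys(parsed, observed)
```

In the sample, the file server's ticket was observed with etype 17 (AES128) while the keytab only holds its AES256 key, so that ticket would remain encrypted in Wireshark even though the "right" principal is present. In Wireshark the corresponding settings are the Kerberos protocol preferences for attempting decryption and for the keytab file path (`kerberos.decrypt` and `kerberos.file` when passed to tshark with `-o`).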


The following demonstrates detection of a Silver Ticket execution by identifying an invalid signature:

During a Silver Ticket attack, an attacker steals a service key and skips straight to the AP-REQ stage, sending a forged service ticket with a modified PAC data structure (the PAC contains the user's authorization information, such as AD group membership).

The PAC contains two signatures that allow the service to validate the integrity of the PAC. The first is the service signature, a checksum of the PAC encrypted with the service key (this checksum can be altered by an attacker with access to the service key, as in the Silver Ticket case). The second is the Privsvr signature, a checksum of the service signature encrypted with the KRBTGT key. This signature cannot be altered by an attacker without access to the KRBTGT key.

Following is an example of a decrypted packet which executes a Silver Ticket attack:

Figure 6. Silver Ticket Attack over the wire. The screenshot of the decrypted packet is annotated with these callouts:
• Encrypted with the service key
• The PAC
• Part which contains the groups that a user is part of
• Service signature: PAC checksum encrypted with the service key
• Privsvr signature: checksum of the service signature encrypted with the KRBTGT key


The attack can be detected by verifying the Privsvr signature. The verification is performed by calculating the checksum of the service signature and then encrypting it with the KRBTGT key. By comparing the result with the signature in the packet, a forged ticket with a modified PAC can be detected.
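The two-signature construction and the Privsvr check can be written out in full. The Python below is an added example, not the paper's Figure 7 session and not NetRay or Impacket code: it uses HMAC-SHA1 truncated to 96 bits and keyed directly with the service and KRBTGT keys as a stand-in for the Kerberos checksum profile (real implementations, for instance Impacket's `impacket.krb5.crypto`, first derive a usage-specific key from the long-term key), a toy PAC encoding, and constructed sample keys and group RIDs. It signs a legitimate PAC the way the KDC does, builds the detector's test input (the same PAC with an added group, re-signed only with the service key), and shows the service signature still verifying while the Privsvr signature does not.

```python
"""The two PAC signatures and the Privsvr check the paper uses to expose a
Silver Ticket. Added example, not NetRay or Impacket code. The PAC body is a
toy serialisation and the checksum is keyed directly (see keyed_checksum);
all keys below are constructed sample values."""
import hashlib
import hmac

SIG_LEN = 12  # HMAC-SHA1-96: a 160-bit HMAC truncated to 96 bits


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    """Stand-in for the Kerberos HMAC-SHA1-96 checksum used with the AES
    etypes (RFC 3962). Real implementations first derive a usage-specific key
    (RFC 3961 DK, key usage 17 for the PAC), which needs AES; this example
    skips the derivation and keys the HMAC directly. That is a simplification
    made here, not a spec detail."""
    return hmac.new(key, data, hashlib.sha1).digest()[:SIG_LEN]


def encode_pac_body(user: str, groups: list) -> bytes:
    """Toy form of the authorisation data (MS-PAC carries it NDR-encoded in
    KERB_VALIDATION_INFO; the exact encoding does not matter here)."""
    return (user + ":" + ",".join(str(g) for g in sorted(groups))).encode()


def _zeroed(body: bytes) -> bytes:
    # MS-PAC: both Signature fields are set to zero before the checksum is taken.
    return body + b"\x00" * SIG_LEN + b"\x00" * SIG_LEN


def sign_pac(body: bytes, service_key: bytes, krbtgt_key: bytes) -> dict:
    """What the KDC does when issuing a ticket: the server (service) signature
    covers the PAC with the signature fields zeroed and is keyed with the
    service key; the Privsvr (KDC) signature covers only the server signature
    and is keyed with the KRBTGT key."""
    server_sig = keyed_checksum(service_key, _zeroed(body))
    kdc_sig = keyed_checksum(krbtgt_key, server_sig)
    return {"body": body, "server_sig": server_sig, "kdc_sig": kdc_sig}


def verify_as_service(pac: dict, service_key: bytes) -> bool:
    """The check the target service itself can perform with its own key."""
    return hmac.compare_digest(pac["server_sig"],
                               keyed_checksum(service_key, _zeroed(pac["body"])))


def verify_privsvr(pac: dict, krbtgt_key: bytes) -> bool:
    """The check from the paper: recompute the checksum of the server signature
    under the KRBTGT key and compare it with the one found in the packet."""
    return hmac.compare_digest(pac["kdc_sig"],
                               keyed_checksum(krbtgt_key, pac["server_sig"]))


def silver_ticket_scenario() -> dict:
    service_key = b"\x01" * 32   # constructed sample keys, not real material
    krbtgt_key = b"\x02" * 32
    legit = sign_pac(encode_pac_body("alice", [513]), service_key, krbtgt_key)
    # Test input for the detector: a PAC whose groups were rewritten and whose
    # server signature was recomputed with the service key. Whoever holds only
    # that key cannot recompute the Privsvr signature, so it is left as it was.
    forged_body = encode_pac_body("alice", [513, 512])
    forged = {"body": forged_body,
              "server_sig": keyed_checksum(service_key, _zeroed(forged_body)),
              "kdc_sig": legit["kdc_sig"]}
    return {
        "legit_service_ok": verify_as_service(legit, service_key),    # True
        "legit_privsvr_ok": verify_privsvr(legit, krbtgt_key),        # True
        "forged_service_ok": verify_as_service(forged, service_key),  # True: the service is satisfied
        "forged_privsvr_ok": verify_privsvr(forged, krbtgt_key),      # False: the Privsvr check exposes it
    }
```

Because the Privsvr signature chains to the server signature rather than to the PAC body, any change to the body forces a new server signature, which in turn invalidates the Privsvr signature; that is why the check only needs the KRBTGT key and the two signature fields from the decrypted packet.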

The following example, shown in Figure 7, uses Impacket to verify the Privsvr signature with the KRBTGT key. The keys and signatures were taken from the keytab and the packet shown earlier (Figures 5 and 6).

Figure 7. Signature verification process

When this verification fails, the service itself will not know it is under attack and will have given no prior warning, because the service signature remains valid. Without decryption, the PAC would not be visible and the attack could not be detected.

NetRay
To demonstrate the importance and strength of Kerberos decryption, we developed a modular tool that takes a keytab and a parsed, decrypted pcap file in JSON format and detects attacks that leverage the Kerberos protocol. The tool ships with a Silver Ticket attack detection module and can be expanded very easily.

https://github.com/cyberark/NetRay


Summary
We reviewed the importance of Kerberos in domain networks and the great strength an attacker can gain by using it to hide their malicious activity. Decrypting Kerberos can bridge the gap between the attacking side and the defensive side by detecting attempts to gain persistence, move laterally and escalate privileges. Ultimately, Kerberos decryption helps one understand what is really happening on the network.

We encourage you to use the NetRay tool and to expand it to suit your needs. Finally, we look forward to any feedback on this paper and tool, as well as to hearing your experiences as you explore your Kerberos-encrypted network traffic.

Acknowledgments
A big thanks to Itzik Majar for co-researching Kerberos protocol internals.

©Copyright 1999-2018 CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of
CyberArk Software. CyberArk ®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and
other jurisdictions. Any other trade and service names are the property of their respective owners. U.S., 02.18. 217134777

CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied warranties and is subject
to change without notice.

THIS PUBLICATION IS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER WHETHER EXPRESSED OR IMPLIED,
INCLUDING WARRANTY OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT OR OTHERWISE. IN NO EVENT SHALL CYBERARK
BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND IN PARTICULAR CYBERARK SHALL NOT BE LIABLE FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, OR
INCIDENTAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE OR LOSS OF USE, COST OF REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA
ARISING FROM USE OF OR IN RELIANCE ON THIS PUBLICATION, EVEN IF CYBERARK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
