Kerberos Weaknesses: Pass the Ticket Is a Real Threat

Michael Buckbee
2 min read
Published August 27, 2014
Last updated October 21, 2021

August is always a good time to check up on the dark side. Black Hat had its annual conference earlier this month, and there are always presentations worth looking at. I’ve been writing about Kerberos recently, and while it’s a big improvement over Microsoft’s NTLM, nothing is ever perfect. I came across a presentation that looks more closely at the weaker points of Kerberos.

Let me point out that researchers have seen attacks launched against Kerberos, but not nearly as frequently as ones targeted at the more widely deployed NTLM. The hackcraft for Kerberos is newer, and in fact one of the more ominous attack possibilities has only recently been addressed—I’ll get to that later.


The tough three-headed doggie has a few fleas.

The one I know about involves passively listening on the wire, scooping up packets involved in the last part of the Kerberos exchange. Remember that? The client already has the final ride ticket — the Server Ticket — and the server session key. So when the request to the actual service is made, the client just has to encrypt some identifier information with the server session key and then add the Server Ticket.

If hackers could resend that last exchange—yeah, this is a replay attack—then in theory they could access the service. But Kerberos time stamps everything, so the attacker would have to work quickly. And since the IP source address can be part of the identifier information that’s encrypted, the hackers should in theory be stopped in their tracks.

Is there another way to break Kerberos?

Metadata Era blog readers know that our fundamental philosophy is that the hacker will get in. Or to put it another way, cryptography ain’t that healthy. The underlying issue, of course, is that hackers are more adept at getting through the front door and looking at formerly hidden parts of the crypto-machinery.

With that in mind, the Black Hat presentation shows a PtH-style attack for Kerberos, using, what else, but tickets—i.e., PtT. The slides tell us that in Windows environments the TGT and session ID are kept in memory, and in fact in the same part of memory where the NTLM hashes are stored—the Local Security Authority Subsystem Service, or LSASS. Who would have thunk it?

Security pen testers have already figured out where in LSASS the Kerberos tickets reside, and they now have the tools to pull these out—one of the presenters, Benjamin Delpy, did the heavy lifting here.

What does all this mean? A lot of the advice we gave about PtH would seem to apply to Kerberos as well—overall, you want to reduce the chances of higher-privilege tickets being scooped up. In Kerberos’s favor, though, is the setting of the expiration period for the TGT—in Windows, it defaults to a lifetime of 10 hours. So the attackers would have to work somewhat speedily.

But what if the ticket had an incredibly long lifetime—perhaps measured in years—and had broad authorizations? That scary idea—known as “The Golden Ticket”—is taken up in another part of the presentation.

And I’ll talk about that in my next post.
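To make the two defensive points above concrete (why a replayed last exchange fails, and why a ticket whose lifetime is wildly longer than the 10-hour default deserves a second look), here is an added toy model of the checks a Kerberized service performs on an incoming request. This is example code written for this post, not Varonis’s code and not a real Kerberos implementation: real Kerberos encrypts the authenticator with the session key, whereas this model uses an HMAC-SHA256 tag as a stand-in so it runs offline with the standard library; the principal name, addresses, key and timestamps are constructed values.

```python
"""Toy model of the freshness, address, replay and lifetime checks a
Kerberos service applies to the client's final request (AP-REQ).

Added example, not code from the post. The HMAC tag stands in for the
session-key encryption real Kerberos uses (assumption); all names,
addresses and times below are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

MAX_CLOCK_SKEW = 300              # seconds; the usual Kerberos tolerance
POLICY_MAX_LIFETIME = 10 * 3600   # Windows default TGT lifetime from the post


def _tag(session_key: bytes, body: bytes) -> str:
    return hmac.new(session_key, body, hashlib.sha256).hexdigest()


def make_authenticator(session_key: bytes, cname: str, addr: str, ctime: int) -> bytes:
    """Client side: identifier info (name, source address, timestamp) bound to the session key."""
    body = json.dumps({"cname": cname, "addr": addr, "ctime": ctime}, sort_keys=True).encode()
    return body + b"|" + _tag(session_key, body).encode()


@dataclass
class Ticket:
    cname: str
    starttime: int
    endtime: int


@dataclass
class Service:
    session_key: bytes
    replay_cache: set = field(default_factory=set)   # (cname, ctime) pairs already seen

    def verify(self, ticket: Ticket, authenticator: bytes, src_addr: str, now: int) -> str:
        body, _, tag = authenticator.rpartition(b"|")
        # 1. Integrity: only a holder of the session key can produce a valid authenticator.
        if not hmac.compare_digest(_tag(self.session_key, body), tag.decode()):
            return "reject: bad authenticator"
        auth = json.loads(body)
        # 2. The authenticator must be for the principal named in the ticket.
        if auth["cname"] != ticket.cname:
            return "reject: name mismatch"
        # 3. Freshness: the timestamp must be within the allowed clock skew.
        if abs(now - auth["ctime"]) > MAX_CLOCK_SKEW:
            return "reject: stale authenticator"
        # 4. The source address sealed into the authenticator must match the sender.
        if auth["addr"] != src_addr:
            return "reject: address mismatch"
        # 5. Replay cache: the same authenticator is accepted at most once.
        if (auth["cname"], auth["ctime"]) in self.replay_cache:
            return "reject: replay"
        # 6. The ticket itself must be inside its validity window.
        if not ticket.starttime <= now <= ticket.endtime:
            return "reject: ticket not valid now"
        self.replay_cache.add((auth["cname"], auth["ctime"]))
        # Accepted, but flag a ticket whose lifetime far exceeds domain policy.
        if ticket.endtime - ticket.starttime > POLICY_MAX_LIFETIME:
            return "accept (warning: lifetime exceeds policy)"
        return "accept"


def demo() -> dict:
    """Run the verifier against constructed fresh, replayed, spoofed, stale, forged and long-lived requests."""
    now = 1_700_000_000                     # constructed 'current time'
    key = b"constructed-session-key"
    svc = Service(key)
    ticket = Ticket("alice", now - 60, now + 9 * 3600)   # well inside the 10-hour default
    auth = make_authenticator(key, "alice", "10.0.0.5", now - 2)
    results = {}
    results["fresh"] = svc.verify(ticket, auth, "10.0.0.5", now)
    # The same packet sniffed off the wire and resent 30 seconds later.
    results["replay"] = svc.verify(ticket, auth, "10.0.0.5", now + 30)
    results["wrong_source"] = svc.verify(
        ticket, make_authenticator(key, "alice", "10.0.0.5", now - 1), "10.0.0.99", now)
    results["stale"] = svc.verify(
        ticket, make_authenticator(key, "alice", "10.0.0.5", now - 900), "10.0.0.5", now)
    results["forged"] = svc.verify(
        ticket, make_authenticator(b"wrong-key", "alice", "10.0.0.5", now), "10.0.0.5", now)
    # A ticket valid for ten years: accepted by the protocol, but worth flagging.
    golden = Ticket("alice", now - 60, now + 10 * 365 * 86400)
    results["long_lived"] = svc.verify(
        golden, make_authenticator(key, "alice", "10.0.0.5", now + 1), "10.0.0.5", now)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome}")
```

The replay cache is keyed the way Kerberos does it in spirit (client name plus authenticator timestamp), which is why the resent packet is refused even though its timestamp is still inside the skew window. The last case shows the limit of the protocol checks: a ticket with a multi-year lifetime passes every cryptographic test, so spotting it is a monitoring job, not something the service will do for you.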
