Kerberos Protocol Explained

This blog post is intended to supplement the Kerberos explanation video that just went live on my YouTube channel:

As such, I’m not going to explain everything in detail here. This post is intended as a quick reference for all of the diagrams I made for that video. Hopefully they can be useful on their own even if you don’t watch the video, but of course I’d encourage you to watch it to get a full explanation of everything here.

So let’s start off with the simple high level summary of the Kerberos authentication process:

Steps 1 and 2 in the diagram above happen once, when the user logs on to their PC. Steps 3 and 4 happen the first time they try to authenticate to the network service (SQL Server in this example). The service ticket they receive in step 4 gets cached, so step 5 then happens every time they access the service and uses that cached ticket, until they log off or until the service ticket expires, at which point they need to repeat steps 3 and 4.

Now for a slightly more in depth look at that same process:

To understand how this really works, we need to look at the network messages that get sent for each of those steps.

First of all we have the AS-REQ and AS-REP, which cover steps 1 and 2 in the previous diagrams:

Then for steps 3 and 4 we have the TGS-REQ and TGS-REP messages:

Then finally the AP-REQ message for step 5. Note that this message won't usually be easy to see in network captures, because it is sent over whatever protocol the client uses to talk to the network service (e.g. HTTPS, SQL Server's network protocol, or some proprietary protocol created just for this service):

Of course there’s more to some of these structures, but I’ve picked out the interesting parts and tried to keep things as simple as possible whilst still being accurate.
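To make the five steps concrete, here is an added example (not code from the blog or the video) that models the three exchanges in Python: the AS-REQ/AS-REP at logon, the TGS-REQ/TGS-REP for a service ticket, the AP-REQ presented to the service, and the client-side cache that lets step 5 repeat without going back to the KDC until the ticket expires. The "encryption" is a toy hashlib/hmac stand-in rather than a real Kerberos enctype, the messages are plain Python dicts rather than ASN.1, and the realm data (krbtgt secret, user alice, an SPN for sql01, a 600 second service ticket lifetime) is constructed for the demo.

```python
# Toy model of the AS, TGS and AP exchanges plus the client-side ticket cache.
# The "encryption" is a hashlib/hmac stand-in for illustration; real Kerberos
# uses proper enctypes (e.g. AES-CTS-HMAC-SHA1-96, RFC 3962) and ASN.1 messages.
import hashlib, hmac, json, os, time

def derive_key(secret: str) -> bytes:       # stand-in for string-to-key (real: PBKDF2 + salt)
    return hashlib.sha256(secret.encode()).digest()

def seal(key: bytes, obj: dict) -> bytes:   # nonce || (json XOR SHAKE keystream) || HMAC tag
    data, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:  # raises on a wrong key or a modified blob
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("KRB_AP_ERR_BAD_INTEGRITY")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

class KDC:   # Authentication Service (AS) and Ticket Granting Service (TGS) of one realm
    def __init__(self, principals: dict, tgt_lifetime=36000, svc_lifetime=600, now=time.time):
        self.keys = {name: derive_key(secret) for name, secret in principals.items()}
        self.tgt_lifetime, self.svc_lifetime, self.now = tgt_lifetime, svc_lifetime, now

    def as_exchange(self, as_req: dict) -> dict:
        """AS-REQ -> AS-REP (steps 1 and 2). Pre-auth proves knowledge of the user's key."""
        ukey = self.keys[as_req["cname"]]
        ts = unseal(ukey, as_req["padata"])["timestamp"]     # wrong password fails here
        if abs(self.now() - ts) > 300:
            raise ValueError("KRB_AP_ERR_SKEW")
        session, endtime = os.urandom(32).hex(), self.now() + self.tgt_lifetime
        tgt = seal(self.keys["krbtgt"], {"cname": as_req["cname"], "key": session, "endtime": endtime})
        return {"ticket": tgt, "enc_part": seal(ukey, {"key": session, "sname": "krbtgt", "endtime": endtime})}

    def tgs_exchange(self, tgs_req: dict) -> dict:
        """TGS-REQ -> TGS-REP (steps 3 and 4): open the TGT with the krbtgt key, check the authenticator."""
        tgt = unseal(self.keys["krbtgt"], tgs_req["ticket"])
        if self.now() > tgt["endtime"]:
            raise ValueError("KRB_AP_ERR_TKT_EXPIRED")   # client must log on again
        skey = bytes.fromhex(tgt["key"])
        if unseal(skey, tgs_req["authenticator"])["cname"] != tgt["cname"]:
            raise ValueError("KRB_AP_ERR_BADMATCH")
        sname, svc_session = tgs_req["sname"], os.urandom(32).hex()
        endtime = min(tgt["endtime"], self.now() + self.svc_lifetime)
        st = seal(self.keys[sname], {"cname": tgt["cname"], "key": svc_session, "endtime": endtime})
        return {"ticket": st, "enc_part": seal(skey, {"key": svc_session, "sname": sname, "endtime": endtime})}

class Client:
    def __init__(self, kdc: KDC, cname: str, password: str, now=time.time):
        self.kdc, self.cname, self.ukey, self.now = kdc, cname, derive_key(password), now
        # TGT tuple; cache of sname -> (ticket, session key, endtime); TGS-REQs actually sent
        self.tgt, self.cache, self.tgs_requests = None, {}, 0

    def logon(self):                      # steps 1 and 2, once at logon
        padata = seal(self.ukey, {"timestamp": self.now()})
        rep = self.kdc.as_exchange({"cname": self.cname, "sname": "krbtgt", "padata": padata})
        enc = unseal(self.ukey, rep["enc_part"])
        self.tgt = (rep["ticket"], bytes.fromhex(enc["key"]), enc["endtime"])

    def service_ticket(self, sname: str) -> tuple:   # steps 3 and 4, skipped while cached
        cached = self.cache.get(sname)
        if cached and self.now() < cached[2]:
            return cached
        ticket, skey, _ = self.tgt
        self.tgs_requests += 1
        auth = seal(skey, {"cname": self.cname, "ctime": self.now()})
        rep = self.kdc.tgs_exchange({"ticket": ticket, "sname": sname, "authenticator": auth})
        enc = unseal(skey, rep["enc_part"])
        self.cache[sname] = (rep["ticket"], bytes.fromhex(enc["key"]), enc["endtime"])
        return self.cache[sname]

    def ap_req(self, sname: str) -> dict:            # step 5, carried inside the app protocol
        ticket, key, _ = self.service_ticket(sname)
        return {"ticket": ticket, "authenticator": seal(key, {"cname": self.cname, "ctime": self.now()})}

def service_accept(service_key: bytes, ap_req: dict, now=time.time) -> str:
    # The service needs only its own key; it never contacts the KDC to validate the ticket.
    tkt = unseal(service_key, ap_req["ticket"])
    if now() > tkt["endtime"]:
        raise ValueError("KRB_AP_ERR_TKT_EXPIRED")
    if unseal(bytes.fromhex(tkt["key"]), ap_req["authenticator"])["cname"] != tkt["cname"]:
        raise ValueError("KRB_AP_ERR_BADMATCH")
    return tkt["cname"]

def demo() -> dict:
    """Logon, two SQL accesses (second served from cache), one more after the ticket expired."""
    clock = [1_700_000_000.0]             # fake clock so the run is deterministic
    now = lambda: clock[0]
    kdc = KDC({"krbtgt": "kdc-secret", "alice": "alice-pw", "MSSQLSvc/sql01": "svc-secret"}, now=now)
    alice = Client(kdc, "alice", "alice-pw", now=now)
    alice.logon()
    who = [service_accept(derive_key("svc-secret"), alice.ap_req("MSSQLSvc/sql01"), now) for _ in range(2)]
    after_two = alice.tgs_requests
    clock[0] += 700                       # service ticket (600 s) expired, TGT (10 h) still valid
    who.append(service_accept(derive_key("svc-secret"), alice.ap_req("MSSQLSvc/sql01"), now))
    try:
        Client(kdc, "alice", "wrong-pw", now=now).logon()
        bad_pw_rejected = False
    except ValueError:
        bad_pw_rejected = True            # pre-auth with the wrong key never yields a TGT
    return {"accepted_as": who, "tgs_after_two": after_two,
            "tgs_after_expiry": alice.tgs_requests, "bad_password_rejected": bad_pw_rejected}
```

Running `demo()` shows the shape of the real thing: only one TGS-REQ is sent for the first two accesses, a third access after the 600 second ticket lifetime triggers a second TGS-REQ while the TGT is still good, and a wrong password fails at the AS stage because the pre-authentication timestamp can't be decrypted. Note also that `service_accept` never talks to the KDC, which is why the AP-REQ only shows up inside the application protocol in a capture.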

Towards the end of the video mentioned at the start of this post, you'll see how each of these diagrams relates to a real-world Wireshark network capture of this whole process happening. So yeah, go watch that 🙂

Port Forwarding Explained (with PT.exe Download)

I recently uploaded a video explaining port forwarding, or port tunnelling as I like to call it. This is a technique that allows you to remotely connect to TCP ports that would not normally allow inbound remote connections (either because of a firewall or because of the way the listener is configured).

EDIT: A few people have asked for my PT.exe program, so here's a download link (it needs more testing and optimising really, so maybe treat this as a BETA version): https://www.dropbox.com/s/64aebproalc3f0t/PT.zip?dl=1

You can see how to use it, and how it works, in the video below.

DC Sync Attacks Explained (Video)

Just uploaded a new video taking an in depth look at how a DC Sync attack works and making use of another Impacket script called secretsdump.py: