Index > Course > 2021-02-22: Windows Authentication; Kerberos

2021-02-22: Windows Authentication; Kerberos

Source summary peer-review is canceled, but now the “next module’s” discussion is more complicated to include some peer review thing.

Restricted Tokens

A primary or impersonation token can be restricted via CreateRestrictedToken. Processes using a restricted token are restricted.

Impersonation Tokens

A client makes a request to a service.

There are four levels of impersonation token:

• Anonymous
  • Doesn’t identify the client
• Identify
  • The service can get the client’s identity, but can’t act as them
• Impersonate
  • The service can act as the client
• Delegate
  • Prof. changed slides too fast

Special Service Accounts

Windows comes with some built-in accounts:

• NT AUTHORITY
  • LocalService
  • networkService
  • LocalSystem

Metasploit plugin: Incognito

When a user logs off, their delegate tokens look like impersonation tokens, but still have all their powers - tokens aren’t cleared until reboot.

File servers have people logging in and out all the time.

With a meterpreter session, you can harvest these tokens and act as these users. No creds or hashes needed.

Service DACLs

Services also have access control lists, which can be misconfigured.

Non-admins changing which binary the service runs is bad.

Auth Components

• Security Reference Monitor
• LSASS
• SAM
  • Security Account Manager

Comms between LSA and SRM

• Local Security Authority
• Security Reference Monitor

How do they communicate? There’s a communication port.

woah

Logon Process

The WinLogon Process presents the login screen. Creds go to the LSA, which returns an access token, which is used to create the new logged-in process.

More detail

1. User hits ctrl+alt+del
2. Winlogon.exe requests creds via CredUI.dll
3. CredUI.dll uses the Cred Provider Interface to get possible logins
4. CredUI.dll shows the Login UI
5. User enters creds to Login UI
6. CredUI.dll returns creds to WinLogon
7. WinLogon sends creds to LSA

LSA does a bunch of checks.

What about a domain-joined computer?

1. ctrl+alt+del
2. WinLogon / GINA gets cresd from user, hands to LSA
3. LSA hits up the domain controllers via Kerberberberososos
4. The domain controller checks AD, returns results
5. LSA returns an access token.

KERBEROS

Kerberos provides authentication over an untrusted network.

There is:

• A user, who wants access to:
• A server/service/resource.
• An Authentication Server
• A “Ticket Granting” Server (TGS)

The user asks the Authentication Server for a ticket-granting ticket. If the Auth server likes you, it returns a session key for the TGS and a ticket-granting-ticket (TGT).

The user asks the TGS for a ticket for the server/service/resource. The TGS returns a session key to use, and a ticket for the server/service/resource.

The user can use their new session key and ticket to talk to the server/service/resource, without ever passing logon creds to the server/service/resource.

---

Index > Course > 2021-02-22: Windows Authentication; Kerberos