Authentication in Windows
Windows Protocols
Protocol Specifications
- Microsoft specification of ALL the protocols (more than 600MB compressed): Windows, Office, SQLServer, SharePoint, Exchange.
- For Windows Protocols, the documentation is split up into:
- Windows Technology Overviews (always start from here)
- Windows Technical Specifications
- References
Active Directory (AD)
- See LDAP and Active Directory in the Access Control section
Authentication Negotiation
Out of scope; listed only to give an idea.
- Introduction to GSSAPI (Oracle): the Generic Security Services API. SSPI (Windows Security Support Provider Interface) is the Windows implementation of GSSAPI.
- Offensive Windows IPC Internals 2: RPC Explains in detail how Remote Procedure Calls (RPC) work in Windows. An essential topic in many protocols, including the negotiation of the authentication protocol (which is what gets downgraded to NTLM in a MITM attack).
- Downgrade SPNEGO Authentication The Windows protocol that client and server use to negotiate authentication, including the reason why a "use Kerberos" offer can be downgraded to "let's use NTLM".
NTLM Protocol
- NT LAN Manager (NTLM) Authentication Protocol The original specification by Microsoft. Extremely complex. Too detailed to be useful (unless you are really an expert working on this very specific topic).
- LM, NTLM, Net-NTLMv2, oh my! Some order in the very confusing terminology of Windows hashes: NTLM hash, NT hash,...
- Live off the Land and Crack the NTLMSSP Protocol Detailed analysis of the network traffic.
Kerberos Protocol
- Microsoft Kerberos All (i.e., too many) details.
- Kerberos tutorial Very clear and compact. More focussed on the non-Windows version.
- Kerberos v5 RFC All (i.e., too many) details.
- Privilege Attribute Certificate (PAC) Many complex details regarding the PAC contained in tickets.
- Abusing Kerberos Relatively old but still highly relevant for:
- Salting in Windows Kerberos vs Standard Kerberos
- Golden ticket and ticket validation
NTLM Attacks
- NTLM Authentication: A Wrap Up Excellent and concise summary, with detailed explanation of:
- offline cracking
- pass-the-hash
- NTLM relay
Pass the Hash (PtH)
As a first approximation, the password hash of an account suffices to impersonate that account, even without knowing the password.
In practice, there are some tricky limitations regarding what can and what cannot be done with a password hash from a remote location. The Pass the Hash section of the above page summarizes those limitations very well. They are not easy to understand, but it is because they are really tricky; I have not found any clearer summary.
- Pass The Hash Excellent summary with lots of examples and screenshots based on many different tools. This specific website (Pentest Everything) is highly recommended because many of its parts are structured according to MITRE ATT&CK.
- Alternative ways to Pass the Hash (PtH) This is a post on a Windows-focused blog. Very, very good.
NTLM Relay
There is a lot of existing material describing techniques and tools for executing NTLM Relay attacks. Such material may be hard to understand when the attack is used as part of a more complex chain, in particular, chains based on advanced Kerberos tricks and/or ACL paths in Active Directory. The links below are generally not based on such complex paths.
- SMB Relay This page deals with gaining code execution by relaying NTLMv1/2 hashes in a very effective manner. Very basic.
- I’M BRINGING RELAYING BACK: A COMPREHENSIVE GUIDE ON RELAYING ANNO 2022
- Relaying Everything: Coercing Authentications Episode 1 – MSSQL
- Other relaying examples in the section of this website about Lateral movement.
NTLM Relay + Coerced authentication in Outlook
- Microsoft fixes Outlook zero-day used by Russian hackers since April 2022
- CVE-2023-23397
- Nice video describing how to obtain full domain compromise. It only takes a meeting invite and a user simply opening Outlook to exploit this vulnerability. Some details are not easy to understand; they require a bit of knowledge of Active Directory Certificate Services.
- From One Vulnerability to Another: Outlook Patch Analysis Reveals Important Flaw in Windows API Akamai realized that the patch issued by Microsoft was incorrect and a further patch was needed. Very well written. My summary and explanation of this mistake (Italian only).
Update 2024
- Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes Varonis Threat Labs discovered a new Outlook vulnerability and three new ways to access NTLM v2 hashed passwords by exploiting Outlook, Windows Performance Analyzer (WPA), and Windows File Explorer.
Kerberos attacks
Finding good targets
Techniques in the Discovery tactic.
- There’s Something About Service Accounts Discovery (SPN scanning) queries for finding service accounts, i.e., accounts that are probably in the Domain Admin group. Description of groups that are often overprivileged and of SPN classes found in many environments.
Kerberoasting and AS-REP Roasting
- Kerberos Authentication: A Wrap Up Very clear and concise summary of Kerberos, along with a detailed explanation of Kerberoasting and AS-REP Roasting.
- Kerberoasting revisited. All you wanted to know about Kerberoasting (and AS-REP Roasting) by harmj0y, an authority on these topics.
- Decrypting the Selection of Supported Kerberos Encryption Types Decrypting Kerberos RC4 tickets (encryption types 0x17 and 0x18, i.e., 23 and 24 in decimal) is much faster than decrypting default AES tickets (0x11 and 0x12, i.e., 17 and 18). This is why in roasting attacks RC4 tickets are requested rather than AES tickets.
- Impacket-GetNPUsers (script GetNPUsers of the Impacket framework) takes a list of usernames, selects those that can be attacked with AS-REP Roasting and obtains the corresponding domain controller response in a format suitable for John the Ripper or Hashcat.
Detecting Kerberoasting
- Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot This post describes how to filter from millions of events (that could be logged at the Domain Controller) to a single one to detect Kerberoasting activity.
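As an added example (not code from the linked post or from any tool), Python detection logic in the spirit of the honeypot approach above: it filters event 4769 records down to successful RC4 (0x17/0x18) service-ticket requests for non-machine, non-krbtgt service accounts and flags a honeypot service name. The field names, the honeypot account name and the sample records are constructed, not real logs.

```python
# Constructed sample 4769 records, shaped like the fields a SIEM would extract; not real logs.
SAMPLE_4769 = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.77"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_honeypot",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.77"},
    {"EventID": 4769, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x1b", "IpAddress": "10.0.0.9"},
    {"EventID": 4768, "TargetUserName": "dave@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.12"},
]

RC4_ETYPES = {0x17, 0x18}              # rc4-hmac and rc4-hmac-exp, as listed on this page
HONEYPOT_SERVICES = {"svc_honeypot"}   # assumed name of the honeypot service account

def is_kerberoast_candidate(ev):
    """True when a single record matches the roasting pattern described above."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False  # only successful service-ticket requests (TGS-REQ) matter
    service = ev.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False  # machine accounts and the KDC itself are routine noise
    return int(ev.get("TicketEncryptionType", "0x0"), 16) in RC4_ETYPES

def find_kerberoast_events(events, honeypots=frozenset()):
    """Return (requester, service, source ip, honeypot_hit) for each suspicious record."""
    return [(ev["TargetUserName"], ev["ServiceName"], ev["IpAddress"], ev["ServiceName"] in honeypots)
            for ev in events if is_kerberoast_candidate(ev)]

def rc4_services_per_requester(events, honeypots=frozenset()):
    """Count distinct RC4-ticketed services per requesting account: many from one user is the stronger signal."""
    seen = {}
    for requester, service, _ip, _hit in find_kerberoast_events(events, honeypots):
        seen.setdefault(requester, set()).add(service)
    return {requester: len(services) for requester, services in seen.items()}

if __name__ == "__main__":
    for hit in find_kerberoast_events(SAMPLE_4769, HONEYPOT_SERVICES):
        print(hit)
```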
Many more Kerberos-based attacks in the section of this website about Lateral movement.
Where does a service account store its password?
There is no user typing that password. The technical details are complex, but the basic idea is not.
- At bootstrap, a high privilege process (SYSTEM or root) creates server processes and associates them with the appropriate service account based on configuration information. The password of the service account is not needed at this point. It is needed when the service account S requests a TGT(S) in Kerberos, i.e., for authenticating to the KDC.
- Service passwords are stored in a file that can only be read by a high privilege process (and by the service account itself). This file is usually encrypted.
- The key for decrypting this file is (derived from) a master key for the entire computer. In Windows this master key is called SYSKEY and it is the one that, in Kerberos, authenticates the computer account to the KDC. The master key is stored in a file that can only be read by a high privilege process.
- An attacker with physical access to the disk will be able to extract the master key for the entire computer.
Some technical details are given below, but extracting the basic idea from them is hard.
- The Keytab File Where service keys are stored in MIT Kerberos.
- Windows Authentication and Attacks 101 — Part B A description of how to decrypt password hashes from the SAM (SYSKEY is needed).
- Windows LSA secrets LSA secrets is a special protected storage for important data used by the Local Security Authority (LSA) in Windows. LSA is designed for managing a system's local security policy, auditing, authenticating, logging users on to the system and storing private data. Users' and the system's sensitive data is stored in secrets. Access to all secret data is available to SYSTEM only.
- WINDOWS SECRETS EXTRACTION: A SUMMARY Post-exploitation in Windows environments often implies secrets collection. The collected secrets can be reused for lateral or vertical movement, making them high value assets. Most people already know the LSASS process, but other secrets such as LSA secrets and DPAPI ones could also allow privilege escalation or access to sensitive resources. This article will describe the different types of secrets that can be found within a Windows machine, and public tools that can be used to retrieve them.