Secure Bits
Do you use Kerberos Armoring in your environment?
If you've followed my previous posts on Kerberos internals, Kerberoasting, and Authentication Policies & Silos, this one's for you.
Let's talk about Kerberos Armoring, technically known as FAST (Flexible Authentication Secure Tunneling): an underused but powerful layer of protection.
🔥 Why it matters:
During the initial Kerberos authentication (AS-REQ), a client sends:
🔹 Client Name (username)
🔹 Service Name (usually krbtgt)
🔹 Encrypted timestamp (using a key derived from the user's password)
An attacker who captures this traffic can brute-force the encrypted timestamp offline to recover the user's secret key (potentially the NT hash), enabling impersonation or password recovery.
🛡️ What Kerberos Armoring does:
Kerberos Armoring protects these sensitive exchanges by encapsulating them in a secure tunnel, established using the computer's own TGT session key.
➡️ This blocks offline brute-force attacks by encrypting the entire pre-auth request with a strong key.
➡️ Without the session key, attackers get nothing usable.
⚙️ How to enable it:
✅ On clients (GPO):
Kerberos client support for claims, compound authentication, and Kerberos armoring
✅ On domain controllers (GPO):
KDC support for claims, compound authentication, and Kerberos armoring
🔧 If you want to enforce it (fail if not available), you can set:
Fail authentication requests when Kerberos armoring is not available
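A quick way to check where a machine actually stands on the three settings above, as an added example that is not part of the original post: the script below reads the local policy state and reports whether armoring is merely supported or actually enforced. It assumes the registry locations the Kerberos and KDC ADMX policies write (EnableCbacAndArmor and RequireFast under the Kerberos\Parameters and KDC\Parameters policy keys, with KDC value 3 meaning "fail unarmored authentication requests"); those paths and value meanings are my assumption, not something the post states, so verify them against your own ADMX files before relying on the output.

```powershell
# Added example (not from the original post): audit the Kerberos armoring (FAST)
# policy state on the local machine.
# Assumption: these are the registry values that the two GPO settings named above
# and the "fail if not available" setting write. Verify against your ADMX files.

$clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$kdcKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is "Not Configured".
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-KerberosArmoringState {
    # Client side: support for claims / compound auth / armoring, and whether the
    # client refuses to authenticate when armoring is not available.
    $clientSupport = Get-PolicyValue -Path $clientKey -Name 'EnableCbacAndArmor'
    $clientRequire = Get-PolicyValue -Path $clientKey -Name 'RequireFast'

    # KDC side: only meaningful on a domain controller. Assumed value meanings,
    # matching the policy UI: 0 = not supported, 1 = supported,
    # 2 = always provide claims, 3 = fail unarmored authentication requests.
    $kdcSupport = Get-PolicyValue -Path $kdcKey -Name 'EnableCbacAndArmor'

    # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem).
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    [pscustomobject]@{
        ClientArmoringSupported = ($clientSupport -eq 1)
        ClientArmoringRequired  = ($clientRequire -eq 1)
        IsDomainController      = $isDC
        KdcArmoringSetting      = $kdcSupport
        KdcFailsUnarmored       = ($kdcSupport -eq 3)
    }
}

$state = Get-KerberosArmoringState
$state | Format-List

# Supporting armoring is not the same as enforcing it: call out each gap explicitly.
if (-not $state.ClientArmoringSupported) {
    Write-Warning 'Client: Kerberos armoring is not enabled; the AS-REQ pre-auth is sent unarmored.'
}
elseif (-not $state.ClientArmoringRequired) {
    Write-Warning 'Client: armoring is supported but not required; authentication still succeeds against a KDC that does not offer FAST.'
}
if ($state.IsDomainController -and -not $state.KdcFailsUnarmored) {
    Write-Warning 'KDC: unarmored authentication requests are still accepted.'
}
```

Run it as an administrator on a representative client and on each domain controller; GPO-delivered values only show up after the policy has applied (gpupdate /force if in doubt). Because the "fail if not available" settings do exactly what they say, turn them on only once every client and DC in scope already shows armoring as supported, otherwise the enforcement step turns into an authentication outage rather than a hardening.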
💬 Are you enforcing Kerberos Armoring, or is your domain still vulnerable to offline password attacks?
