Windows Authentication | Domain Authentication

Windows has had many identity authentication schemes and they keep being upgraded, but inside a domain the protocol actually in use is still Kerberos.

Kerberos is a network authentication protocol. Its design does not depend on the host operating system's own authentication, does not base trust on host addresses, does not require every host on the network to be physically secure, and assumes that packets on the wire can be read, modified and injected at will. In other words, it starts from the premise of an insecure network and authenticates through a trusted third party, which is what distinguishes it from a direct exchange between two hosts.

The name Kerberos comes from Greek mythology: it is the name of the hound that guards the gates of the underworld.

[Figure: the three parties in Kerberos authentication: client, server and KDC]

As the figure shows, Kerberos authentication involves three parties: the client, the server and the KDC (Key Distribution Center).

The KDC itself consists of two services: the AS (Authentication Service) and the TGS (Ticket Granting Service).

The AS issues the client a TGT (Ticket Granting Ticket); the TGS issues the client a Ticket for a particular service. The TGT is the credential used to obtain a Ticket, and the Ticket is the credential that must be presented to access a service.

Only a user who holds a TGT can obtain a Ticket, and only with a Ticket can the service on the server be accessed.

In a Windows domain the Domain Controller (DC) plays the role of the KDC. Note also that it holds AD (Active Directory), which, much like the local SAM database, stores the accounts of every client in the domain; only a client that exists in AD can request a TGT.

Physically, AD and the KDC both live on the Domain Controller (DC).

**The domain authentication process, roughly:**

  • The client first sends the DC a request to access the server. When the DC receives it, the AS first asks AD whether this client is on the list of known accounts; if it is, the AS returns a TGT to the client.

  • The client then takes the TGT and sends the DC a second request for access to the server. When the DC receives it, the TGS uses the TGT to decide whether this client may use the server's service; if so, it returns a Ticket to the client.

  • Finally the client presents the Ticket to the server. A Ticket is valid only for that server; to access a different server the client must request another one.

The picture below makes the overall flow easier to follow; the process is restated in plain language at the end of the article.

[Figure: overview of the Kerberos authentication flow]

Next we walk through the complete request flow packet by packet.

The machines used in this experiment:

DC 192.168.5.130

Client 192.168.5.238
Computer name: SECQUAN_WIN7-PC
Domain user: win7

Server 192.168.5.239
Computer name: SECQUAN_WIN7
Domain user: win71

The Kerberos packets explained below were captured by accessing a network share on the server from the client.

[Figure: the captured Kerberos packets]

First, the first step of the process:

[Figure: step 1, the AS exchange]

After the client sends its identity information to the KDC and the KDC validates it, the KDC generates a random session key locally and returns two messages to the client.

  • The first is the session key encrypted with the NTLM hash of the user name the client supplied. Why can the KDC use that user's NTLM hash? Because AD stores every domain user's password hash along with the rest of the account information: after the client sends its identity information, the AS first asks AD whether the user exists, and if so retrieves that user's NTLM hash, uses it to encrypt the freshly generated session key, and returns the result as the first message.

  • The second is the user's information together with the session key, encrypted by the KDC with the NTLM hash of one particular account, krbtgt (the krbtgt account is created automatically when the domain controller is set up, and the system assigns it a random password). This encrypted blob is the TGT, and it is what the client presents in the next step to request a ticket.

  • The same session key appears in both messages.

Next, let's look in detail at what each of these messages actually contains.

First, what the client sends when it presents its identity:

[Figure: KRB_AS_REQ packet]

It sends a KRB_AS_REQ request containing a timestamp encrypted by the client with the user's key, its own name and other identifying information, and the realm and server information for the request.

Here is the complete packet:

[Figure: KRB_AS_REQ packet details]

When the KDC's verification succeeds it returns a KRB_AS_REP to the client, which contains the following:

[Figure: KRB_AS_REP contents]

And the corresponding fields in the packet:

[Figure: KRB_AS_REP packet details]

At this point the first step of the Kerberos exchange is complete: the client now holds the TGT it needs, and the next step is to use the TGT to request a ticket.

Another point to note about the two returned pieces: the first, encrypted with the client's hash, can be decrypted by the client with its own NTLM hash to recover the session key. The client does not have the KDC's hash, that is, it does not know the krbtgt account's password, so it cannot read the contents of the TGT; it can only use the session key it just obtained to continue communicating with the TGS.

Next, the second step of the protocol:

[Figure: step 2, the TGS exchange]

First the client takes the TGT it just received, then uses the session key (recovered earlier by decrypting with its own NTLM hash) to encrypt its client information and a timestamp, and sends these three things, the TGT, the encrypted client information and timestamp, and the client and server names, to the TGS.

When the TGS receives them it can decrypt the TGT, because as part of the KDC it holds the krbtgt account's NTLM hash. Why decrypt the TGT at all? The TGS has no copy of the session key of its own, so it cannot check the client's encrypted authenticator without one; the session key is stored inside the TGT, so by decrypting the TGT the TGS obtains it. It then uses that session key to decrypt the client's encrypted content and recover the timestamp. If the timestamp differs too much from the current time, the client must authenticate again, repeating step 1 to request a fresh TGT (Kerberos was designed on the assumption of an insecure network with an attacker in the middle, so it relies on timestamps to limit replay).

The TGS also compares the client information sent in the request with the client information inside the TGT. If the two match, it goes on to check whether this client is allowed to access the server; if everything is in order, authentication succeeds and a ticket is returned to the client.

The reply contains two pieces of information:

  • First, the TGS generates a new random server session key locally and encrypts it with the session key from step 1. This server session key is used later in the authentication between the client and the server.

  • Second, the ticket: the KDC looks up the server's NTLM hash in AD using the information it received earlier, encrypts the ticket with that hash, and returns both pieces to the client together.

After receiving them the client has the session key, so it can decrypt the first part and obtain the server session key; it does not have the server's hash, so it cannot decrypt the ticket.

The ticket mainly contains the following:

[Figure: ticket contents]

Now let's look over the complete packet flow.

First, the client sends a krb-tgs-req:

[Figure: krb-tgs-req packet]

After the TGS processes it, it replies with a krb-tgs-rep:

[Figure: krb-tgs-rep packet]

At this point communication with the KDC is over; next the client takes the ticket to the server.

[Figure: step 3, the AP exchange]

The client sends the server a krb-ap-req. Its first part is the Ticket, which the client itself cannot decrypt; its second part is the client information and a timestamp, encrypted with the server session key the client decrypted earlier. Both are sent to the server together.

When the server receives the packet, it decrypts the ticket with its own hash and obtains the server session key, then uses that key to decrypt the client information and timestamp in the krb-ap-req. It compares that client information with the client information inside the ticket, and compares the timestamp with the end time in the ticket; if the timestamp is past the end time, the ticket has expired and the client must authenticate again.

In fact, throughout the Kerberos process the TGT and the ticket have the same structure. The only difference is that the TGT carries the session key while the ticket carries the server session key; the session key is delivered to the client by the AS, the server session key by the TGS.

Here are the two packets of this exchange:

[Figure: krb-ap-req packet]

[Figure: krb-ap-rep packet]

In fact the entire Kerberos authentication process is a continuous exchange of keys: symmetric encryption and decryption are used to verify identities and timestamps, and the end result is authentication.
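To make the three exchanges above concrete, here is a small Python model of the whole flow, added to this article as an illustration; it is not code from the original post and not Windows' implementation. It assumes stand-in keys (SHA-256 of the password instead of the NT hash), a toy HMAC-based cipher instead of RC4-HMAC or AES, a constructed AD with made-up passwords for the lab accounts win7, SECQUAN_WIN7$ and krbtgt, and uses the RFC 4120 error names as exception messages. It shows the points the walkthrough makes: the TGT and ticket have the same shape and differ only in which key seals them, the client can open neither, the TGS recovers the session key from the TGT, and the server rejects a ticket whose timestamp is past its end time.

```python
"""Toy model of the three exchanges walked through above (AS, TGS, AP).
Added example, not code from the original post. Assumptions: each account's
long-term key is SHA-256 of its password, standing in for the NT hash (MD4 of
the UTF-16LE password), and "encryption" is a toy HMAC-keystream XOR plus an
HMAC tag, so a wrong key or a tampered message is detected. Not a real cipher."""
import hashlib, hmac, json, os

MAX_SKEW = 300           # tolerated clock skew in seconds (Windows default: 5 minutes)
TICKET_LIFE = 10 * 3600  # ticket lifetime in seconds (Windows default: 10 hours)

def long_term_key(password: str) -> bytes:
    """Stand-in for the NTLM hash AD stores for each user, computer and krbtgt."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered message")  # without the right hash it stays opaque
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """AS and TGS on the domain controller; `ad` maps principal name -> long-term key."""
    def __init__(self, ad: dict):
        self.ad = ad
        self.krbtgt_key = ad["krbtgt"]  # TGTs are sealed with this; only the KDC can open them

    def as_exchange(self, cname: str, pa_blob: bytes, now: int):
        """Step 1, KRB_AS_REQ -> KRB_AS_REP: (session key under user key, TGT)."""
        if cname not in self.ad:
            raise PermissionError("KDC_ERR_C_PRINCIPAL_UNKNOWN")  # not in AD
        user_key = self.ad[cname]
        pa = decrypt(user_key, pa_blob)  # timestamp the client encrypted with its own key
        if abs(now - pa["timestamp"]) > MAX_SKEW:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        session_key = os.urandom(32).hex()
        tgt = encrypt(self.krbtgt_key, {"cname": cname, "session_key": session_key,
                                        "endtime": now + TICKET_LIFE})
        return encrypt(user_key, {"session_key": session_key}), tgt

    def tgs_exchange(self, tgt: bytes, auth_blob: bytes, sname: str, now: int):
        """Step 2, KRB_TGS_REQ -> KRB_TGS_REP: (server session key under session key, ticket)."""
        t = decrypt(self.krbtgt_key, tgt)       # the TGS gets the session key out of the TGT
        session_key = bytes.fromhex(t["session_key"])
        auth = decrypt(session_key, auth_blob)  # client info + timestamp sent by the client
        if auth["cname"] != t["cname"]:
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        if abs(now - auth["timestamp"]) > MAX_SKEW or now > t["endtime"]:
            raise PermissionError("KRB_AP_ERR_SKEW")  # client has to go back to step 1
        if sname not in self.ad:
            raise PermissionError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
        svc_session_key = os.urandom(32).hex()
        ticket = encrypt(self.ad[sname], {"cname": t["cname"], "session_key": svc_session_key,
                                          "endtime": now + TICKET_LIFE})  # sealed with server hash
        return encrypt(session_key, {"session_key": svc_session_key}), ticket

def ap_verify(service_key: bytes, ticket: bytes, auth_blob: bytes, now: int) -> str:
    """Step 3, KRB_AP_REQ checked by the server; returns the authenticated client name."""
    t = decrypt(service_key, ticket)  # the server's own hash opens the ticket
    if now > t["endtime"]:
        raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
    auth = decrypt(bytes.fromhex(t["session_key"]), auth_blob)
    if auth["cname"] != t["cname"]:
        raise PermissionError("KRB_AP_ERR_BADMATCH")
    if abs(now - auth["timestamp"]) > MAX_SKEW:
        raise PermissionError("KRB_AP_ERR_SKEW")
    return t["cname"]

def authenticate(kdc: KDC, user: str, password: str, sname: str, now: int):
    """Client side of all three steps; returns the (ticket, authenticator) pair of the AP-REQ."""
    user_key = long_term_key(password)
    enc, tgt = kdc.as_exchange(user, encrypt(user_key, {"timestamp": now}), now)
    session_key = bytes.fromhex(decrypt(user_key, enc)["session_key"])  # TGT itself stays opaque
    enc, ticket = kdc.tgs_exchange(tgt, encrypt(session_key, {"cname": user, "timestamp": now}),
                                   sname, now)
    svc_session_key = bytes.fromhex(decrypt(session_key, enc)["session_key"])  # ticket stays opaque
    return ticket, encrypt(svc_session_key, {"cname": user, "timestamp": now})

def build_lab():
    """Constructed AD for the lab hosts in the post; the passwords are made up."""
    ad = {"win7": long_term_key("Winter2019!"),
          "SECQUAN_WIN7$": long_term_key("machine-account-secret"),
          "krbtgt": long_term_key("random-krbtgt-password")}
    return KDC(ad), ad
```

With `kdc, ad = build_lab()`, a call to `authenticate(kdc, "win7", "Winter2019!", "SECQUAN_WIN7$", now)` followed by `ap_verify(ad["SECQUAN_WIN7$"], ticket, ap_req, now)` returns "win7"; a wrong password fails at the AS with a decryption error, a client name absent from AD is refused before any decryption, and the same ticket presented 11 hours later is rejected as expired.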

Finally, a more down-to-earth way to put it:

Suppose you are taking a flight. First you go to buy a ticket, and the seller (the AS) naturally verifies your identity (the client information); once that passes, you receive your ticket (the TGT). Then, when boarding, the gate staff (the TGS) check your ticket (the TGT) and tell you your seat on the aircraft (the ticket), and with that you can go and take your seat.

First published on the WeChat public account wuxinmengyi (无心梦呓)

A personal public account recording red team learning notes and personal growth


Source: www.cnblogs.com/wuxinmengyi/p/11601346.html