🌭Kerberos "Double Hop" Problem
There's an issue known as the "Double Hop" problem that arises when an attacker attempts to use Kerberos authentication across two (or more) hops. The issue concerns how Kerberos tickets are granted for specific resources. Kerberos tickets should not be viewed as passwords. They are signed pieces of data from the KDC that state what resources an account can access. When we perform Kerberos authentication, we get a "ticket" that permits us to access the requested resource (i.e., a single machine). On the contrary, when we use a password to authenticate, that NTLM hash is stored in our session and can be used elsewhere without issue.
The crux of the issue is that when using WinRM to authenticate over two or more connections, the user's password is never cached as part of their login. If we use Mimikatz to look at the session, we'll see that all credentials are blank. As stated previously, when we use Kerberos to establish a remote session, we are not using a password for authentication. When password authentication is used, with PSExec, for example, that NTLM hash is stored in the session, so when we go to access another resource, the machine can pull the hash from memory and authenticate us.
If we authenticate to the remote host via WinRM and then run Mimikatz, we don't see credentials for the backupadm
user in memory.
(we don't see him in the dump) but there are processes running in the context of the backupadm
user, such as wsmprovhost.exe
When we connect to DEV01
using a tool such as evil-winrm
, we connect with network authentication, so our credentials are not stored in memory and, therefore, will not be present on the system to authenticate to other resources on behalf of our user. When we load a tool such as PowerView
and attempt to query Active Directory, Kerberos has no way of telling the DC that our user can access resources in the domain. This happens because the user's Kerberos TGT (Ticket Granting Ticket) ticket is not sent to the remote session; therefore, the user has no way to prove their identity, and commands will no longer be run in this user's context. In other words, when authenticating to the target host, the user's ticket-granting service (TGS) ticket is sent to the remote service, which allows command execution, but the user's TGT ticket is not sent. When the user attempts to access subsequent resources in the domain, their TGT will not be present in the request, so the remote service will have no way to prove that the authentication attempt is valid, and we will be denied access to the remote service.
We can look at this post to look for workaround the double hop issue
Workaround #1: PSCredential Object
We can also connect to the remote host via host A and set up a PSCredential object to pass our credentials again. we import PowerView and then try to run a command.
We can start by checking for cached kerberos tickets with klist command ->
So now, let's set up a PSCredential object and try again.
Now we can try to query the SPN accounts using PowerView and are successful because we passed our credentials along with the command.
but if we remove the -credential
flag we will get an error. If we RDP to the same host, open a CMD prompt, and type klist
, we'll see that we have the necessary tickets cached to interact directly with the Domain Controller, and we don't need to worry about the double hop problem. This is because our password is stored in memory, so it can be sent along with every request we make.
Workaround #2: Register PSSession Configuration
If we can't use evil-winrm like if we're on a domain-joined host and can connect remotely to another using WinRM? Or we are working from a Windows attack host and connect to our target via WinRM using the Enter-PSSession cmdlet
We can start by first establishing a WinRM session on the remote host
If we check cached creds using klist we have the double hop problem, we can only interact with resources in our current session but cannot access the DC directly using PowerView.
And we won't be able to interract with DC using PowerView
To work arounf this problem we can try registering a new session configuration using the Register-PSSessionConfiguration cmdlet.
Once this is done, we need to restart the WinRM service by typing Restart-Service WinRM
in our current PSSession.
After we start the session, we can see that the double hop problem has been eliminated, and if we type klist
, we'll have the cached tickets necessary to reach the Domain Controller. This works because our local machine will now impersonate the remote machine in the context of the backupadm
user and all requests from our local machine will be sent directly to the Domain Controller.
We can now run tools such as PowerView without having to create a new PSCredential object.
Last updated