Fix Kerberos “Double Hop” in Active Directory
Introduction
Imagine trying to pass a message through a chain of people, only to discover that the critical piece of information, i.e. your identity, gets lost along the way. This is essentially the challenge posed by the Kerberos “Double Hop” problem. In today’s interconnected world, where lateral movement across systems is often essential for both legitimate operations and cybersecurity assessments, understanding and solving this issue is more critical than ever.
The Kerberos “Double Hop” problem isn’t just a technical hiccup; it’s a limitation rooted in how authentication works in distributed systems. By delving into its mechanics and exploring practical workarounds, we can demystify this challenge and help you navigate complex Active Directory (AD) environments with confidence.
What Is the Kerberos “Double Hop” Problem?
At its core, the “Double Hop” problem arises when Kerberos authentication fails to pass user credentials across multiple connections or “hops.” This typically happens when using Windows Remote Management (WinRM) or PowerShell remoting. Unlike NTLM-based authentication, which stores hashed credentials in memory for reuse, Kerberos relies on tickets issued by a Key Distribution Centre (KDC). These tickets are specific to the resource being accessed and are not forwarded to subsequent systems by default.
For example:
- Hop 1: A user authenticates from their workstation to a remote server (e.g., DEV01) using Kerberos.
- Hop 2: The same user attempts to access another resource (e.g., DC01) from DEV01. Here, the Kerberos ticket from the first hop doesn’t carry over, leading to an authentication failure.
This limitation can impede tasks like domain enumeration or accessing shared resources, making it a significant roadblock in both administrative operations and penetration testing.
Understanding the Mechanics
How Kerberos Authentication Works
Kerberos uses two types of tickets:
- Ticket Granting Ticket (TGT): Proves the user’s identity to the KDC.
- Ticket Granting Service (TGS): Grants access to specific resources.
In a single-hop scenario, the TGS is sufficient for accessing a resource. However, in multi-hop scenarios, the absence of the TGT prevents further ticket issuance, leading to authentication failures.
Why NTLM Doesn’t Have This Problem
NTLM stores hashed credentials in memory during a session. These hashes can be reused for subsequent authentications, enabling seamless multi-hop access. However, this approach is less secure than Kerberos, as cached credentials are more susceptible to attacks like pass-the-hash.
Why It Matters
The implications of the “Double Hop” problem extend beyond mere inconvenience:
- For IT Administrators: It complicates tasks like managing remote servers or automating workflows across multiple systems.
- For Penetration Testers: It limits lateral movement during assessments unless specific workarounds are employed.
- For Security Posture: Misconfigurations like unconstrained delegation can inadvertently expose environments to credential theft and impersonation attacks.
In short, mastering this issue is essential for both operational efficiency and robust cybersecurity practices.
Workarounds: Practical Solutions
Using PSCredential Objects
A straightforward solution involves explicitly passing credentials with each command using PowerShell’s PSCredential object:
# Build the PSCredential object. ConvertTo-SecureString -AsPlainText is shown for
# illustration only; prefer Get-Credential or Read-Host -AsSecureString so the
# password does not end up in scripts or the PowerShell history.
$SecPassword = ConvertTo-SecureString 'YourPassword' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Domain\User', $SecPassword)
# Pass the credential explicitly; the remote session on DEV01 logs on as Domain\User.
Invoke-Command -ComputerName DEV01 -ScriptBlock { Get-Service } -Credential $Cred
This method ensures that credentials are re-authenticated at each hop but requires manual setup for every command.
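As an added example that is not part of the original article, the following script reproduces the failing second hop from a workstation and then fixes it by carrying the PSCredential into the remote scope with $using:. DEV01 and DC01 are the article's host names; the account name, the SYSVOL share and the presence of the RSAT ActiveDirectory module on DEV01 are assumptions.

```powershell
# Added example, not code from the original article. Assumes DOMAIN\User can
# log on to DEV01 and that DEV01 has the RSAT ActiveDirectory module installed.
$SecPassword = Read-Host -Prompt 'Password for DOMAIN\User' -AsSecureString
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\User', $SecPassword)

# Hop 1: the workstation authenticates to DEV01 with Kerberos. WinRM performs a
# network logon there, so DEV01 never receives the user's TGT.
$Session = New-PSSession -ComputerName DEV01 -Credential $Cred

# Inspect DEV01's ticket cache for this logon session: no krbtgt (TGT) entry
# is present, which is why DEV01 cannot obtain a service ticket for DC01.
Invoke-Command -Session $Session -ScriptBlock { klist }

# Hop 2 without credentials: DEV01 has nothing to authenticate with, so the
# request to DC01 fails (typically "Access is denied").
Invoke-Command -Session $Session -ScriptBlock {
    try   { Get-ChildItem -Path '\\DC01\SYSVOL' -ErrorAction Stop | Select-Object -First 3 Name }
    catch { "Second hop without credentials failed: $($_.Exception.Message)" }
}

# Hop 2 with explicit credentials: $using:Cred serialises the PSCredential into
# the remote scope, so the cmdlet on DEV01 performs a fresh logon as the user
# and authenticates to DC01 itself. This is the per-hop re-authentication the
# article describes, and it must be repeated for every command that leaves DEV01.
Invoke-Command -Session $Session -ScriptBlock {
    Get-ADUser -Filter * -Server DC01 -Credential $using:Cred |
        Select-Object -First 5 SamAccountName
}

Remove-PSSession -Session $Session
```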
Registering PSSession Configurations
When working on a domain-joined host or using GUI access:
- Register a new session configuration with elevated privileges (run from an elevated prompt on the host you will connect to, here DEV01; you are prompted for the account's password):
Register-PSSessionConfiguration -Name CustomSession -RunAsCredential Domain\User
- Restart the WinRM service so the new configuration is loaded:
Restart-Service WinRM
- Use this configuration for subsequent sessions; commands inside the session run as Domain\User with a full logon (and therefore a TGT), so the second hop succeeds:
Enter-PSSession -ComputerName DEV01 -ConfigurationName CustomSession
This approach eliminates the need for repeatedly passing credentials but requires administrative rights and careful configuration.
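The three steps above as one end-to-end script, with verification and clean-up (an added example, not code from the original article). It is run in an elevated prompt on DEV01; the account and configuration name are assumptions.

```powershell
# Added example, not code from the original article. Run in an elevated
# PowerShell prompt on DEV01 (the host you later connect to); the account and
# configuration name are assumptions.
$RunAs = Get-Credential -UserName 'DOMAIN\User' -Message 'Account the session will run as'

# Register a configuration whose commands run as $RunAs. WinRM performs a full
# logon for that account when a session starts, so the session owns a TGT and
# can reach DC01 without credentials being passed again.
Register-PSSessionConfiguration -Name CustomSession -RunAsCredential $RunAs -Force | Out-Null
Restart-Service -Name WinRM

# Confirm the configuration exists and records the RunAs identity.
Get-PSSessionConfiguration -Name CustomSession | Select-Object Name, RunAsUser, Permission

# From the workstation (or locally), connect using the configuration and test
# the second hop without any -Credential on the inner commands.
Invoke-Command -ComputerName DEV01 -ConfigurationName CustomSession -ScriptBlock {
    "Running as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    klist | Select-String 'krbtgt'            # a TGT is now present in the cache
    Get-ChildItem -Path '\\DC01\SYSVOL' | Select-Object -First 3 Name
}

# Clean up when the task is finished: the RunAs account's credentials stay
# stored on DEV01 for as long as the configuration exists.
Unregister-PSSessionConfiguration -Name CustomSession -Force
Restart-Service -Name WinRM
```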
Leveraging RDP or GUI Access
Remote Desktop Protocol (RDP) sessions cache credentials locally, allowing seamless multi-hop access. While not always feasible during penetration tests, this method is ideal for administrative tasks.
Exploring Advanced Techniques
Other methods include:
- CredSSP (Credential Security Support Provider): Enables delegation of credentials but requires explicit configuration.
- Port Forwarding or Proxying: Routes traffic through intermediate hosts without requiring multi-hop authentication.
- Unconstrained Delegation: While effective, it poses significant security risks and should be avoided unless absolutely necessary.
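As an added defender-side example (not part of the original article), this audit lists the delegation settings the list above warns about: accounts with unconstrained delegation in the domain, and whether CredSSP is enabled on the local WinRM client and service. It assumes a domain-joined host with the RSAT ActiveDirectory module.

```powershell
# Added example, not code from the original article. Assumes a domain-joined
# host with the RSAT ActiveDirectory module and rights to read AD and WSMan.
Import-Module ActiveDirectory

# Unconstrained delegation (TrustedForDelegation): such a host caches every
# connecting user's TGT, which is exactly the ticket the double hop lacks and
# exactly what is harvested if that host is compromised.
$DCs = (Get-ADDomainController -Filter *).Name
$Computers = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
    Where-Object { $DCs -notcontains $_.Name }        # domain controllers have it by design
$Users = Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation

"Non-DC computers with unconstrained delegation: $(@($Computers).Count)"
$Computers | Select-Object Name, DNSHostName | Format-Table -AutoSize
"User accounts with unconstrained delegation: $(@($Users).Count)"
$Users | Select-Object SamAccountName | Format-Table -AutoSize

# CredSSP on the local WinRM client and service. With CredSSP the user's
# credentials are forwarded to the remote host, so it should stay disabled
# unless a documented hop requires it, and then only for listed hosts.
$CredSspClient  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
$CredSspService = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
"WinRM client allows CredSSP : $CredSspClient"
"WinRM service accepts CredSSP: $CredSspService"

# If CredSSP is on, list the delegation targets the local policy permits.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
if (Test-Path $PolicyKey) {
    "Hosts permitted for fresh credential delegation:"
    (Get-ItemProperty $PolicyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { "  $($_.Value)" }
}
```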
Real-World Analogies
Think of Kerberos tickets as event passes:
- A TGS is like a ticket for one specific concert—it gets you into that venue but nowhere else.
- A TGT is akin to a VIP pass—it allows you to request tickets for multiple events without re-verifying your identity each time.
The “Double Hop” problem occurs when you forget your VIP pass at home and can’t get into subsequent events after attending the first one.
Statistics That Speak Volumes
According to industry reports:
- Over 70% of organisations rely on Active Directory for identity management.
- Misconfigurations like unconstrained delegation were exploited in 60% of AD-related breaches in recent years.
These figures underscore the importance of understanding both the limitations and risks associated with Kerberos authentication.
A Balancing Act
The Kerberos “Double Hop” problem exemplifies how security measures can sometimes clash with usability. While workarounds exist, they often involve trade-offs between convenience and security. For IT professionals and penetration testers alike, mastering these techniques is not just about overcoming technical hurdles; it’s about navigating complex environments with precision and foresight.
As we continue to rely on interconnected systems, understanding such nuances will only grow in importance.