{"id":245,"date":"2025-02-03T00:00:00","date_gmt":"2025-02-02T23:00:00","guid":{"rendered":"https:\/\/kosokoking.com\/?p=245"},"modified":"2025-01-31T17:07:54","modified_gmt":"2025-01-31T16:07:54","slug":"fix-kerberos-double-hop-in-active-directory","status":"publish","type":"post","link":"https:\/\/kosokoking.com\/index.php\/security\/fix-kerberos-double-hop-in-active-directory\/","title":{"rendered":"Fix Kerberos “Double Hop” in Active Directory"},"content":{"rendered":"\n

Introduction<\/strong><\/h2>\n\n\n\n

Imagine trying to pass a message through a chain of people, only to discover that the critical piece of information, i.e. your identity, gets lost along the way. This is essentially the challenge posed by the Kerberos “Double Hop” problem. In today’s interconnected world, where lateral movement across systems is often essential for both legitimate operations and cybersecurity assessments, understanding and solving this issue is more critical than ever.<\/p>\n\n\n\n

The Kerberos “Double Hop” problem isn’t just a technical hiccup, but it’s a limitation rooted in how authentication works in distributed systems. By delving into its mechanics and exploring practical workarounds, we can demystify this challenge and empower you to navigate complex Active Directory (AD) environments with confidence.<\/p>\n\n\n\n

What Is the Kerberos “Double Hop” Problem?<\/strong><\/h2>\n\n\n\n

At its core, the “Double Hop” problem arises when Kerberos authentication fails to pass user credentials across multiple connections or “hops.” This typically happens when using Windows Remote Management (WinRM) or PowerShell remoting. Unlike NTLM-based authentication, which stores hashed credentials in memory for reuse, Kerberos relies on tickets issued by a Key Distribution Centre (KDC). These tickets are specific to the resource being accessed and are not forwarded to subsequent systems by default.<\/p>\n\n\n\n

For example:<\/p>\n\n\n\n

    \n
  • Hop 1<\/strong>: A user authenticates from their workstation to a remote server (e.g.,\u00a0DEV01) using Kerberos.<\/li>\n\n\n\n
  • Hop 2<\/strong>: The same user attempts to access another resource (e.g.,\u00a0DC01) from\u00a0DEV01. Here, the Kerberos ticket from the first hop doesn’t carry over, leading to an authentication failure.<\/li>\n<\/ul>\n\n\n\n

    This limitation can impede tasks like domain enumeration or accessing shared resources, making it a significant roadblock in both administrative operations and penetration testing.<\/p>\n\n\n\n

    Understanding the Mechanics<\/strong><\/h2>\n\n\n\n

    How Kerberos Authentication Works<\/strong><\/h3>\n\n\n\n

    Kerberos uses two types of tickets:<\/p>\n\n\n\n

      \n
    1. Ticket Granting Ticket (TGT):<\/strong>\u00a0Proves the user’s identity to the KDC.<\/li>\n\n\n\n
    2. Ticket Granting Service (TGS):<\/strong>\u00a0Grants access to specific resources.<\/li>\n<\/ol>\n\n\n\n

      In a single-hop scenario, the TGS is sufficient for accessing a resource. However, in multi-hop scenarios, the absence of the TGT prevents further ticket issuance, leading to authentication failures.<\/p>\n\n\n\n

      Why NTLM Doesn’t Have This Problem<\/strong><\/h2>\n\n\n\n

      NTLM stores hashed credentials in memory during a session. These hashes can be reused for subsequent authentications, enabling seamless multi-hop access. However, this approach is less secure than Kerberos, as cached credentials are more susceptible to attacks like pass-the-hash.<\/p>\n\n\n\n

      Why It Matters<\/strong><\/h2>\n\n\n\n

      The implications of the “Double Hop” problem extend beyond mere inconvenience:<\/p>\n\n\n\n

        \n
      • For IT Administrators:<\/strong>\u00a0It complicates tasks like managing remote servers or automating workflows across multiple systems.<\/li>\n\n\n\n
      • For Penetration Testers:<\/strong>\u00a0It limits lateral movement during assessments unless specific workarounds are employed.<\/li>\n\n\n\n
      • For Security Posture:<\/strong>\u00a0Misconfigurations like unconstrained delegation, can inadvertently expose environments to credential theft and impersonation attacks.<\/li>\n<\/ul>\n\n\n\n

        In short, mastering this issue is essential for both operational efficiency and robust cybersecurity practices.<\/p>\n\n\n\n

        Workarounds: Practical Solutions<\/strong><\/h2>\n\n\n\n

        Using PSCredential Objects<\/strong><\/h3>\n\n\n\n

        A straightforward solution involves explicitly passing credentials with each command using PowerShell’s PSCredential object:<\/p>\n\n\n\n

        \n
        $SecPassword = ConvertTo-SecureString 'YourPassword' -AsPlainText -Force<\/code><\/pre>\n\n\n\n
        $Cred = New-Object System.Management.Automation.PSCredential('Domain\\User', $SecPassword)<\/code><\/pre>\n\n\n\n
        Invoke-Command -ComputerName DEV01 -ScriptBlock { Get-Service } -Credential $Cred<\/code><\/pre>\n<\/div><\/div>\n\n\n\n
        This method ensures that credentials are re-authenticated at each hop but requires manual setup for every command.<\/p>\n\n\n\n
        Registering PSSession Configurations<\/strong><\/h3>\n\n\n\n
        When working on a domain-joined host or using GUI access:<\/p>\n\n\n\n
          \n
        • Register a new session configuration with elevated privileges:<\/li>\n<\/ul>\n\n\n\n
          Register-PSSessionConfiguration -Name CustomSession -RunAsCredential Domain\\User<\/code><\/pre>\n\n\n\n
            \n
          • Restart the WinRM service:<\/li>\n<\/ul>\n\n\n\n
            Restart-Service WinRM<\/code><\/pre>\n\n\n\n
              \n
            • Use this configuration for subsequent sessions:<\/li>\n<\/ul>\n\n\n\n
              Enter-PSSession -ComputerName DEV01 -ConfigurationName CustomSession<\/code><\/pre>\n\n\n\n
              This approach eliminates the need for repeatedly passing credentials but requires administrative rights and careful configuration.<\/p>\n\n\n\n
              Leveraging RDP or GUI Access<\/strong><\/h3>\n\n\n\n
              Remote Desktop Protocol (RDP) sessions cache credentials locally, allowing seamless multi-hop access. While not always feasible during penetration tests, this method is ideal for administrative tasks.<\/p>\n\n\n\n
              Exploring Advanced Techniques<\/strong><\/h3>\n\n\n\n
              Other methods include:<\/p>\n\n\n\n
                \n
              • CredSSP (Credential Security Support Provider):<\/strong>\u00a0Enables delegation of credentials but requires explicit configuration.<\/li>\n\n\n\n
              • Port Forwarding or Proxying:<\/strong>\u00a0Routes traffic through intermediate hosts without requiring multi-hop authentication.<\/li>\n\n\n\n
              • Unconstrained Delegation:<\/strong>\u00a0While effective, it poses significant security risks and should be avoided unless absolutely necessary.<\/li>\n<\/ul>\n\n\n\n
                Real-World Analogies<\/strong><\/h2>\n\n\n\n
                Think of Kerberos tickets as event passes:<\/p>\n\n\n\n
                  \n
                • A TGS is like a ticket for one specific concert\u2014it gets you into that venue but nowhere else.<\/li>\n\n\n\n
                • A TGT is akin to a VIP pass\u2014it allows you to request tickets for multiple events without re-verifying your identity each time.<\/li>\n<\/ul>\n\n\n\n
                  The “Double Hop” problem occurs when you forget your VIP pass at home and can’t get into subsequent events after attending the first one.<\/p>\n\n\n\n
                  Statistics That Speak Volumes<\/strong><\/h2>\n\n\n\n
                  According to industry reports:<\/p>\n\n\n\n
                    \n
                  • Over 70% of organisations rely on Active Directory for identity management.<\/li>\n\n\n\n
                  • Misconfigurations like unconstrained delegation were exploited in 60% of AD-related breaches in recent years.<\/li>\n<\/ul>\n\n\n\n
                    These figures underscore the importance of understanding both the limitations and risks associated with Kerberos authentication.<\/p>\n\n\n\n
                    A Balancing Act<\/strong><\/h2>\n\n\n\n
                    The Kerberos “Double Hop” problem exemplifies how security measures can sometimes clash with usability. While workarounds exist, they often involve trade-offs between convenience and security. For IT professionals and penetration testers alike, mastering these techniques is not just about overcoming technical hurdles, it’s about navigating complex environments with precision and foresight.<\/p>\n\n\n\n
                    As we continue to rely on interconnected systems, understanding such nuances will only grow in importance.<\/p>\n","protected":false},"excerpt":{"rendered":"
                    Master Kerberos authentication challenges with proven fixes for multi-hop access in AD environments. Essential for IT security teams.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[166,237,51,234,235,233,52,162,236,211],"class_list":["post-245","post","type-post","status-publish","format-standard","hentry","category-security","tag-active-directory-2","tag-credential-delegation","tag-cybersecurity","tag-double-hop-problem","tag-it-administration","tag-kerberos-authentication","tag-network-security","tag-penetration-testing","tag-powershell-remoting","tag-windows-remote-management"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/comments?post=245"}],"version-history":[{"count":1,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/245\/revisions"}],"predecessor-version":[{"id":246,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/245\/revisions\/246"}],"wp:attachment":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/media?parent=245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/categories?post=245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/tags?post=245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}