Ticket Granting Ticket (TGT)
What is a Ticket Granting Ticket (TGT)?
In the Kerberos authentication protocol, a Ticket Granting Ticket (TGT) is a special type of ticket that allows a client to obtain additional tickets for accessing various services without needing to re-enter their credentials. The TGT is issued by the Key Distribution Center (KDC) and plays a crucial role in the Kerberos authentication process.
How TGT Works
- Initial Authentication: When a user logs in, their client sends an authentication request to the KDC's Authentication Server (AS) with their credentials.
- TGT Issuance: If the credentials are valid, the AS issues a TGT, which is encrypted with the KDC's secret key. This TGT includes the user's identity and an expiration time.
- Service Requests: The client uses the TGT to request service tickets from the Ticket Granting Server (TGS) for accessing specific services.
- Service Ticket Issuance: The TGS verifies the TGT and issues a service ticket, allowing the client to access the requested service.
Structure of a TGT
A TGT contains several important pieces of information, including:
- Client Principal: The identity of the user or service that requested the TGT.
- Session Key: A symmetric key used to encrypt communications between the client and the KDC.
- Timestamp: The time at which the TGT was issued.
- Lifetime: The validity period of the TGT. After this period, the TGT expires, and the client must request a new one.
- Flags: Various flags indicating properties and options of the TGT, such as whether it is forwardable or renewable.
```
describeTicket Administrator.ticket
Impacket for Exegol - v0.10.1.dev1+20240403.124027.3e5f85b - Copyright 2022 Fortra - forked by ThePorgs
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : edd399914c4a9c46f87eb744ab5f4a0660976204425de400ba9a7cb132e91a38
[*] User Name : Administrator
[*] User Realm : RED.LAB
[*] Service Name : krbtgt/RED.LAB
[*] Service Realm : RED.LAB
[*] Start Time : 18/07/2024 15:38:14 PM
[*] End Time : 19/07/2024 01:38:14 AM
[*] RenewTill : 19/07/2024 15:38:10 PM
[*] Flags : (0x50e10000) forwardable, proxiable, renewable, initial, pre_authent, enc_pa_rep
[*] KeyType : aes256_cts_hmac_sha1_96
[*] Base64(key) : 7dOZkUxKnEa4fedErl9KCmCXYgRCXeQAvZp8tTPpGjg=
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : krbtgt/RED.LAB
[*] Service Realm : RED.LAB
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied
```

TGT Renewal and Forwarding
Renewal
A TGT can be renewable, meaning it can be extended beyond its initial lifetime without requiring the user to re-enter their credentials. To renew a TGT, the client sends a renewal request to the KDC before the TGT expires.
```
kinit -R
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@RED.LAB
Valid starting Expires Service principal
07/18/2024 15:47:30 07/19/2024 01:47:30 krbtgt/RED.LAB@RED.LAB
renew until 07/19/2024 15:38:10
```

Forwarding
A forwardable TGT can be used to request a new TGT for a different device, allowing the user to maintain their identity and session across multiple systems. This is particularly useful in environments where single sign-on (SSO) is implemented.
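The flags value and the three times in the describeTicket output above carry the forwardable and renewable properties discussed here. The following is an added example, not part of the original page or of Impacket: it decodes the 32-bit flags field and derives the ticket lifetime and renewal window. The function names `decode_flags`, `parse_time` and `summarize` are hypothetical, and the bit positions are taken from RFC 4120 and RFC 6806.

```python
import re
from datetime import datetime

# TicketFlags bit positions; bit 0 is the most significant bit of the 32-bit field.
# Bits 1-13 come from RFC 4120, bit 15 (enc-pa-rep) from RFC 6806.
TICKET_FLAGS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate", 15: "enc_pa_rep",
}

# Lines copied from the describeTicket output shown on this page.
SAMPLE = """\
[*] Start Time : 18/07/2024 15:38:14 PM
[*] End Time : 19/07/2024 01:38:14 AM
[*] RenewTill : 19/07/2024 15:38:10 PM
[*] Flags : (0x50e10000) forwardable, proxiable, renewable, initial, pre_authent, enc_pa_rep
"""

def decode_flags(value):
    """Return the names of the flags set in a 32-bit TicketFlags value."""
    return [name for bit, name in sorted(TICKET_FLAGS.items())
            if value & (1 << (31 - bit))]

def parse_time(text):
    # The tool prints a 24-hour clock followed by an AM/PM token; drop the token.
    return datetime.strptime(" ".join(text.split()[:2]), "%d/%m/%Y %H:%M:%S")

def summarize(output):
    """Extract flags, lifetime and renewal window from describeTicket-style output."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\[\*\]\s+(.+?)\s+:\s+(.*)", line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())  # keep first occurrence
    start = parse_time(fields["Start Time"])
    flags = decode_flags(int(re.search(r"0x([0-9a-fA-F]+)", fields["Flags"]).group(1), 16))
    return {
        "flags": flags,
        "lifetime": parse_time(fields["End Time"]) - start,
        "renew_window": parse_time(fields["RenewTill"]) - start,
        "renewable": "renewable" in flags,
        "forwardable": "forwardable" in flags,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

For the ticket shown on this page, the decoded flag names match the list the tool printed, the lifetime is 10 hours, and the renewal window ends just under 24 hours after the start time.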
