kerberos - EvanMcBroom/lsa-whisperer GitHub Wiki
The kerberos authentication package (AP) supports domain logons. It is also the security package (SP) for Microsoft Kerberos v1.0 authentication on a network. As of NT 10.0.26100 (Windows 11 24H2 / Windows Server 2025), the AP also implements a local KDC so that remote authentication with local user accounts can use Kerberos.
Functions
- AddBindingCacheEntry
- AddBindingCacheEntryEx
- AddExtraCredentials
- AddExtraCredentialsEx
- ChangeMachinePassword
- ChangePassword
- CleanupMachinePkinitCreds
- DebugRequest
- DecryptData
- PinKdc
- NetworkTicketLogon
- PrintCloudKerberosDebug
- NlChangeMachinePassword
- PurgeBindingCache
- PurgeKdcProxyCache
- PurgeTicketCache
- PurgeTicketCacheEx
- QueryBindingCache
- QueryDomainExtendedPolicies
- QueryKdcProxyCache
- QuerySupplementalCredentials
- QueryTicketCache
- QueryTicketCacheEx
- QueryTicketCacheEx2
- QueryTicketCacheEx3
- QueryS4U2ProxyCache
- RefreshPolicy
- RefreshSmartcardCredentials
- RetrieveEncodedTicket
- RetrieveKeyTab
- RetrieveTicket
- SetPassword
- SetPasswordEx
- SubmitTicket
- TransferCredentials
- UpdateAddresses
- VerifyCredentials
- VerifyPac
- UnpinAllKdcs
The protocol messages that kerberos supports are only partially documented on MSDN[1], and some of the documented message IDs are incorrect. The full and correct list of messages that kerberos supports is provided here:
| Id | Message Type | CLI Support | NT Version | Internal Function |
|---|---|---|---|---|
| | | ➖ | | |
| | | ✔️ | | |
| | | ❌ | | |
| | | Planned | | |
| | | ✔️ | | |
| | | ❌ | | |
| | | ✔️ | | |
| | | | | |
| | | ✔️ | | |
| | | ➖ | | |
| | | ✔️ | | |
| | | | | |
| | | | | |
| | | ❌ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | | | |
| | | ✔️ | | |
| | | ❌ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | | | |
| | | Planned | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | ✔️ | | |
| | | ➖ | | ? |
| | | ✔️ | | |
| | | ➖ | | ? |
| | | ✔️ | | |

(Only the CLI Support column and two Internal Function cells of this table survived extraction; the Id, Message Type and NT Version cells are empty.)
The internal function for each message type is located in kerberos.dll. The DebugRequest and DecryptData messages and their internal functions are only available in debug builds of kerberos.dll. The RefreshPolicy message is also not available in release builds of kerberos.dll, likely for the same reason, but this could not be confirmed.
AddBindingCacheEntry
Add an entry to the binding cache for the machine.
kerberos AddBindingCacheEntry --domain-name {name} --dc-address {Inet or NetBIOS address}
AddBindingCacheEntryEx
Add an entry to the binding cache for the machine, optionally tagged with DC flags. The dc-flags value may be any combination of the DC types described by the DS_* macros in DsGetDC.h (e.g., 1 for DS_PDC_FLAG).
kerberos AddBindingCacheEntryEx --domain-name {name} --dc-address {Inet or NetBIOS address} [--dc-flags {value}]
AddExtraCredentials
Documented in NTSecApi.h as adding "server credentials" to a given logon session; only applicable during AcceptSecurityContext, and requiring SeTcbPrivilege to alter "other" credentials. Specifically, during AcceptSecurityContext for Kerberos an AP-REQ is validated and decrypted, and Kerberos will try any supplied extra credentials in addition to the logon session's primary credentials when decrypting the AP-REQ. The command allows a user to add, replace, or remove the additional credential. The password is not required when removing a credential.
kerberos AddExtraCredentials --domain-name {name} --user-name {name} --password {password} [--replace-cred | --remove-cred]
AddExtraCredentialsEx
Behaves the same as the AddExtraCredentials command but allows a user to add a list of "principal names" to the credential.
ChangeMachinePassword
The command notifies Kerberos that the password for the machine has changed. The command will use client supplied pointers to reference LSASS's own memory without checking if the client is LSASS itself. A client is intended to allocate and reference valid memory in LSASS's own process for the command to succeed. As such, the command is not currently planned for inclusion in the project.
ChangePassword
Changes a user's password in a Windows domain or configured non-Windows Kerberos realm that supports the Kerberos Password Change Protocol. The caller must know the user's current password to change it.
CleanupMachinePkinitCreds
Purge any PKINIT device credentials from the current machine. SeTcbPrivilege is required and the luid must be either 996 (NETWORKSERVICE_LUID) or 999 (SYSTEM_LUID).
kerberos CleanupMachinePkinitCreds [--luid {session id}]
DebugRequest
The DebugRequest command is not included with release builds of Windows. The command originally allowed users to issue a breakpoint for a kernel debugger, gather statistics about the kerberos ticket cache, and generate a token for the Administrator user. Current debug builds of Windows may support additional debug requests.
DecryptData
The DecryptData command is not included with release builds of Windows. The original command allowed users to decrypt a buffer with either a specified key or the primary key of a logon session.
PinKdc
Pin a KDC as described by James Forshaw and Nick Landers. The command cannot be called from WOW64 clients. The dc-flags value may be any combination of the DC types described by the DS_* macros in DsGetDC.h (e.g., 1 for DS_PDC_FLAG).
kerberos PinKdc --domain-name {name} --dc-name {name} [--dc-flags {value}]
PrintCloudKerberosDebug
Get cloud kerberos configuration information.
kerberos PrintCloudKerberosDebug
NlChangeMachinePassword
Creates a machine password bound by Credential Guard, then changes the password on the KDC machine account, in the password cache (e.g., the registry), and in the logon credentials if applicable.
kerberos NlChangeMachinePassword [--impersonating]
PurgeBindingCache
Remove all binding cache entries for the machine. SeTcbPrivilege is required.
kerberos PurgeBindingCache
PurgeKdcProxyCache
The PurgeKdcProxyCache command has not been fully tested, but should remove cached KDC proxy tickets. SeTcbPrivilege is required to specify another logon session.
kerberos PurgeKdcProxyCache [--luid {session id}]
PurgeTicketCache
Purge tickets in the ticket cache for a logon session. A server name and realm may be used to filter which tickets are purged; both must be specified for the filter to apply. If the pair is not specified then all tickets are purged. SeTcbPrivilege is required to specify another logon session.
kerberos PurgeTicketCache [--luid {session id}] [--server-name {name} --server-realm {name}]
PurgeTicketCacheEx
Functions the same as PurgeTicketCache but additionally allows you to filter tickets by client name and realm (again, both must be specified for the filter to apply). The command also allows you to explicitly purge all tickets, in which case every ticket filter is ignored.
kerberos PurgeTicketCacheEx [--luid {session id}] [--all] [--client-name {name} --client-realm {name}] [--server-name {name} --server-realm {name}]
QueryBindingCache
Get information about the binding cache for the machine. SeTcbPrivilege is required.
kerberos QueryBindingCache
QueryDomainExtendedPolicies
Get the extended policy information for a domain.
kerberos QueryDomainExtendedPolicies --domain-name {name}
QueryKdcProxyCache
The QueryKdcProxyCache command has not been fully tested, but should provide information about cached KDC proxy tickets. SeTcbPrivilege is required to specify another logon session.
kerberos QueryKdcProxyCache [--luid {session id}]
QuerySupplementalCredentials
Get the TGT and password information for a credential manager blob. The command checks whether the client is LSASS itself. As such, the command is not currently planned for inclusion in the project.
QueryTicketCache
Show the server name, realm name, start time, end time, renew time, encryption type, and flags for each ticket in the ticket cache for the current logon session. SeTcbPrivilege is required to specify another logon session.
kerberos QueryTicketCache [--luid {session id}]
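How the QueryTicketCache command reaches the kerberos package, shown as an added example that is not lsa-whisperer's own code: it sends KerbQueryTicketCacheMessage (message id 1) through LsaCallAuthenticationPackage and decodes the KERB_QUERY_TKT_CACHE_RESPONSE, whose fields are exactly the server name, realm, start/end/renew times, encryption type and flags the command prints. The struct layouts and constants are taken from NTSecApi.h; the function name Invoke-KerbQueryTicketCache and its -LogonIdLow parameter are this example's own.

```powershell
# Added example (not lsa-whisperer code): query the Kerberos ticket cache of a logon
# session directly via LsaCallAuthenticationPackage. Requires Windows. LUID 0 means the
# caller's own logon session; any other LUID requires SeTcbPrivilege, as the wiki notes.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class LsaKerb {
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    // KERB_QUERY_TKT_CACHE_REQUEST (NTSecApi.h)
    [StructLayout(LayoutKind.Sequential)]
    public struct QueryTktCacheRequest { public int MessageType; public LUID LogonId; }
    // KERB_TICKET_CACHE_INFO (NTSecApi.h): one element of the response's Tickets[] array
    [StructLayout(LayoutKind.Sequential)]
    public struct TicketCacheInfo {
        public UNICODE_STRING ServerName; public UNICODE_STRING RealmName;
        public long StartTime; public long EndTime; public long RenewTime;   // FILETIME-format LARGE_INTEGERs
        public int EncryptionType; public uint TicketFlags;
    }
    public const int KerbQueryTicketCacheMessage = 1;
    [DllImport("secur32.dll")] public static extern int LsaConnectUntrusted(out IntPtr LsaHandle);
    [DllImport("secur32.dll")] public static extern int LsaLookupAuthenticationPackage(IntPtr LsaHandle, ref LSA_STRING PackageName, out uint AuthenticationPackage);
    [DllImport("secur32.dll")] public static extern int LsaCallAuthenticationPackage(IntPtr LsaHandle, uint AuthenticationPackage, IntPtr ProtocolSubmitBuffer, uint SubmitBufferLength, out IntPtr ProtocolReturnBuffer, out uint ReturnBufferLength, out int ProtocolStatus);
    [DllImport("secur32.dll")] public static extern int LsaFreeReturnBuffer(IntPtr Buffer);
    [DllImport("secur32.dll")] public static extern int LsaDeregisterLogonProcess(IntPtr LsaHandle);
    public static string ReadUnicode(UNICODE_STRING s) {
        return s.Buffer == IntPtr.Zero ? "" : Marshal.PtrToStringUni(s.Buffer, s.Length / 2);
    }
}
'@

function Invoke-KerbQueryTicketCache {
    param([uint32]$LogonIdLow = 0)   # low part of the target LUID; 0 = caller's own session
    $M = [System.Runtime.InteropServices.Marshal]
    $toTime = { param($t) if ($t -le 0 -or $t -gt [DateTime]::MaxValue.ToFileTimeUtc()) { $null } else { [DateTime]::FromFileTimeUtc($t) } }
    $lsa = [IntPtr]::Zero
    $status = [LsaKerb]::LsaConnectUntrusted([ref]$lsa)
    if ($status -ne 0) { throw ('LsaConnectUntrusted failed: 0x{0:X8}' -f $status) }
    $resp = [IntPtr]::Zero
    try {
        # Resolve the package id for "Kerberos" (MICROSOFT_KERBEROS_NAME_A), passed as an ANSI LSA_STRING.
        $nameBytes = [System.Text.Encoding]::ASCII.GetBytes('Kerberos')
        $namePtr = $M::AllocHGlobal($nameBytes.Length)
        $M::Copy($nameBytes, 0, $namePtr, $nameBytes.Length)
        $pkgName = New-Object LsaKerb+LSA_STRING
        $pkgName.Length = $nameBytes.Length
        $pkgName.MaximumLength = $nameBytes.Length
        $pkgName.Buffer = $namePtr
        [uint32]$pkgId = 0
        $status = [LsaKerb]::LsaLookupAuthenticationPackage($lsa, [ref]$pkgName, [ref]$pkgId)
        $M::FreeHGlobal($namePtr)
        if ($status -ne 0) { throw ('LsaLookupAuthenticationPackage failed: 0x{0:X8}' -f $status) }

        # Build the submit buffer. LogonId is a nested value type, so it must be assigned whole.
        $req = New-Object LsaKerb+QueryTktCacheRequest
        $req.MessageType = [LsaKerb]::KerbQueryTicketCacheMessage
        $luid = New-Object LsaKerb+LUID
        $luid.LowPart = $LogonIdLow
        $req.LogonId = $luid
        $reqLen = [uint32]$M::SizeOf($req)
        $reqPtr = $M::AllocHGlobal([int]$reqLen)
        $M::StructureToPtr($req, $reqPtr, $false)

        [uint32]$respLen = 0
        [int]$protoStatus = 0
        $status = [LsaKerb]::LsaCallAuthenticationPackage($lsa, $pkgId, $reqPtr, $reqLen, [ref]$resp, [ref]$respLen, [ref]$protoStatus)
        $M::FreeHGlobal($reqPtr)
        # Both the LPC status and the package's own ProtocolStatus must be STATUS_SUCCESS (0).
        if ($status -ne 0 -or $protoStatus -ne 0) {
            throw ('LsaCallAuthenticationPackage failed: status=0x{0:X8} protocolStatus=0x{1:X8}' -f $status, $protoStatus)
        }

        # KERB_QUERY_TKT_CACHE_RESPONSE layout: MessageType (4) | CountOfTickets (4) | Tickets[] from offset 8.
        $count = $M::ReadInt32($resp, 4)
        $infoSize = $M::SizeOf([type][LsaKerb+TicketCacheInfo])
        for ($i = 0; $i -lt $count; $i++) {
            $entry = $M::PtrToStructure([IntPtr]::Add($resp, 8 + $i * $infoSize), [type][LsaKerb+TicketCacheInfo])
            [pscustomobject]@{
                ServerName     = [LsaKerb]::ReadUnicode($entry.ServerName)
                RealmName      = [LsaKerb]::ReadUnicode($entry.RealmName)
                StartTime      = & $toTime $entry.StartTime
                EndTime        = & $toTime $entry.EndTime
                RenewTime      = & $toTime $entry.RenewTime
                EncryptionType = $entry.EncryptionType       # 17 = AES128-CTS, 18 = AES256-CTS, 23 = RC4-HMAC
                TicketFlags    = ('0x{0:X8}' -f $entry.TicketFlags)
            }
        }
    } finally {
        if ($resp -ne [IntPtr]::Zero) { [void][LsaKerb]::LsaFreeReturnBuffer($resp) }
        [void][LsaKerb]::LsaDeregisterLogonProcess($lsa)
    }
}

Invoke-KerbQueryTicketCache | Format-Table -AutoSize
```

The connect/lookup/call/free sequence is the same for every message on this page; only the submit buffer and the response decoding change. Messages whose request embeds UNICODE_STRINGs (for example the target name of RetrieveEncodedTicket) need those strings copied into the same submit buffer with their Buffer pointers fixed up before the call, which this example does not cover.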
QueryTicketCacheEx
Functions the same as QueryTicketCache but additionally returns the client name and realm for each ticket.
kerberos QueryTicketCacheEx [--luid {session id}]
QueryTicketCacheEx2
Functions the same as QueryTicketCacheEx but additionally returns the session key type and branch ID for each ticket.
kerberos QueryTicketCacheEx2 [--luid {session id}]
QueryTicketCacheEx3
Functions the same as QueryTicketCacheEx2 but additionally returns the cache flags and KDC name for each ticket.
kerberos QueryTicketCacheEx3 [--luid {session id}]
QueryS4U2ProxyCache
Get the proxy cache information for a service for user (S4U) logon.
kerberos QueryS4U2ProxyCache [--luid {session id}]
RefreshPolicy
The RefreshPolicy command is not included with release builds of Windows. The use of the command is not currently known.
RefreshSmartcardCredentials
Notifies Kerberos when the smart card credentials need to be updated. Implemented to allow the Winlogon session to refresh credentials as needed on terminal server connects and reconnects.
RetrieveEncodedTicket
Get a ticket either by querying the ticket cache for the current logon session or by requesting the ticket from the current KDC. SeTcbPrivilege is required to specify another logon session. If the requested ticket is a TGT, SeTcbPrivilege is additionally required to get the session key for the TGT. If the TGT was obtained while Credential Guard was active, the returned TGT session key will not be valid, making the TGT unusable.
kerberos RetrieveEncodedTicket --target-name {server name} [--luid {session id}] [--ticket-flags {value}] [--cache-option {value}] [--enc-type {type}]
RetrieveKeyTab
Return the keytab data for a domain user.
kerberos RetrieveKeyTab --domain-name {name} --user-name {name} --password {password}
RetrieveTicket
Get the TGT from the ticket cache of the specified user logon session. SeTcbPrivilege is required to additionally get the session key for the TGT. If the TGT was obtained while Credential Guard was active, the returned TGT session key will not be valid, making the TGT unusable.
kerberos RetrieveTicket --target-name {server name} [--luid {session id}] [--ticket-flags {value}] [--cache-option {value}] [--enc-type {type}]
SetPassword
Changes a user's password in a Windows domain or configured non-Windows Kerberos realm that supports the Kerberos Password Change Protocol. The caller does not need to know the user's current password to change it.
SetPasswordEx
Behaves the same as the SetPassword command but allows a user to specify a client name and realm.
SubmitTicket
Adds a supplied ticket to the ticket cache for the current logon session. SeTcbPrivilege is required to specify another logon session.
TransferCredentials
Transfer data between two kerberos logon sessions. The specific data that is transferred and the privileges that may be required are still being determined. The function only accepts the cleanup-credentials and optimistic-logon flags.
kerberos TransferCredentials --sluid {session id} --dluid {session id} [--cleanup-credentials] [--optimistic-logon]
UpdateAddresses
Updates the IP addresses used by netlogon. The command checks whether the client is LSASS itself. As such, the command is not currently planned for inclusion in the project.
VerifyCredentials
Verify the user name and password for a domain user. The command checks whether the client is LSASS itself. As such, the command is not currently planned for inclusion in the project.
VerifyPac
Verifies that a PAC was signed by a valid KDC. A client is intended to issue the command using a passthrough request to the KDC; it is the only passthrough command that the kerberos package supports.