Windows

Local KDC For Windows – Implementing Kerberos Authentication Without Domain Membership

This is an example program that can run a Kerberos Key Distribution Center (KDC) on a Windows host and have Windows authenticate to that without joining it to a domain. The code in here is a proof of concept and does not cover all use cases.

How It Works

Contrary to popular belief, Windows does not need to be joined to a domain to work with Kerberos authentication.

If provided with enough information it can attempt to locate the KDC and request the TGT and service ticket from it.

For example if someone attempts to access the fileshare \\server\share with the credential user@contoso.com Windows will attempt to find the KDC for the realm contoso.com.

The DC locator process is documented here but I’ve found that either not all the information is shared or is slightly different in real life.

Based on my investigations I’ve found this is what happens.

  • Windows sends a DNS query for the SRV record _kerberos._tcp.dc._msdcs.{realm}
    • {realm} is replaced by the realm in question, for example _kerberos._tcp.dc._msdcs.contoso.com
    • The _ldap._tcp.dc._msdcs.{realm} record is also used by nltest.exe /dsgetdc but SSPI uses _kerberos only in its lookups
    • The LocalKdc.exe program sets both so both scenarios works
  • Windows sends an unauthenticated LDAP search request over UDP to retrieve the domain info
    • This is covered in more details under LDAP Ping
    • The search request filter is in the form of (&(DnsDomain=...)(DnsHostName=...)(Host=...)(NtVer=...))
    • The DnsDomain is the realm being requested
    • The Host is the client’s Netbios hostname
    • The DnsHostName is the client’s DNS hostname
    • The NtVer is a 32-bit integer flags for NETLOGON_NT_VERSION Options
  • The LDAP server replies with a single result with a single attribute called Netlogon containing the domain info

Once validated Windows will then use the host returned by the SRV record as the KDC for Kerberos authentication.

When running a local KDC we have all the tools necessary to configure Windows to use a locally running KDC for Kerberos authentication.

The LocalKdc C# project in this repo runs a DNS, LDAP, and KDC service on localhost and configures the DNS Name Resolution Policy Table (NRPT) to redirect and DNS queries for our realm to the local DNS service.

From there when attempting to authenticate with Kerberos to our realm, Windows will go through the DC locator process with our custom service which just points back to localhost.

The KDC uses Kerberos.NET as the underlying library but any other KDC could theoretically work here.

It should also be possible to edit the code so listening KDC port just tunnel the data to another KDC located elsewhere but that’s outside the scope of this repo.

The DNS NRPT setup is what allows us to point Windows to our local DNS server when querying a custom namespace.

The PowerShell cmdlet Add-DnsClientNrptRule can be used to create these rules manually but this program will do so automatically.

Add-DnsClientNrptRule -Namespace contoso.test, .contoso.test -NameServers 127.0.0.1

For more information click here.

Varshini

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

18 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

18 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

3 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago