klist.exe: Kerberos Ticket Management
klist.exe is a command-line utility included with Windows operating systems that allows users and administrators to view and manage Kerberos tickets. Kerberos is the primary authentication protocol used in Active Directory domains, and understanding how to use klist is crucial for troubleshooting authentication and access issues.
Origin and Purpose
klist.exe is a native Windows component, developed by Microsoft as part of the Kerberos implementation within the operating system. Its primary purposes are to:
- Display cached Kerberos tickets: show the currently held Ticket Granting Tickets (TGTs) and service tickets.
- Purge the Kerberos ticket cache: remove all cached tickets, forcing the client to re-authenticate.
- Troubleshoot Kerberos authentication problems: analyze ticket details to diagnose issues related to domain logins, resource access, and single sign-on (SSO).
- List Kerberos keytabs: show the keytabs present on the local machine and their entries.
- Diagnose Kerberos configuration issues: the ticket details it displays help pinpoint misconfiguration.
Is it a Virus?
No, klist.exe is not a virus. It is a legitimate and essential system file provided by Microsoft. If you find a file named klist.exe located outside of the %SystemRoot%\System32 directory (typically C:\Windows\System32), it might be a malicious imposter. However, the genuine klist.exe in its correct location is safe.
Can it Become a Virus?
klist.exe itself cannot "become" a virus. It is a static executable file. However, as mentioned above, malware could masquerade as klist.exe by using the same filename and placing itself in a different directory. This is why it is important to verify the file's location and, if suspicious, scan it with a reputable antivirus program. Another potential (though less common) risk is that if a vulnerability were discovered in klist.exe, it could theoretically be exploited by malware. However, Microsoft regularly releases security updates to address such vulnerabilities, so keeping your system up to date is crucial.
Usage and Examples
klist.exe is a command-line tool, meaning you interact with it through the Command Prompt (cmd.exe) or PowerShell. Open either of these as an administrator for full functionality (although some commands work without administrator privileges).
Here are some common klist commands and their explanations:
1. klist (or klist tickets)
This is the most basic command. It displays the currently cached Kerberos tickets for the logged-in user.
Output (Example):
Current LogonId is 0:0x3e7
Cached Tickets: (6)
#0> Client: user @ EXAMPLE.COM
Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 2/8/2025 10:00:00 (local)
End Time: 2/8/2025 20:00:00 (local)
Renew Time: 2/15/2025 10:00:00 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: dc1.example.com
#1> Client: user @ EXAMPLE.COM
Server: host/server1.example.com @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 2/8/2025 10:15:00 (local)
End Time: 2/8/2025 20:00:00 (local)
Renew Time: 2/15/2025 10:00:00 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: dc1.example.com
...(other tickets)...
Explanation of Output:
- Client: The user principal name (UPN) of the user who holds the ticket.
- Server: The service principal name (SPN) of the service the ticket grants access to. krbtgt is the Kerberos Key Distribution Center (KDC) itself.
- KerbTicket Encryption Type: The encryption algorithm used for the ticket.
- Ticket Flags: Indicate the properties of the ticket (e.g., forwardable, renewable). Understanding these flags is essential for advanced troubleshooting.
- Start Time, End Time, Renew Time: The validity period of the ticket.
- Session Key Type: The encryption algorithm used for the session key.
- Cache Flags: Indicates whether the ticket is the primary TGT (usually 0x1).
- Kdc Called: The domain controller that issued the ticket.
2. klist tgt
This command displays only the Ticket Granting Ticket (TGT). The TGT is used to obtain service tickets.
3. klist purge
This command purges (deletes) all cached Kerberos tickets for the current user session. This forces the user to re-authenticate to the domain to obtain new tickets. This is often a critical step in troubleshooting Kerberos issues, especially when a user's password has been changed or there are suspected problems with cached credentials. Requires administrator privileges.
After running klist purge, you can confirm with klist that the user has no cached tickets.
4. klist -li <LogonId>
This command displays tickets for a specific logon session. <LogonId> is a hexadecimal value representing a particular logon session (e.g., 0x3e7). You can find the LogonId in the output of the basic klist command. This is useful when multiple users are logged on to the same machine (e.g., via Remote Desktop Services).
5. klist -h or klist help
This shows a short help text describing the parameters that klist.exe accepts.
6. klist keytab
Displays the list of Kerberos keytabs and their entries on the local machine.
Troubleshooting with klist
Here are some common Kerberos troubleshooting scenarios and how klist can help:
- User cannot access a network resource:
  - Run klist to check if the user has a valid service ticket for the resource. If not, try klist purge and then attempt to access the resource again.
  - Check the ticket's End Time to ensure it hasn't expired.
  - Examine the Ticket Flags to see if there are any restrictions preventing access.
  - Check the Server field to make sure the user holds a ticket for the right service.
- "Clock skew" errors: Kerberos is very sensitive to time differences between the client and the server. If the clocks are out of sync by more than a few minutes (typically 5 minutes by default), authentication will fail. klist can help you see the time the ticket was issued, which can help identify a time synchronization problem.
- Password change issues: If a user changes their password and continues to have problems, klist purge is often the first step to ensure they are using the new credentials.
- Delegation problems: Kerberos delegation allows a service to act on behalf of a user to access other resources. klist can show you if the necessary delegation flags are present on the service ticket.
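The following Python script, an added example that is not part of the original page, automates the checks above against captured klist output: it parses each cached ticket, decodes the Ticket Flags word bit by bit (the RFC 4120 flag positions), and reports expired tickets, a start time that points to clock skew, and RC4/DES encryption types. The sample text is constructed from the listing earlier in the section, with the second ticket changed to an RC4 service ticket so the encryption check has something to report; the M/D/YYYY time format is assumed.

```python
"""Parse Windows klist output and run the checks from the troubleshooting
list above. Added example, not part of the original page; the sample output
is constructed from the listing above, with the second ticket changed to an
RC4 service ticket so the weak-encryption check has something to report."""
import re
from datetime import datetime, timedelta

# RFC 4120 numbers ticket-flag bit 0 as the most significant bit of the
# 32-bit word klist prints, so bit n has the value 1 << (31 - n).
TICKET_FLAGS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
                5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
                9: "initial", 10: "pre_authent", 11: "hw_authent",
                12: "transited_policy_checked", 13: "ok_as_delegate",
                14: "anonymous", 15: "name_canonicalize"}
WEAK_ETYPES = ("RC4", "DES")          # families a hardening review flags
SKEW = timedelta(minutes=5)           # default tolerance mentioned above

SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7
Cached Tickets: (2)
#0>     Client: user @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/8/2025 10:00:00 (local)
        End Time:   2/8/2025 20:00:00 (local)
        Renew Time: 2/15/2025 10:00:00 (local)
#1>     Client: user @ EXAMPLE.COM
        Server: cifs/fileserver.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RC4-HMAC(NT)
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 2/8/2025 10:15:00 (local)
        End Time:   2/8/2025 20:00:00 (local)
        Renew Time: 2/15/2025 10:00:00 (local)
"""

def decode_flags(word):
    """Names of the flags set in a 'Ticket Flags' word such as 0x40e10000."""
    return [name for bit, name in TICKET_FLAGS.items() if word & (1 << (31 - bit))]

def parse_time(text):
    """klist prints M/D/YYYY H:MM:SS (local) in the user's locale; US order assumed."""
    return datetime.strptime(text.strip(), "%m/%d/%Y %H:%M:%S")

def parse_klist(text):
    """One dict per '#n>' ticket block, keyed by the field names klist prints."""
    tickets, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"#\d+>", line):                # start of a new ticket
            cur = {}
            tickets.append(cur)
            line = line.split(">", 1)[1].strip()
        if cur is None:                             # LogonId / count header
            continue
        m = re.match(r"Ticket Flags\s+(0x[0-9A-Fa-f]+)", line)
        if m:                                       # the one field without ':'
            cur["flags"] = int(m.group(1), 16)
            continue
        key, sep, value = line.partition(":")
        if sep:
            cur[key.strip()] = value.replace("(local)", "").strip()
    return tickets

def check_ticket(t, now):
    """Findings for one ticket: expiry, clock skew and weak encryption type."""
    now = parse_time(now) if isinstance(now, str) else now
    flags, findings = decode_flags(t.get("flags", 0)), []
    if now >= parse_time(t["End Time"]):
        renew = " (renewable until %s)" % t["Renew Time"] if "renewable" in flags else ""
        findings.append("expired" + renew)
    if parse_time(t["Start Time"]) - now > SKEW:
        findings.append("start time is in the future: check clock synchronisation")
    etype = t.get("KerbTicket Encryption Type", "")
    if etype.upper().startswith(WEAK_ETYPES):
        findings.append("weak encryption type: " + etype)
    return findings

def tickets_for(tickets, spn):
    """Service tickets whose Server field starts with the SPN the user needs."""
    return [t for t in tickets if t.get("Server", "").lower().startswith(spn.lower())]
```

Feed it the saved output of klist (or klist -li <LogonId>) instead of SAMPLE_KLIST to review another session's tickets.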
Important Considerations
- Administrator Privileges: While some klist commands work without elevated privileges, klist purge and viewing tickets for other logon sessions require administrator rights.
- Time Synchronization: Kerberos relies on accurate time synchronization. Ensure your client and domain controllers are synchronized with a reliable time source.
- SPN Configuration: Service Principal Names (SPNs) must be correctly configured for Kerberos to function properly. Incorrect SPNs can lead to authentication failures.
- Network Connectivity: The client must be able to communicate with the domain controller (specifically the KDC) to obtain tickets.
klist.exe is a powerful tool for understanding and troubleshooting Kerberos authentication in Windows environments. By mastering its commands and interpreting its output, you can effectively diagnose and resolve a wide range of authentication and access issues.
How to check if Kerberos authentication is enabled in Windows?
To use Kerberos authentication, you must make sure that all the following conditions are true:
- Both the server and the client computers must be members of the same Windows domain or members of trusted domains.
- The server’s service principal name (SPN) must be registered in the Active Directory directory service.
How do I check my Kerberos authentication?
To determine whether a problem is occurring with Kerberos authentication, check the System event log for errors from any services (such as Kerberos, kdc, LsaSrv, or Netlogon) on the client, target server, or domain controller that provide authentication.
Which command is used to check the Kerberos ticket?
The klist command displays the contents of a Kerberos credentials cache or key table.
How do I get my Kerberos tickets?
If PAM is configured properly, a ticket is created automatically when you log in, and you need not do anything special to obtain a ticket. However, you might need to create a ticket if your ticket expires.
Where are Kerberos settings?
On the domain controller machine, go to Active Directory Users and Computers, locate the account of the machine that you want to configure Kerberos to. In the Properties section, go to the Delegation tab and select Trust this computer for delegation to specified services only and click Add.
How do I refresh Kerberos ticket windows?
When the ticket expires you can no longer read or write to Kerberos authenticated directories like your home directory or research share. If this happens, you can just run “kinit”. It will prompt you for your password, and you’ll get a new ticket valid for the next 9 hours.
Where is my Kerberos ticket stored?
Whenever you go to a service that uses Kerberos, you show that master ticket to the Kerberos server and get a ticket specifically for that service. Then, you show the ticket just for that service to the service to prove who you are. All of those tickets are stored on your local system in what is called a ticket cache.
Where is Kerberos installed Windows?
Settings for Kerberos are specified through a configuration file. You can set up the configuration file as an .ini file in the default location, which is the C:\ProgramData\MIT\Kerberos5 directory.
What is Kerberos authentication in Windows?
Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users’ identities.
Is Windows authentication the same as Kerberos?
The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user. Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.
What tool to test Kerberos?
Klist.exe—Kerberos List is a command-line tool available in the resource kit. Use it to view and delete Kerberos tickets granted to the current logon session. To use Kerberos List to view tickets, you must run the tool on a computer that’s a member of a Kerberos realm.
Does Windows still use Kerberos?
Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet. Kerberos support is built in to all major computer operating systems, including Microsoft Windows, Apple macOS, FreeBSD and Linux.
How do I troubleshoot Kerberos authentication?
So, how can we reproduce the problem?
- Get a command prompt as the “SYSTEM” and attempt to access the remote system. …
- Start the network capture utility.
- Clear all name resolution cache as well as all cached Kerberos tickets. …
- Now you need to run a command that will require authentication to the target server.
How can I check my Windows authentication?
On the taskbar, click Start, and then click Control Panel. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off. Expand Internet Information Services, then World Wide Web Services, then Security. Select Windows Authentication, and then click OK.
Is Kerberos in Active Directory?
Kerberos is used in Active Directory to provide information about the privileges of each user, however it does not perform authorization. It is the responsibility of each service to determine if the user has access to its resources and Kerberos does not validate which resource or service a user can access.
How do I open Kerberos configuration manager?
To view a server’s Kerberos configuration information from the saved file: Select Load.
…
To generate the SPN List from the command line:
- Go to the command line. Note. …
- Switch to the folder that contains KerberosConfigMgr.exe.
- Enter KerberosConfigMgr.exe -q -l .
- For more command-line options, type KerberosConfigMgr.exe -h .
How do I know if my Kerberos ticket is expired?
Resolution
- Connect to the master node using SSH.
- To confirm that the ticket is expired, run the klist command. …
- To confirm the Kerberos principal name, list the contents of the keytab file: …
- To renew the Kerberos ticket, run kinit and specify both the keytab file and the principal: …
- Confirm that the credentials are cached:
How do I clear Kerberos ticket cache?
Deleting Kerberos tickets from the cache
- In the search field, enter Kerberos Tickets .
- From the search results, click Kerberos Tickets.
- From the list of Kerberos tickets, select the Kerberos ticket to delete.
- Click Delete.
What port does Kerberos run on?
Kerberos clients need to send UDP and TCP packets on port 88 and receive replies from the Kerberos servers.
Does Windows use LDAP or Kerberos?
As mentioned before, the Windows Active Directory supports both Kerberos and LDAP; these can be used one at a time or simultaneously as well. By default, Windows uses Kerberos for authentication purposes.
What port uses Kerberos?
Ports 88 and 464 are the standard ports for Kerberos authentication. These ports are configurable. Port 464 is only required for password change operations. Ports 88 and 464 can use either the TCP or UDP protocol depending on the packet size and your Kerberos configuration, see Section 2.2.
How do I monitor Kerberos?
In the Select Monitor menu, click Kerberos 5.
…
Under Test Parameters, enter the monitor testing parameters.
- Enter the IP address or domain name of the resource you want to monitor.
- Enter the UDP port number that the targeted resource responds on. …
- Enter the account realm for the monitored authentication service.
What is Kerberos command?
Kerberos database administration GUI program, which is used to manage principals and policies. /usr/sbin/gsscred. Manage gsscred table entries. /usr/sbin/kadmin. Remote Kerberos database administration program (run with Kerberos authentication), which is used to manage principals, policies, and keytab files.
How do I enable Kerberos in Active Directory?
Configuring Kerberos authentication with Active Directory
- Enter the user’s First name and User logon name.
- Specify the Password and confirm the password. Select the User cannot change password and Password never expires check boxes.
- Verify that you have not selected the Require preauthentication check box.
About
The klist utility displays the entries (tickets, keys) in the local credentials cache and key table.
Java
Usage: klist [[-c] [-f] [-e] [-a [-n]]] [-k [-t] [-K]] [name]
name name of credentials cache or keytab with the prefix. File-based cache or keytab's prefix is FILE:.
-c specifies that credential cache is to be listed
-k specifies that key tab is to be listed
options for credentials caches:
-f shows credentials flags
-e shows the encryption type
-a shows addresses
-n do not reverse-resolve addresses
options for keytabs:
-t shows keytab entry timestamps
-K shows keytab entry key value
-e shows keytab entry key type
Usage: java sun.security.krb5.tools.Klist -help for help.
MIT Kerberos
Usage: klist [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
-c specifies credentials cache
-k specifies keytab
(Default is credentials cache)
-i uses default client keytab if no name given
-l lists credential caches in collection
-A shows content of all credential caches
-e shows the encryption type
-V shows the Kerberos version and exits
options for credential caches:
-d shows the submitted authorization data types
-f shows credentials flags
-s sets exit status based on valid tgt existence
-a displays the address list
-n do not reverse-resolve
options for keytabs:
-t shows keytab entry timestamps
-K shows keytab entry keys
Windows
C:\Windows\System32\klist.exe
Usage: klist.exe [command]
Command list:
[tickets] [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
tgt [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
purge [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
sessions [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
kcd_cache [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
get <SPN> [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
[-kdcoptions <options>] [-cacheoptions <options>]
add_bind <DOMAIN> <DC>
query_bind
purge_bind
Reference: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist
Example
klist -f
Credentials cache: C:\Users\gerard\krb5cc_gerard
Default principal: [email protected], 1 entry found.
[1] Service Principal: krbtgt/[email protected]
Valid starting: Jul 10, 2014 10:11:40
Expires: Jul 10, 2014 20:11:40
Flags: INITIAL;PRE-AUTHENT
where the default principal is your Kerberos principal and the Flags column is decoded as follows:

| Flag | Description |
|---|---|
| F | Forwardable |
| f | forwarded |
| P | Proxiable |
| p | proxy |
| D | postDateable |
| d | postdated |
| R | Renewable |
| I | Initial |
| i | invalid |
| H | Hardware authenticated |
| A | preAuthenticated |
| T | Transit policy checked |
| O | Okay as delegate |
| a | anonymous |
What is Kerberos?
Kerberos is an authentication protocol. It is designed for client-server applications and requires mutual verification. It is the default protocol used for logging into a Windows machine that is part of a domain, and it relies on a secure communication channel between the client and the Domain Controller (DC). Windows updates address security concerns such as vulnerabilities in this channel, ensuring that the user database stored on the DC is protected.
Active Directory (AD) is a component running on the DC that implements the Kerberos account database (containing users and passwords). Kerberos messages are resilient against eavesdropping and replay attacks.
It is important to use the Kerberos protocol wherever possible. Since some operations still need to use NTLM, Microsoft has not yet disabled it. The main challenge is finding where you can shift to Kerberos. This hardening task ensures your attack surface is as small as possible. The best approach for this task is using automation. By automating the hardening process and securing your servers you won't be risking production outages.
Kerberos Ticket and Authentication Explained
It works on the basis of tickets and relies on symmetric-key cryptography to ensure secure communication. Here’s a detailed explanation of how Kerberos authentication works.
Principals and Key Distribution Center (KDC)
In Kerberos, each entity (user or service) is known as a principal. The Key Distribution Center (KDC) acts as a trusted third party responsible for authenticating principals and issuing tickets.
The KDC consists of two main components:
- Authentication Server (AS)
- Ticket Granting Server (TGS)
The AS handles initial authentication requests and issues Ticket Granting Tickets (TGTs), while the TGS provides service tickets for accessing specific services.
Ticket Granting Ticket (TGT)
When a client wants to access a service, it first obtains a TGT from the AS. The TGT is a credential that allows the client to request service tickets without repeatedly authenticating with the AS.
Authentication Process
The authentication process begins when a client sends a request to the AS for authentication. This request typically includes the client’s identity and a request for a TGT. The AS verifies the client’s identity, usually by checking the client’s credentials (e.g., password), and if successful, issues a TGT encrypted with the client’s secret key. The client receives the TGT and stores it securely.
Service Ticket Request
When the client needs to access a specific service, it sends a request to the TGS, presenting the TGT obtained in the previous step. The request includes the desired service’s identifier (typically a service principal name) and a timestamp to prevent replay attacks.
Service Ticket Issuance
The TGS verifies the TGT presented by the client. If valid, the TGS issues a Service Ticket (ST) for the requested service. The TGS generates the ST by encrypting it with the service’s secret key, ensuring only the intended service can decrypt and validate the ticket.
Service Authentication
The client presents the ST to the desired service. The service decrypts the ST using its own secret key and verifies the client’s identity and authorization to access the service. If authentication is successful, the service grants access to the client, establishing a secure session for communication.
Session Establishment
Once authentication is successful, the client and service establish a secure session, allowing encrypted communication, often using keys derived from the exchanged tickets.
Ticket Expiration and Renewal
Tickets issued by the KDC have a limited validity period. Clients need to renew their tickets periodically to continue accessing services without re-authenticating.
Overall, Kerberos authentication provides a robust and secure method for authenticating clients and servers in a networked environment, ensuring that only authorized entities can access protected resources. It employs cryptographic techniques and ticket-based authorization to prevent unauthorized access and protect sensitive information.
What happens inside the KDC?
The KDC includes two servers:
1. An Authentication Server (AS).
2. A Ticket Granting Server (TGS).
When a client wants to verify itself to the KDC, it first connects to the AS. It presents its User ID to the AS and requests a ticket for the targeted server. This request is partially encrypted with the secret key derived from its password (so that a plain password is not sent over an insecure network). The AS uses the client's password to decrypt the request. This is how the AS verifies the user.
After verifying the client, the AS sends the client a Ticket Granting Ticket (TGT). The TGT is encrypted with a different secret key.
After the client receives the TGT, it sends it to the TGS along with its request to access the target server. When the TGS receives the TGT, it decrypts it with a secret key that it shares with the AS. The TGS issues a token for the client, which it encrypts with another key. This third key is shared between the TGS and the targeted server.
Finally, the client sends the token to the targeted server. The targeted server decrypts the token with the key it shares with the TGS. Now the client can use the targeted server for a limited time (which is set by the token).
The Kerberos authentication process uses three different secret keys:
1. The first key, between the client and the AS, is based on the client's password.
2. The AS and the TGS share another secret key.
3. The TGS and the targeted server share the third key.
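The exchanges described in the two sections above, worked through as an added example (not from the page or any Kerberos implementation): each party holds exactly one of the three keys, the AS verifies the password through the encrypted pre-authentication timestamp, the TGT opens only with the krbtgt key, the service ticket only with the service key, and the service keeps a replay cache for authenticators. The seal/unseal pair is a stand-in for a Kerberos encryption type built from the standard library (SHA-256 keystream plus HMAC tag); names, keys and times are constructed.

```python
"""Toy walk-through of the AS, TGS and AP exchanges with the three keys
described above. Added example, not from the page. seal/unseal stand in
for a Kerberos encryption type (SHA-256 keystream + HMAC tag, standard
library only); names, keys and times are constructed."""
import hashlib, hmac, json, os

SKEW = 300      # seconds of tolerated clock difference (the 5 minutes above)
CLIENT = "user@EXAMPLE.COM"
# The three long-term secrets: client key (derived from the password),
# krbtgt key shared by AS and TGS, and the target service's key.
K_CLIENT = hashlib.sha256(b"correct horse battery").digest()
K_KRBTGT = os.urandom(32)
K_SERVICE = os.urandom(32)

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON dict; returns hex so it can nest inside another dict."""
    nonce, data = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    body = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return (nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()).hex()

def unseal(key, blob):
    """Check the tag first; a wrong key or an altered ticket raises ValueError."""
    raw = bytes.fromhex(blob)
    nonce, body, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body)))))

def _fresh(auth, ticket, now):
    return (auth["client"] == ticket["client"] and abs(auth["time"] - now) <= SKEW
            and now <= ticket["end"])

def as_exchange(client, preauth, now, lifetime=36000):
    """AS: the pre-auth timestamp only opens with the right password (key 1);
    reply = session key for the client + TGT sealed under the krbtgt key (key 2)."""
    if abs(unseal(K_CLIENT, preauth)["time"] - now) > SKEW:
        raise ValueError("pre-authentication failed")
    sk = os.urandom(32).hex()
    tgt = seal(K_KRBTGT, {"client": client, "key": sk, "end": now + lifetime})
    return seal(K_CLIENT, {"key": sk, "tgt": tgt})

def tgs_exchange(tgt, authenticator, spn, now):
    """TGS: opens the TGT with key 2, checks the authenticator under the session
    key, then issues a service ticket sealed under the service's key (key 3)."""
    t = unseal(K_KRBTGT, tgt)
    sk = bytes.fromhex(t["key"])
    if not _fresh(unseal(sk, authenticator), t, now):
        raise ValueError("TGT expired, client mismatch or clock skew")
    ssk = os.urandom(32).hex()
    st = seal(K_SERVICE, {"client": t["client"], "key": ssk, "end": t["end"], "spn": spn})
    return seal(sk, {"key": ssk, "st": st})

def ap_exchange(st, authenticator, now, seen):
    """Service: opens the ST with key 3; the authenticator must be fresh and
    not previously seen (replay cache) before the client's name is trusted."""
    t = unseal(K_SERVICE, st)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if not _fresh(auth, t, now):
        raise ValueError("service ticket rejected")
    if (auth["client"], auth["time"]) in seen:
        raise ValueError("replayed authenticator")
    seen.add((auth["client"], auth["time"]))
    return t["client"], t["spn"]

def login_and_access(password, spn, now, seen=None):
    """Client side of all three exchanges; returns (client, spn) the service accepted."""
    k_client = hashlib.sha256(password.encode()).digest()
    rep = unseal(k_client, as_exchange(CLIENT, seal(k_client, {"time": now}), now))
    sk = bytes.fromhex(rep["key"])
    tgs_rep = unseal(sk, tgs_exchange(rep["tgt"], seal(sk, {"client": CLIENT, "time": now}), spn, now))
    ssk = bytes.fromhex(tgs_rep["key"])
    auth = seal(ssk, {"client": CLIENT, "time": now})
    return ap_exchange(tgs_rep["st"], auth, now, set() if seen is None else seen)

def attempt(password, spn, now, seen=None):
    """Run the flow and return the result or the rejection reason."""
    try:
        return login_and_access(password, spn, now, seen)
    except ValueError as e:
        return str(e)
```

Passing the same replay cache to two attempts with an identical timestamp shows the second authenticator being refused, and a wrong password fails already at the AS without any ticket being issued.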
Kerberos Tickets
As mentioned in the previous section, the client requests and is granted a ticket. This method is common and used in other programs such as Secure Shell (SSH).
How to check and delete Kerberos tickets:
To view or delete Kerberos tickets you can use the Kerberos List (Klist.exe). The Klist.exe is a command-line tool you can find in the Kerberos resource kit. You can only use it to check and delete tickets from the current logon session.
If you wish to use it your computer must be a member of a Kerberos realm. The Klist.exe uses the following syntax:
klist [tickets | tgt | purge] [-?]
We recommend destroying your Kerberos tickets after your use. To do that, you can add the kdestroy command to your .logout file.
How to create a Kerberos ticket
Some scenarios may require you to create a new ticket, for example when your ticket expires. To create a ticket using the kinit command:
% /usr/bin/kinit
Kerberos Attacks
Kerberos was aiming to present a more secure alternative to other authentication protocols. But due to its popularity, hackers have developed ways to crack it. Here are three iconic Kerberos vulnerabilities:
1.) Kerberos Golden Ticket attack:
Kerberos Golden Ticket is the authentication token for the KRBTGT account. The KRBTGT is a hidden account responsible for encrypting all the authentication tokens for the DC. The Golden Ticket forges the TGT. An attacker can use this Golden Ticket with a Pass-the-Hash attack to move around the network.
2.) Kerberos Silver Ticket Attack:
Silver Tickets are services that forge the Kerberos Ticket Granting Services. That means that they have no communication with the DC. The Silver Ticket’s scope is limited to the specific service it is targeting on a specific server. Although its scope is smaller than the Golden Ticket, the Silver Ticket attack is still powerful. It enables persistence and stealthy access to resources.
3.) DCShadow attack:
This attack uses a feature in Mimikatz to simulate DC behavior. This allows the attacker to inject its own data. The attacker first has to hack into an account with DC credentials to push the data. It is very hard to detect this kind of attack.
Kerberos Hardening Configuration
To minimize Kerberos attack surface there are several baseline hardening actions that you should take:
1. Make sure you use efficient encryption
2. Audit Authentication Service
3. Audit Service Ticket Operations
4. Ensure ‘Support device authentication using certificate’ is set to ‘Enabled: Automatic’
To make sure you don’t miss anything, we recommend using hardening automation when securing Kerberos configurations. Using server hardening automation can help you lower the risk for attacks. CalCom Hardening Suite is the perfect tool for this job.
Overview
You will need to get Tickets (called Kerberos credentials in previous versions of KfW) before you can use applications requiring Kerberos authentication. The MIT installation of KfW 4.0.x is pre-configured with ATHENA.MIT.EDU as the default Kerberos realm.
Get New Kerberos Tickets (Basic)
Delete Tickets
Get New Kerberos Tickets (Advanced)
To view additional settings when acquiring a ticket, click the "Show Advanced" button on the Initialize Ticket window. Changing these settings will adjust the acquisition of a ticket, but will not affect any existing tickets. The Advanced Settings revert to the default settings each time Kerberos for Windows is started.
Adjusting Ticket Lifetime
Allowing and Adjusting Ticket Renewal