Full Report
In this article, I’ll walk you through the basics of Kerberos, how to use Titanis for the different parts, and how to mitigate some problems.

Titanis Setup

I use Titanis tools throughout this article to demonstrate…
Analysis Summary
# Tool/Technique: Titanis Toolset (Focus on Kerberos/Ldap)
## Overview
Titanis is a versatile toolset developed by TrustedSec designed for interacting with Active Directory and Kerberos protocols. It is used by security researchers and penetration testers to perform authentication exchanges, query LDAP, and manipulate Kerberos tickets (TGTs/TGSs) to validate security postures or demonstrate exploitation paths such as PKINIT-based authentication and ticket requests.
## Technical Details
- **Type:** Tool / Framework
- **Platform:** Windows / Linux (cross-platform; configured through environment variables and standard ticket cache files)
- **Capabilities:** Kerberos AS/TGS exchanges, PKINIT authentication, LDAP querying, ticket cache management, and automated parameter handling through environment variables.
- **First Seen:** 2024 (TrustedSec documentation release)
## MITRE ATT&CK Mapping
- **[TA0006 - Credential Access]**
- **[T1558 - Steal or Forge Kerberos Tickets]**
- **[T1558.003 - Kerberoasting]**
- **[T1558.004 - AS-REP Roasting]**
- **[TA0001 - Initial Access]**
- **[T1556.003 - Modify Authentication Process: Built-in Authentication Mechanism]**
- **[TA0007 - Discovery]**
- **[T1087.002 - Account Discovery: Domain Account]**
- **[T1069.002 - Permission Groups Discovery: Domain Groups]**
## Functionality
### Core Capabilities
- **Kerberos Exchange Management:** Facilitates Authentication Server (AS) and Ticket-Granting Service (TGS) exchanges.
- **Identity Profiling:** Supports multiple authentication profiles (Password-based, PKINIT/Certificate-based) using environment variables to reduce manual input.
- **Ticket Interoperability:** Uses the standard `KRB5CCNAME` variable, allowing it to interact with other ticket-handling tools and the local OS ticket cache.
### Advanced Features
- **PKINIT Support:** Allows for modern Kerberos authentication using digital certificates (`.pfx` files) rather than legacy passwords.
- **LDAP Integration:** The `Ldap` tool within the suite allows for querying Active Directory attributes (e.g., `userAccountControl`, `msDS-KeyCredentialLink`) directly related to Kerberos security.
- **Automated Defaulting:** Uses `TITANIS_DEFAULT_*` environment variables to streamline complex command-line operations across different target identities.
## Indicators of Compromise
- **File Names:** `Kerb`, `Ldap` (Titanis binaries), `.ccache` files (the Kerberos credential cache format usually seen on Linux hosts, which Titanis uses for ticket storage).
- **Environment Variables:**
- `TITANIS_DEFAULT_KDC`
- `TITANIS_DEFAULT_USERNAME`
- `TITANIS_DEFAULT_USERCERT`
- `TITANIS_DEFAULT_PASSWORD`
- **Network Indicators:** Traffic typically occurs over port 88 (Kerberos) and ports 389/636 (LDAP/LDAPS) toward Domain Controllers.
- **Behavioral Indicators:** Frequent AS-REQ or TGS-REQ packets coming from an unusual workstation; repeated queries for Service Principal Names (SPNs).
## Associated Threat Actors
- Primarily used by **Red Teams, Penetration Testers, and Security Researchers**.
- While specific APT groups are not listed in the article, the techniques facilitated by Titanis (Kerberoasting, PKINIT manipulation) are common among sophisticated state-sponsored actors and ransomware operators.
## Detection Methods
- **Signature-based detection:** Detection of the Titanis toolset binaries or specific command-line arguments (e.g., `-TicketCache`, `-UserCert`).
- **Behavioral detection:**
- Monitoring for **Event ID 4768** (Authentication Ticket Request) and **Event ID 4769** (Service Ticket Request) for suspicious volume or encryption types (e.g., RC4).
- Monitoring for LDAP searches targeting sensitive attributes like `servicePrincipalName`.
- **YARA:** Rules targeting the unique strings within the Titanis Go or C# compiled binaries.
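The behavioral detection above (Event ID 4769 volume and RC4 encryption type) can be turned into a simple heuristic over exported security events. The following is an added example written for this summary; it is not code from the original article, from TrustedSec, or from Titanis. The event records are constructed for illustration, and the field names (`TargetUserName`, `ServiceName`, `TicketEncryptionType`, `IpAddress`, `TimeCreated`) are assumed to follow the Windows Security event schema as exported to JSON; adjust them to your SIEM's naming.

```python
"""Kerberoasting-style heuristic over Event ID 4769 records.

Flags an account that requests several distinct RC4-encrypted service
tickets from one source address within a short window, and inventories
every RC4 service ticket (useful once RC4 is supposed to be disabled).
Event records below are constructed sample data, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption types as logged in 4769 (hex strings in the event XML).
RC4_HMAC = "0x17"            # RC4-HMAC, the type Kerberoasting prefers
AES_TYPES = {"0x11", "0x12"}  # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

# Constructed sample: jdoe pulls several RC4 tickets in ~20 seconds,
# asmith makes one normal AES request, bwong makes a single RC4 request.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:01", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:05", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_http", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:07", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:20", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:00", "TargetUserName": "asmith@CORP.EXAMPLE",
     "ServiceName": "cifs/fs01", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.40"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T11:00:00", "TargetUserName": "bwong@CORP.EXAMPLE",
     "ServiceName": "svc_old", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.51"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def find_kerberoasting(events, window=timedelta(minutes=5), min_spns=3):
    """Return alerts for (user, source IP) pairs that requested at least
    `min_spns` distinct RC4-encrypted service tickets inside `window`."""
    by_source = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        # Tickets for krbtgt are TGT-related, not service accounts to roast; skip them.
        if e["ServiceName"].lower().startswith("krbtgt"):
            continue
        by_source[(e["TargetUserName"], e["IpAddress"])].append(e)

    alerts = []
    for (user, ip), evs in by_source.items():
        evs.sort(key=_ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            spns = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(spns) >= min_spns:
                alerts.append({"user": user, "ip": ip, "spns": sorted(spns)})
                break  # one alert per (user, ip) is enough
    return alerts


def rc4_service_tickets(events):
    """Every 4769 that used RC4, as (user, service) pairs, for an RC4 inventory."""
    return [(e["TargetUserName"], e["ServiceName"]) for e in events
            if e.get("EventID") == 4769 and e.get("TicketEncryptionType") == RC4_HMAC]


if __name__ == "__main__":
    for alert in find_kerberoasting(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']} from {alert['ip']} requested RC4 tickets for {alert['spns']}")
    print("RC4 service tickets seen:", rc4_service_tickets(SAMPLE_EVENTS))
```

On the constructed sample, only `jdoe` trips the threshold (three distinct RC4 SPNs in twenty seconds); the single RC4 request by `bwong` is not an alert but still appears in the RC4 inventory, which is the list to work through before disabling RC4-HMAC domain-wide. Tune `window` and `min_spns` to the baseline of your environment, since service accounts that legitimately request many tickets will otherwise generate noise.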
## Mitigation Strategies
- **Hardening:** Disable RC4-HMAC encryption and enforce AES-128/256 for Kerberos.
- **Credential Protection:** Place high-privileged accounts in the Protected Users security group to prevent TGT delegation and limit credential exposure.
- **Monitoring:** Enable "Audit Kerberos Service Ticket Operations" to detect mass TGS requests (Kerberoasting).
- **Certificate Security:** Protect PKI infrastructure to prevent unauthorized issuance of certificates that could be used for PKINIT authentication.
## Related Tools/Techniques
- **Rubeus:** A C# toolset for Kerberos interaction and abuses.
- **Impacket:** A collection of Python classes for working with network protocols, including Kerberos and LDAP.
- **Mimikatz:** Used for extracting Kerberos tickets from memory.
- **PKINIT:** The protocol extension used for certificate-based Kerberos login.