kerberos – WindowsTechs.com

Why can’t a user who is accessing the service on their own behalf find the "long term" keys to decrypt the service ticket and have to use U2U?

Posted on March 27, 2024 by Deoni Deon

I started to study how the U2U mechanism works and got confused. The gist is as follows. When we use U2U the service ticket will be encrypted with the session key KDC of the user-"server". which he will receive during Kerberos au… Continue reading Why can’t a user who is accessing the service on their own behalf find the "long term" keys to decrypt the service ticket and have to use U2U?→

Microsoft Ships Urgent Fixes for Critical Flaws in Windows Kerberos, Hyper-V

Posted on January 9, 2024 by Ryan Naraine

Patch Tuesday: Redmond patches critical, remote code execution vulnerabilities haunting Windows Kerberos and Windows Hyper-V.
The post Microsoft Ships Urgent Fixes for Critical Flaws in Windows Kerberos, Hyper-V appeared first on SecurityWeek.
Continue reading Microsoft Ships Urgent Fixes for Critical Flaws in Windows Kerberos, Hyper-V→

Hashed Password Kerberos PKDF2 AES – ActiveDirectory

Posted on December 20, 2023 by Matías Huartamendía

I know that in Active Directory environments passwords are stored in the form of hashes depending on encryption types used in the environment.
I understand also that when using AES as a symmetric encryption type, the user password goes thr… Continue reading Hashed Password Kerberos PKDF2 AES – ActiveDirectory→

SPNEGO-based Kerberos authentication: Should I create a new security context using `gss_init_sec_context` for every request?

Posted on December 10, 2023 by Shuzheng

I’m implementing SPNEGO-based Kerberos authentication for a Linux client application for authenticating requests to a Windows IIS server.
I’ve read RFC4559, which describes how authentication should be performed:
https://datatracker.ietf.o… Continue reading SPNEGO-based Kerberos authentication: Should I create a new security context using `gss_init_sec_context` for every request?→

How kerberos hashes its keys? [closed]

Posted on November 24, 2023 by sluge

My manager said that kerberos passwords are hashed using aes256-cts-hmac-sha1-96 & aes128-cts-hmac-sha1-96 algorithms.
I that these are hot hashing algorithms but encryption algorithms.
My manager send me an email:

For Kerberos authen… Continue reading How kerberos hashes its keys? [closed]→

Microsoft Improves Windows Security with a Path to Move Off NTLM

Posted on November 22, 2023 by Mary Branscombe

It’s time to stop relying on the insecure authentication protocol built into Windows. Microsoft is making it easier to switch to secure modern options. Continue reading Microsoft Improves Windows Security with a Path to Move Off NTLM→

Shadow Credentials attack with TGT and TGS

Posted on November 19, 2023 by Teodor Cristian

I am trying to replicate Shadow Credentials attack in Active Directory environment. My initial approach was to:

Use Whisker to create a new certificate on behalf of DC (successful):
Whisker.exe add /target:dc-2$

Use the newly created ce… Continue reading Shadow Credentials attack with TGT and TGS→

How to mitigate spoofing, keylogging password, stealing public key with smart card with external/internal smart card reader?

Posted on November 11, 2023 by user300431

Here is my thought process:
I want to use smartcards without passwords for my setup. We don’t want to use Iris or fingerprint or voice. I only want to put in the card whenever something needs to authenticate and when I take out the card wh… Continue reading How to mitigate spoofing, keylogging password, stealing public key with smart card with external/internal smart card reader?→

Browser kerberos authentication

Posted on November 7, 2023 by bluesky

On a Windows host, which is a member of AD domain and authentication is Kerberos-based, how does a browser get TGT and Service ticket to access a specific service? I want to understand what APIs it uses at the implementation level.

Continue reading Browser kerberos authentication→

Browser kerberos authentication

Posted on November 7, 2023 by bluesky

Continue reading Browser kerberos authentication→