Collaborate Disseminate
I have worked as a system administrator mainly on Widnows Server for some years now.
Over the course of time I’ve always had a hard time trying to fully understand how Kerberos work.
For about 3 weeks as of now I have been informing and st… Continue reading Kerberos – NTLM Password Hashes – Questions!
I identified several signs of attacks that use forged certificates inside the network and developed a Proof-of-Concept utility capable of finding artifacts in AD, as well as a number of detection logic rules that can be added to SIEM. Continue reading Anomaly detection in certificate-based TGT requests
I’m currently working on a lab for AD penetration testing and want some of the machines to have a logon, including the TGT, for a specific domain user cached. So far I couldn’t come up with anything better than using the Winlogon feature. … Continue reading simulating a domain user logon on machine startup
As you know, during a kerberoasting attack, we can intercept the TGS ticket and use brute force tools (john the ripper, hashcat) to find out the password of the service accounts that signed the TGS tickets.
Is it possible to do the same fo… Continue reading Is it possible to get krbtgt hash from TGT ticket?
Kerberoasting is an attack against domain service accounts.
I have a custom Windows service written in C#. This service is running on a Windows server. This server is a member of the Active Directory domain.
The service is running as a dom… Continue reading kerberoasting on a standard user domain account
It’s said that a Windows Machine Account Password is usually composed of 120 characters in UTF-16-LE format. But when looking at the value stored in the Windows Registry under HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal one finds a s… Continue reading How is a Windows Active Directory Machine Account Password stored in Windows/Samba Clients?
I have a question in my mind regarding the inner workings of Kerberos protocol. If the generation of the session key is somehow insecure, does this compromise the security of the Kerberos protocol?
I am thinking at the point of the Ticket … Continue reading Kerberos protocol attacks?
I’m using mimikatz to retrieve a user’s password hashes from Active Directory with the following command:
lsadump::dcsync /user:mimikatz
The user’s password is Pa55w.rd.
The output is
…
Credentials:
Hash NTLM: 377565f7d41787414481a283… Continue reading Why do I see LM hashes stored in Active Directory?
If you look at the above Kerberos protocol’s diagram, you can find that the protocol works on the basis that the (symmetric) client key initially exists on both the client node and the key distribution center.
Then, the question is, how c… Continue reading How can a client safely post/get a (symmetric) client key to/from a key distribution center?
In kerberoasting , User request service ticket for any service with registered SPN then use the ticket to crack service password.
But in kerberoses authentication process , KRB_TGS_REQ request is encrypted with TGS secret key which is held… Continue reading TGS Ticket in Kerberoasting