Collaborate Disseminate
Imagine the following scenario: A company network with "domain joined" linux clients (e.g they have a HOST$@DOMAIN.LOCAL principal in their keytabs file + A computer entry in the DC).
Now an attacker gains access to this network … Continue reading NFS4+Kerberos: Is the client authenticated?
I just want to confirm behavior of Kerberos and how the tickets work, as I only have a basic understanding. From what it sounds like, the user’s password hash is only used to gain the initial TGT. After that, if the TGT is valid, they are … Continue reading Kerberos TGT behavior after password change
Consider the diagram in https://en.wikipedia.org/wiki/Kerberos_(protocol)#/media/File:Kerberos_protocol.svg depicting the Kerberos protocol.
I’m wondering how the authentication server (AS) is useful.. Couldn’t we drop the messages A, B, C… Continue reading Why is the authentication server needed in the Kerberos protocol
There is an attack on Active Directory named "Kerberoasting": https://attack.mitre.org/techniques/T1558/003/
I ask TGS for ticket to access some SPN
Part of this ticket is encrypted with SPN’s password hash (something that only … Continue reading Why AD Kerberos uses password hash and not session key for tickets?
I’m running a pentest and I’ve managed to get man-in-the-middle access between a machine and a domain controller. A process on the machine will log into the DC, as a domain admin, to get a Kerberos ticket. I can see the AS-REQ/AS-REP &… Continue reading How to extract Kerberos ticket from Wireshark?
Setup:
Some service (SAS, HTTP, mongodb) running on a Linux server and using Windows AD/Kerberos for SSO.
On Linux, httpd is running as the http (Unix) account, and mariadb is running as "mariadb" (Unix) account.
Understanding:… Continue reading kerberoasting: Usefulness of hacking a SSO (GSSAPI/SPNEGO) service on Linux
Currently looking for a way to prevent unauthenticated user enumeration on a Domain Controller. This is a security precaution I’d like to implement, next to the existing measures taken prevent unauthorized DC access.
Kerbrute states the fo… Continue reading Is it possible to prevent Kerbrute from unauthenticated user enumation Active Directory?
An Active Directory domain is deployed, a domain controller on Windows Server 2019. A computer with SQL Server 2016 is added to it, which is launched under the srv service account. The attacker has unprivileged access to this SQL Server fr… Continue reading Equivalence of UNC Path Injection and Kerberoasting Attacks on SQL Server
I’m playing with mimikatz kerberos::golden, e.g.,
kerberos::golden /domain:XXX /sid:XXX /user:XXX /aes256:XXX /endin:864000 /renewmax:10240 /ptt
Then I tried to access a domain joined machine, but I got access denied:
dir \\IP_address\C$
… Continue reading Kerberos golden ticket works with DNS only – access denied with IP address
Microsoft describes the communication steps to receive a TGS as follows:
client asks Kerberos DC for Ticket Granting Ticket
client receives TGT (if authenticated successfully)
client asks KDC for Ticket Granting Service, to get access to … Continue reading Kerberos Ticket Granting Service TGS – order of communication steps