Kerberos
Last updated
Cracking Active Directory Passwords with AS-REP RoastingNetwrix Blog | Insights for Cybersecurity and IT ProsLast updated
| Possible operation | Service(s) | Description | Related note |
|---|---|---|---|
|
| Remote execution of commands using |
|
|
| Remote execution of commands through |
|
| Always necessary:
|
|
|
Windows services |
| Remote creation and/or execution of Windows services. |
|
Scheduled tasks |
| Remote creation and/or execution of Windows scheduled tasks. |
|
|
|
|
|
|
| Use of the PowerShell cmdlets of the Windows |
|
TGTs are encrypted with the KRBTGT hash. Resetting it will invalidate all TGTs within the domain.
Note that the password history value for the KRBTGT account is 2, which means it includes the two most recent passwords. Therefore, to invalidate all TGTs currently in the system, you need to reset the password twice
Important: Be aware that changing the KRBTGT password will affect almost all subsequent Kerberos operations. In particular, all the TGTs that have been issued will be invalid since they were encrypted with the old password. However, all authenticated sessions that have been established to a resource (such as a file share, SharePoint site or Exchange server) are good until the service ticket is required to re-authenticate. Microsoft advises that rebooting a computer is the only reliable way to recover functionality, since this will force both the computer account and the user account to log back in again, which in turn ensures that they get new TGTs encrypted with the new KRBTGT password hash.
NTDS contains old and current passwords in it.
E:\Windows\NTDS can be a mounted virtual share from vsphere vmdk file.
