Kerberos

How Kerberos Works

Deep Dive into Kerberoasting AttackHacking Articles

AS-REP Roasting

IOC differences between Kerberoasting and AS-REP RoastingMedium

Cracking Active Directory Passwords with AS-REP Roastingblog.netwrix.com

Good recon

AS_REP Roasting vs Kerberoastingluemmelsec.github.io

Explaination

Kerberoasting

RBAC

Detecting Resource-Based Constrained Delegation AbuseSWolfSecurity

Services of Interest:

Possible operation	Service(s)	Description	Related note
PsExec-like file system access	CIFS	Remote execution of commands using PsExec-like utilities or full access to the machine file system.	Windows - Lateral movements [L7] 445 - SMB
WMI	HOST RPCSS	Remote execution of commands through Windows Management Instrumentation (WMI) (Win32_Process class for example).	Windows - Lateral movements
WinRM	Always necessary: HOST HTTP Host dependant: WSMAN RPCSS	PowerShell remoting through Windows Remote Management (WinRM).	Windows - Lateral movements [L7] 5985-5968 - WSMan
Windows services	HOST	Remote creation and/or execution of Windows services.	Windows - Lateral movements
Scheduled tasks	HOST	Remote creation and/or execution of Windows scheduled tasks.	Windows - Lateral movements
DCSync LDAP access	LDAP	LDAP requests, and notably allows, for service tickets to the LDAP service of a Domain Controller, the conduct of replication operations (DCSync).	[ActiveDirectory] ntds.dit dumping
RSAT	CIFS LDAP RPCSS	Use of the PowerShell cmdlets of the Windows Remote Server Administration Tools (RSAT) suite.	[ActiveDirectory] Domain Recon

Exploitation - Kerberos silver tickets | InfoSec Notesnotes.qazeer.io

Post Exploitation - Kerberos golden tickets | InfoSec Notesnotes.qazeer.io

Mitigation:

AD Forest Recovery - Reset the krbtgt passwordMicrosoftLearn

TGTs are encrypted with the KRBTGT hash. Resetting it will invalidate all TGTs within the domain.

Note that the password history value for the KRBTGT account is 2, which means it includes the two most recent passwords. Therefore, to invalidate all TGTs currently in the system, you need to reset the password twice

Important: Be aware that changing the KRBTGT password will affect almost all subsequent Kerberos operations. In particular, all the TGTs that have been issued will be invalid since they were encrypted with the old password. However, all authenticated sessions that have been established to a resource (such as a file share, SharePoint site or Exchange server) are good until the service ticket is required to re-authenticate. Microsoft advises that rebooting a computer is the only reliable way to recover functionality, since this will force both the computer account and the user account to log back in again, which in turn ensures that they get new TGTs encrypted with the new KRBTGT password hash.

Golden ticket attacks: How they work — and how to defend against themThe Quest Blog

Explore Our Blog Articles | Netwrixblog.netwrix.com

Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active DirectoryActive Directory & Azure AD/Entra ID Security

Considerations:

• NTDS contains old and current passwords in it.

• E:\Windows\NTDS can be a mounted virtual share from vsphere vmdk file.