Kerberos

How Kerberos Works

AS-REP Roasting

Good recon
Explanation

Kerberoasting

RBAC

Services of Interest:

| Possible operation | Service(s) | Description | Related note |
| --- | --- | --- | --- |
| PsExec-like file system access | CIFS | Remote execution of commands using PsExec-like utilities or full access to the machine file system. | Windows - Lateral movements; [L7] 445 - SMB |
| WMI | HOST, RPCSS | Remote execution of commands through Windows Management Instrumentation (WMI) (for example, the Win32_Process class). | Windows - Lateral movements |
| WinRM | Always necessary: HOST, HTTP. Host dependent: WSMAN, RPCSS | PowerShell remoting through Windows Remote Management (WinRM). | Windows - Lateral movements; [L7] 5985-5968 - WSMan |
| Windows services | HOST | Remote creation and/or execution of Windows services. | Windows - Lateral movements |
| Scheduled tasks | HOST | Remote creation and/or execution of Windows scheduled tasks. | Windows - Lateral movements |
| DCSync LDAP access | LDAP | LDAP requests; notably, a service ticket for the LDAP service of a Domain Controller allows replication operations (DCSync). | [ActiveDirectory] ntds.dit dumping |
| RSAT | CIFS, LDAP, RPCSS | Use of the PowerShell cmdlets of the Windows Remote Server Administration Tools (RSAT) suite. | [ActiveDirectory] Domain Recon |

Mitigation:

TGTs are encrypted with the KRBTGT hash. Resetting it will invalidate all TGTs within the domain.

Note that the password history value for the KRBTGT account is 2, which means the KDC still accepts tickets encrypted with the two most recent passwords. Therefore, to invalidate all TGTs currently in the system, you need to reset the password twice.

Important: Be aware that changing the KRBTGT password will affect almost all subsequent Kerberos operations. In particular, all the TGTs that have been issued will be invalid since they were encrypted with the old password. However, all authenticated sessions that have been established to a resource (such as a file share, SharePoint site or Exchange server) are good until the service ticket is required to re-authenticate. Microsoft advises that rebooting a computer is the only reliable way to recover functionality, since this will force both the computer account and the user account to log back in again, which in turn ensures that they get new TGTs encrypted with the new KRBTGT password hash.
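As an added example (not part of these notes), the following PowerShell script reports the age of the KRBTGT password and, only when explicitly asked, performs the double reset described above, waiting for replication between the two resets. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and the hypothetical thresholds $MaxAgeDays and $WaitMinutes.

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory
# module (RSAT) and Domain Admin rights. $MaxAgeDays and $WaitMinutes are
# assumed values, not thresholds given in the notes.
param(
    [int]$MaxAgeDays = 180,
    [int]$WaitMinutes = 15,
    [switch]$Reset
)
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    # Age in days of the current KRBTGT password (the key that encrypts all TGTs)
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    return (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
}

function New-RandomPassword {
    # 32 random bytes as Base64; nobody ever needs to type this value,
    # the KDC derives the Kerberos keys from it.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Reset-KrbtgtTwice {
    foreach ($round in 1, 2) {
        $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw
        Write-Host "KRBTGT reset $round completed at $(Get-Date -Format o)"
        if ($round -eq 1) {
            # The second reset must not happen before every DC has replicated
            # the first one: a DC still holding only the old key could not
            # decrypt TGTs issued under the newest key.
            Write-Host "Waiting $WaitMinutes minutes for AD replication..."
            Start-Sleep -Seconds ($WaitMinutes * 60)
            repadmin /replsummary | Write-Host
        }
    }
}

$age = Get-KrbtgtPasswordAge
Write-Host "KRBTGT password age: $age days"
if ($age -gt $MaxAgeDays) {
    Write-Warning "KRBTGT password is older than $MaxAgeDays days; TGTs issued under a leaked hash stay valid until it is reset twice."
}
if ($Reset) { Reset-KrbtgtTwice }
```

Run without -Reset to audit only; with -Reset, expect the re-authentication effects described above and plan a maintenance window.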

Considerations:

  • The NTDS database contains both current and old (password history) password hashes.

  • E:\Windows\NTDS may be a mounted vSphere VMDK (virtual disk) file rather than the live system volume.
