
Kerberos Authentication


Last updated 3 years ago

If a user wants to obtain access to resources within an Active Directory network, he must obtain a ticket through a 6-step process.

First, he sends a request to the Key Distribution Center (KDC) containing a timestamp encrypted with his password hash, which proves knowledge of the password without sending it. (AS-REQ)

Second, if the KDC can decrypt the timestamp with the password hash it holds for the user, the user receives a Ticket Granting Ticket (TGT) encrypted and signed with the hash of the krbtgt account. (AS-REP)

Third, the TGT, which only the krbtgt hash can open, is sent to the KDC or DC in order to receive a Kerberos Service Ticket (TGS) for a specific service. (TGS-REQ)

Fourth, the user receives a TGS encrypted with the hash of the service account he wishes to access; the user cannot read or alter its contents. (TGS-REP)

Fifth, the user connects to the server and attempts to use the service he sent the initial request for, presenting the TGS. The service validates it with its own key and does not need to contact the KDC. (AP-REQ)

Last, the user gains access, and if mutual authentication is requested the server proves its own identity back to the client. (AP-REP)
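The six steps above as a runnable model, added here as an illustration and not code from the original page or from PentesterAcademy. It is not real Kerberos: the cipher is a toy HMAC-SHA256 stream with an authentication tag standing in for RC4-HMAC/AES, and every principal, password and SPN is a constructed placeholder. What it does show is the key property behind each step: the KDC is the only party that can open a TGT, the client never sees inside a ticket, and the service validates the TGS with nothing but its own key.

```python
"""Toy model of the Kerberos AS-REQ/REP, TGS-REQ/REP and AP-REQ/REP exchange.
Added example, NOT real Kerberos crypto; keys, users and SPNs are constructed."""
import hashlib, hmac, json, os, time


def long_term_key(password: str) -> bytes:
    # Stand-in for the key derived from a principal's password ("password hash")
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Open a sealed blob; raises ValueError unless it was sealed under `key`."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, users, services, krbtgt_password, skew=300):
        self.users = {u: long_term_key(p) for u, p in users.items()}
        self.services = {s: long_term_key(p) for s, p in services.items()}
        self.krbtgt_key = long_term_key(krbtgt_password)
        self.skew = skew  # seconds of tolerated clock drift for pre-auth timestamps

    def as_exchange(self, user, preauth):
        """Steps 1-2: AS-REQ pre-auth check, AS-REP with TGT + session key."""
        try:
            ts = unseal(self.users[user], preauth)["timestamp"]
        except (KeyError, ValueError):
            raise PermissionError("AS-REQ pre-authentication failed")
        if abs(time.time() - ts) > self.skew:
            raise PermissionError("timestamp outside allowed clock skew")
        sk = os.urandom(16).hex()
        tgt = seal(self.krbtgt_key, {"user": user, "session_key": sk})  # krbtgt-encrypted
        return tgt, seal(self.users[user], {"session_key": sk})  # user-encrypted part

    def tgs_exchange(self, tgt, authenticator, spn):
        """Steps 3-4: open the TGT with the krbtgt key, issue a service-encrypted TGS."""
        try:
            t = unseal(self.krbtgt_key, tgt)
        except ValueError:
            raise PermissionError("TGT was not issued under this KDC's krbtgt key")
        sk = bytes.fromhex(t["session_key"])
        if unseal(sk, authenticator)["user"] != t["user"]:
            raise PermissionError("authenticator does not match TGT")
        svc_sk = os.urandom(16).hex()
        tgs = seal(self.services[spn], {"user": t["user"], "spn": spn, "session_key": svc_sk})
        return tgs, seal(sk, {"session_key": svc_sk})


def service_ap_exchange(service_key, tgs, authenticator):
    """Steps 5-6: the service validates the TGS with only its own key, no KDC call."""
    t = unseal(service_key, tgs)
    sk = bytes.fromhex(t["session_key"])
    auth = unseal(sk, authenticator)
    if auth["user"] != t["user"]:
        raise PermissionError("AP-REQ authenticator mismatch")
    # AP-REP: echo the client's timestamp under the session key (mutual authentication)
    return seal(sk, {"ap_rep_ts": auth["timestamp"]})


def run_exchange(user="alice", password="Winter2024!", spn="cifs/fs01.corp.local"):
    """Full client-side walk through all six steps; True if mutual auth succeeds."""
    kdc = KDC({user: password}, {spn: "svc-secret"}, krbtgt_password="krbtgt-secret")
    ukey = long_term_key(password)
    tgt, enc = kdc.as_exchange(user, seal(ukey, {"timestamp": time.time()}))  # 1, 2
    sk = bytes.fromhex(unseal(ukey, enc)["session_key"])
    ts = time.time()
    tgs, enc = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "timestamp": ts}), spn)  # 3, 4
    svc_sk = bytes.fromhex(unseal(sk, enc)["session_key"])
    ap_rep = service_ap_exchange(long_term_key("svc-secret"), tgs,
                                 seal(svc_sk, {"user": user, "timestamp": ts}))  # 5, 6
    return unseal(svc_sk, ap_rep)["ap_rep_ts"] == ts


def forged_tgt_is_rejected():
    """A TGT sealed under any key other than the real krbtgt key fails at step 3."""
    kdc = KDC({"alice": "pw"}, {"cifs/fs01": "s"}, krbtgt_password="krbtgt-secret")
    fake = seal(long_term_key("guessed-key"), {"user": "Administrator", "session_key": "00" * 16})
    try:
        kdc.tgs_exchange(fake, b"", "cifs/fs01")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("mutual auth ok:", run_exchange(), "| forged TGT rejected:", forged_tgt_is_rejected())
```

The model makes the trust boundaries in the text concrete: the only secret the KDC needs to issue TGTs is the krbtgt key (which is why that key matters so much from a defensive standpoint), a service only ever needs its own key, and the client holds nothing but session keys it was handed in the encrypted parts of the replies.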

From PentesterAcademy.com