Good overview of Kerberoasting, still a common attack chain. A couple of things, though: To obtain access to a service, you actually need to get a service ticket (TGS) from the KDC (Domain Controller) to authenticate to the service, not a TGT. The TGT is the first ticket acquired during authentication to the domain. In addition, the "salt" is not a true salt but a concatenation of the domain and principal name, so even worse. Active Directory (invented at MIT) supports RC4, AES128, and AES256 encryption types; however, you can effectively disable RC4 via Group Policy. The reason RC4 is still supported is to support legacy systems. Many organizations use old software that only supports RC4. For example, I've run into many manufacturing and small businesses that have no choice but to use it and can't upgrade the software due to $$$. Anyway, good stuff! Shout out to Tim Medin, who published this back in 2014.

> Active Directory (invented at MIT)

AD was invented by Microsoft, gluing together Kerberos (from MIT) and LDAP (from UMich). If it was from MIT, we wouldn't have had Windows 2000's infamous proprietary PAC.

History of Active Directory (derived from MS Exchange), see https://hardcoresoftware.learningbyshipping.com/p/bonus-the-...

> you actually need to get a service ticket (TGS)

If we're being pedantic, TGS ("ticket granting server") is the service you get service tickets from. Service tickets are (occasionally) abbreviated ST, as you'd expect. The TGS is a logical part of the KDC, distinguished from the AS which grants TGTs.

Kerbernerd revealed.

Just to add to this, the salt (domain [realm] and username) is only used to generate the AES keys, not the RC4. The RC4 key is simply the NT hash.

And thanks for the shout out!

It’s been ages since I stood up a Kerberos realm, but… would it be possible to allow RC4 only for specific users? Like encrypt win98server@example.com’s heavily locked down account with RC4, but everyone else gets AES-256?

Yes, you can enable specific encryption types for users. It's not super common, but it can be done.