Secondary Categories: 02 - Cryptography Links: Kerberoasting ASREP Roasting Unconstrained Delegation Constrained Delegation Alternate Service Name S4U2 Self Abuse Resource Based Constrained Delegation (RBCD) Search Tag:📕
Kerberos
Description:
- When a user logs into their workstation their machine will send an AS-REQ message to the Key Distrubution Center (KDC) which is the Domain Controller and request a TGT using a secret key derived from the users password.
- The KDC verifies the secret key with the password it has stored in AD for that user. Once validated it returns the TGT in an
AS-REP message. The TGT contains the users identity and is encrypted with the KDC secret key (krbtgt account) - When the user attempts to access a resource backed by Kerberos authentication like a file share the requestee machine looks up the associated Service Principle Name (SPN) and it request a (TGS-REQ) a Ticket Granting Service Ticket (TGS) for that service frim the KDC and presents its TGT as a means of proving theyre a valid user.
- The KDC returns a TGS (TGS-REP) for the service in question to the user, which is then presented to the actual service. The service inspects the TGS and decides whether it should grant the user access or not.
Resources:
| Title | URL |
|---|---|
| place | holder |
Created Date: November 20th 2022 16:12
Last Modified Date: November 20th 2022 16:12