Particle42
  • 🔬Network Enumeration
    • NMAP
    • TCPdump
  • 🔭Website Enumeration
    • Passive Information Gathering
    • Subdomain Enumeration
  • 🖥️Web Application
    • URL & App Scan
    • Subdomain/Vhost Fuzz
    • Login Hack
    • Cross Site Scripting
    • Directory Traversal
    • Local File Inclusion
    • Remote File Inclusion
    • PHP Wrappers
    • SQL Injection
      • Bypass Authentication
      • Database Enumeration
      • Code Execution Via Injection
      • SQL Injection Tools
      • Other Resources
    • NOSQL Injection
      • Bypass Authentication
    • WordPress Scanner
    • Hints & Easter Eggs
  • 🎣Phishing
    • Client Info Gathering
    • HTA
    • Word Macros
    • Windows Library Files
  • 🪟Windows
    • Enumeration & PE Quick Ref
    • Enumeration
      • Users
      • Powershell History
      • System Details
      • Applications & Services
      • Files & Filesystems
      • Cached Creds
    • Windows PE
      • Windows PE Checklist
      • Service Binary Hijacking
      • Important Files
      • Service DLL Hijacking
      • Unquoted Service Paths
      • Other PE Methods
      • Finding PE Vulns
      • SeImpersonatePrivilege
      • Bypassuac using Bypassuac.exe
      • Bypassuac using eventviewer.exe
      • Rasta Watson
    • Windows Remote Access
  • 📂Active Directory
    • About
    • Important Definitions
    • Exploitation Methodology
    • AD Kerberos
      • Invoke-Kerberoast - Shortcut
    • Domain Recon
      • Auto Recon
    • AD Authentication Attacks
      • Password Guessing
      • Creating & Cracking TGS
      • Kerberoasting
    • Lateral Movement
      • Pass the Hash
      • Overpass the Hash
      • Pass the Ticket
      • Distributed Component Object Model
      • Golden Ticket
      • Shadow Copy
      • Domain Controller Sync
      • Windows Management Instrumentation
      • PowerShell Remoting
    • All Commands, Tools & Scripts
      • Using Crackmapexec
      • Using Powerview
      • Important Scripts & Links
  • 🍺Buffer Over Flow
    • Finding EIP Position
    • Eliminating Bad Characters
    • Finding Return Address
    • Payload for BOF
  • 🐧Linux
    • Enumeration
      • Users
      • Encrypted Files
      • System Info
      • Files & Filesystems
      • Applications & Services
    • Attack Vectors
      • Authorised Keys
    • Linux PE
      • Enumeration Commands
      • Finding PE Vulns
      • Check Sudo List
      • Add User to Passwd File
      • SUIDs
      • Tasks with Wildcard
      • Dirty Cow
      • DirtyPipe
      • Insecure File Permissions
      • Enumerating Processes
    • Quick Commands
  • Services
    • SMB
      • Find Server Version
      • Directory Traversal using Symlink
      • Enable Passwordless SMB Access
    • MSSQL
    • MYSQL
    • PHPLiteAdmin
    • SSH
      • Limited Keys Issue
    • SMTP
      • Sending Email
    • Webdav
    • DNS
      • DNS Recon
  • ↗️Pivoting
    • Bringing Internet Access
    • Port Forwarding
      • Local Port Forwarding
      • Remote Port Forwarding
      • Dynamic Port Forwarding
    • HTTP Tunnel-ing
    • DNS Tunneling
    • Chisel
    • Ligolo-NG
  • 🔑Passwords
    • Wordlist Generation
    • HTTP Applications
    • OS Login
    • Password Cracking
      • Using Hashes Directly
      • Cracking Hashes
    • SAM & System
  • 🛠️Practical Tools
    • Remote Shell
      • Alternate Reverse Shells
      • Move to Interactive Shell
    • File Transfers
      • Quick Webservers
    • CURL
    • Payloads
      • MSFVenom
      • Veil Framework
    • Crafty Executable
    • Metasploit
      • Discovery
    • IMPACKET
      • MSSQL-Client
    • Clever Alternatives
  • 🚀Privilege Escalation
    • General Info
  • ⚡Resources
    • Exploits
Powered by GitBook
On this page
  • NTLM Authentication
  • Kerberos Authentication
  • Stage 1 - Client to Domain Controller (Initial Authentication)
  • Stage 2 - Client to Domain Controller (Service Access)
  • Stage 3 - Client to SPN

Was this helpful?

  1. Active Directory

AD Kerberos

PreviousExploitation MethodologyNextInvoke-Kerberoast - Shortcut

Last updated 1 year ago

Was this helpful?

With the completion of recon you should have the list of users/accounts, groups and SPNs within the domain. With this information you should be able to compromise all the systems within the domain by cracking the authentication.

NTLM Authentication

NTLM authentication is used when a client authenticates to a hostname that is not registered with the Active Directory or the user uses IP address for authentication. The authentication process is as follows,

  1. Calculate a cryptographic hash, called the NTLM hash, from the user's password

  2. Client submits the username and the server in turn responds with a nonce

  3. Client then encrypts the nonce with the NTLM hash

  4. The server then sends the username and encrypted nonce to the domain controller to validate the user

  5. The domain controller encrypts the nonce with the NTLM hash of the user

Kerberos Authentication

In Kerberos authentication the Domain Controller acts as the key distribution center for the authentication of a client to a service. The authentication process is as follows,

Stage 1 - Client to Domain Controller (Initial Authentication)

  1. Authentication server request comprising of the time stamp encrypted using the hash derived from the username and password is sent by the client to the DC

  2. If request is successfully decrypted, then the DC responds with Authentication Server Reply that contains a session key and a Ticket Granting Ticket (TGT)

  3. TGT contains - Group memberships, domain, time stamp, IP address of client & session key

  4. TGT is encrypted by the secret key known only to the KDC

Stage 2 - Client to Domain Controller (Service Access)

When the user whishes to access a service on the domain, then the user has to explicitly request for a new ticket that will grant the user access to the desired service. The end goal of this process is to gain a service ticket and a session key for communicating with the SPN.

  1. The user sends a Ticket Granting Service Request containing - user details + time stamp(encrypted using session key) + SPN of the resource + Encrypted TGT

  2. If the requested SPN exists, then,

    1. Decrypt the TGT to get the session key

    2. Use the session key to extract the username + timestamp

  3. The DC responds with the Ticket Granting Server Reply containing - (SPN & SPN Session key) encrypted using TGT session key + (Service ticket) encrypted using SPN password hash

    1. The service ticket also contain details about the group membership

Stage 3 - Client to SPN

Only at stage 3 does an user actually start communication with the SPN.

  1. User sends an application request to the SPN that contains the username & timestamp encrypted with the session key and the service ticket

  2. SPN decrypts the service ticket using the service account password to extract the username and session key

  3. The session key is used to decrypt the application request to extract the username. Only if the username matches with the username in the service ticket will the process progress

  4. The SPN also checks for the group memberships in the service ticket before granting access

Now, from the above process the things that we can aim for,

  • Get a TGT and try to break it to find the password of the Ticket Granting Server

  • Get a service ticket and try to break it to find the password of the SPN

With both the information the user becomes unstoppable within a domain as the user can grant oneself access to any SPN and include the necessary groups.

📂