# Kerberos\_AD

## Kerberos process:

C1. AS-REQ (no pre-auth) -> KDC options (ticket flags) + cname (username) + sname (krbtgt/REALM, i.e. asking for a TGT) + realm

K2. KRB-ERROR: KDC_ERR_PREAUTH_REQUIRED (error code 0x19) -> stime + salt and supported etypes (PA-ETYPE-INFO2) + error code

C3. AS-REQ (with pre-auth) -> cname + sname + PA-ENC-TIMESTAMP (current timestamp) <- encrypted with the user's key (for RC4-HMAC this is simply the NT hash; for AES it is derived from password + salt)

K4. AS-REP (TGT)<mark style="color:green;">:</mark>

*<mark style="color:green;">-> enc-part: TGT session key + sname + realm + lifetime <- Encrypted using the user's key</mark>*

*<mark style="color:green;">-> TGT: username + realm + session key + timestamp + lifetime + PAC data <- Encrypted using the krbtgt key (only the KDC can read it)</mark>*

C5. TGS-REQ (TGS)<mark style="color:purple;">:</mark>

*<mark style="color:purple;">-> req-body: sname (the SPN of the target service) + realm + requested etypes, in cleartext</mark>*

*<mark style="color:purple;">-> PA-TGS-REQ: the TGT <- Encrypted using the krbtgt key (the client only forwards it, it cannot read it)</mark>*

*<mark style="color:purple;">-> Authenticator: username + timestamp <- Encrypted using the TGT session key (proves the client knows the session key from step K4)</mark>*

K6. TGS-REP (TGS)<mark style="color:blue;">:</mark>

*<mark style="color:blue;">-> enc-part: service session key + sname + realm + lifetime <- Encrypted using the TGT session key</mark>*

*<mark style="color:blue;">-> Service ticket (TGS): username + realm + service session key + timestamp + lifetime + PAC data <- Encrypted using the service account's key (e.g. the SQL service account's hash); this is the part Kerberoasting cracks offline</mark>*

C7. AP-REQ (sent to the service, not to the KDC)<mark style="color:yellow;">:</mark>

*<mark style="color:yellow;">-> Authenticator: username + timestamp <- Encrypted using the service session key</mark>*

*<mark style="color:yellow;">-> Service ticket (TGS) <- Encrypted using the service account's key (e.g. the SQL service account); the service decrypts it with its own key and reads the PAC</mark>*

S8. AP-REP -> DONE (only when mutual authentication is requested: the service sends back the timestamp from the authenticator, encrypted with the service session key, so the client knows it talked to the real service)

***

### Kerberoasting: definition:

* Any authenticated domain user can request a service ticket (TGS) for any SPN. The ticket is encrypted with the service account's key, so the attacker takes the ticket offline and cracks the service account's password without ever contacting the service or failing a logon.
* Attackers request RC4 encryption (etype 23 / 0x17) in the TGS-REQ because RC4-HMAC tickets are much cheaper to crack: the RC4 key is just the unsalted NT hash (MD4 of the password), whereas the AES key is derived with PBKDF2 from password + salt.

Detect:

* 4769: A Kerberos service ticket (TGS) was requested (Security log on the DC); check Service Name, Ticket Encryption Type and Ticket Options
* 4770: A Kerberos service ticket was renewed
* Ticket Options 0x40810000 (forwardable + renewable + canonicalize) together with Ticket Encryption Type 0x17 (RC4-HMAC) is the classic Kerberoasting signature, especially when one account requests tickets for many different SPNs in a short window. Filter out Service Name krbtgt and computer accounts (ending in $) to cut noise; if RC4 is still enabled domain-wide, legacy clients also produce 0x17 tickets
* On the wire: TGS-REQ packets asking for RC4 encryption (etype 23) in the req-body
* PowerShell-based tooling: Windows PowerShell log events 400 (engine start) and 800 (pipeline execution details); Microsoft-Windows-PowerShell/Operational events 4100 (error), 4103 (module logging) and 4104 (script block logging)

***

### AS-REP roasting: definition:

* Adversaries may reveal credentials of accounts that have Kerberos pre-authentication disabled ("Do not require Kerberos preauthentication" on the account) by cracking the AS-REP offline: with no pre-auth, anyone can send an AS-REQ for that username and receive an AS-REP whose enc-part is encrypted with the user's key, so no password is ever tried against the DC

Detect:

* Windows Event ID 4768: Kerberos authentication ticket (TGT) was requested, with Pre-Authentication Type 0 (no pre-auth) and Ticket Encryption Type 0x17 (RC4); this is the key indicator
* Event ID 4771: Kerberos pre-authentication failed. Failure code 0x18 (bad password) from one source against many accounts points at password spraying rather than AS-REP roasting
* Code 0x19 (KDC_ERR_PREAUTH_REQUIRED) is the KDC's answer from step K2 for a normal account; an account vulnerable to AS-REP roasting never triggers it, which is why the 4768 with Pre-Authentication Type 0 matters
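As an added example (not part of the original notes), the 4769 and 4768 checks from the two detection lists above, run over a handful of constructed events. The field names (`TargetUserName`, `ServiceName`, `TicketOptions`, `TicketEncryptionType`, `PreAuthType`, `Status`, `IpAddress`) are the EventData names of the real Security log events; the accounts, IPs and the burst threshold of 3 distinct SPNs are assumptions for the example.

```python
# Added example: Kerberoasting (4769) and AS-REP roasting (4768) detection over
# constructed sample events. Field names follow the Security log EventData; the
# events, accounts and threshold are made up for this example.
from collections import defaultdict

RC4_HMAC = "0x17"
KERBEROAST_OPTIONS = "0x40810000"   # forwardable | renewable | canonicalize
SPN_BURST_THRESHOLD = 3             # distinct SPN accounts per requester (assumed value)

SAMPLE_EVENTS = [
    # legitimate: computer account, AES (0x12), target krbtgt
    {"EventID": 4769, "TargetUserName": "WS01$@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.21"},
    # Kerberoasting burst: one user, RC4, several SPN-bearing service accounts
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    # legitimate TGT request with pre-auth (PreAuthType 2 = PA-ENC-TIMESTAMP)
    {"EventID": 4768, "TargetUserName": "asmith", "ServiceName": "krbtgt", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.30"},
    # AS-REP roasting: no pre-auth, RC4 reply requested
    {"EventID": 4768, "TargetUserName": "svc_legacy", "ServiceName": "krbtgt", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
]

def is_kerberoast_candidate(ev):
    """4769 for a user-style service account (not krbtgt, not a computer account) with RC4 and the classic options."""
    return (ev["EventID"] == 4769 and ev["Status"] == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and ev["TicketOptions"] == KERBEROAST_OPTIONS
            and ev["ServiceName"].lower() != "krbtgt"
            and not ev["ServiceName"].endswith("$"))

def is_asrep_roast_candidate(ev):
    """4768 without pre-authentication (PreAuthType 0) asking for an RC4 encrypted reply."""
    return (ev["EventID"] == 4768 and ev["Status"] == "0x0"
            and ev["PreAuthType"] == "0"
            and ev["TicketEncryptionType"] == RC4_HMAC)

def analyse(events):
    """Returns {alert_name: [requesting accounts]}; the burst rule aggregates per requester."""
    spn_targets = defaultdict(set)
    alerts = defaultdict(list)
    for ev in events:
        if is_kerberoast_candidate(ev):
            spn_targets[ev["TargetUserName"]].add(ev["ServiceName"])
        if is_asrep_roast_candidate(ev):
            alerts["asrep_roast"].append(ev["TargetUserName"])
    for account, services in spn_targets.items():
        alerts["rc4_tgs_request"].append(account)
        if len(services) >= SPN_BURST_THRESHOLD:
            alerts["kerberoast_burst"].append(account)
    return dict(alerts)

if __name__ == "__main__":
    for name, accounts in analyse(SAMPLE_EVENTS).items():
        print(f"{name}: {sorted(set(accounts))}")
```

On a real DC the same logic would run over `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768,4769}` output; the single-event RC4 rule is noisy in domains that still allow RC4, so the per-account SPN burst is usually the alert worth paging on.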

***

### Pass the ticket: definition:

* Exploits stolen Kerberos tickets (a TGT or service ticket dumped from LSASS memory, or a .kirbi/.ccache file): the attacker injects the ticket into their own logon session and uses the identity associated with it to access network resources without knowing the user's password or hash. The ticket is only usable until its lifetime expires

Detect:

* Event ID 4624 (An account was successfully logged on), Logon Type 3, Authentication Package Kerberos, where the account does not belong on the source host or the source IP is unusual for that user
* Correlate with 4768 on the DC: a host presenting a TGT for a user who never requested one from that host (no matching 4768) is a strong sign of a reused ticket

***

### Pass the hash: definition:

* Use the NTLM hash of a password for NTLM authentication instead of the password itself; the NTLM challenge-response only needs the hash, so a dumped hash is as good as the password. Relevant to Kerberos because the NT hash is also the RC4-HMAC key: with RC4 allowed, the same hash can be used in the AS-REQ pre-auth (step C3) to get a real TGT (over-pass-the-hash)

Detect:

* Event ID 4624 (An account was successfully logged on), Logon Type 3, Authentication Package NTLM and Logon Process NtLmSsp, on hosts or accounts where Kerberos would be expected
* On the source host, Event ID 4624 Logon Type 9 (NewCredentials) with Logon Process seclogo, which is what Mimikatz sekurlsa::pth produces when it injects a hash

***

### Silver Ticket: definition:

* A forged service ticket (TGS) built with the service account's key (its NT hash for RC4, or its AES key), so it only grants access to services running under that account (e.g. CIFS or MSSQLSvc on one host). The forged ticket is presented directly in the AP-REQ (step C7) and the KDC is never contacted, so no 4768/4769 appears on the DC. It works because services do not validate the PAC with the DC by default, so the attacker can put any username and group SIDs in it. Detection is on the service host: 4624 events whose account name, domain or SID do not match a real domain account

### Golden Ticket: definition:

* A forged TGT built with the krbtgt account's key (its NT hash or AES key), which requires Domain Admin level access (e.g. DCSync or an NTDS.dit copy) to obtain. Because the KDC accepts anything it can decrypt with the krbtgt key (step C5), the attacker can request service tickets for any service as any user, typically with Domain Admins (RID 512) in the PAC, without ever logging in legitimately. The ticket keeps working after the impersonated user's password changes and is only invalidated by resetting the krbtgt password twice
