📄️ Kerberoasting
Kerberoasting is a credential-theft technique, typically used for privilege escalation, that abuses normal Kerberos behaviour to recover service account passwords. It targets accounts with a Service Principal Name (SPN), the Active Directory attribute that ties a service to the account it runs as. Any authenticated domain user can request a service ticket (TGS) for an SPN; part of that ticket is encrypted with a key derived from the service account's password, so the attacker extracts the encrypted blob and cracks it offline (for example with Hashcat mode 13100) without ever touching the service. Accounts that still allow RC4 (etype 23) are the easiest targets; AES-encrypted tickets crack far more slowly, and SPN accounts with long, random passwords (or gMSAs) are effectively immune.
📄️ Access Control List (ACL)
Access Control Lists (ACLs) define permissions for objects like users, groups, and computers. They consist of Access Control Entries (ACEs) that specify allowed or denied actions for security principals. ACLs help enforce security by restricting or granting access to AD resources.
📄️ Few Lateral Movements
Windows domain movement can be done through:
📄️ Kerberos Double-Hop Problem
The Kerberos double-hop problem occurs when a user authenticates to a first server (for example over WinRM) and that server then tries to reach a second system on the user's behalf. The second hop fails because the first server only holds a service ticket for itself, not the user's TGT or password, so it cannot obtain new tickets for the user unless delegation is configured or the credentials are supplied again on the first hop.
📄️ Clock skew too great
To solve the error Kerberos SessionError
📄️ Kerberos Realm File Creation
We can use netexec to generate /etc/krb5.conf file:
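As an added example (not the page's own or NetExec's code), the following reproduces the layout of the file that `nxc smb <dc> -u <user> -p <pass> --generate-krb5-file <path>` writes, plus the sanity check worth running before `kinit`. The domain, DC name and IP are placeholders for the engagement.

```python
def krb5_conf(domain, dc_fqdn, dc_ip=None):
    """Return a minimal krb5.conf for an AD domain (added example, not NetExec's code).

    Kerberos realm names are upper-case and case-sensitive; the [domain_realm]
    section maps DNS names back to the realm so SPN lookups work.
    """
    realm, domain = domain.upper(), domain.lower()
    kdc = dc_ip or dc_fqdn  # an IP avoids a DNS dependency on the attacking host
    return f"""[libdefaults]
    default_realm = {realm}
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    {realm} = {{
        kdc = {kdc}
        admin_server = {kdc}
        default_domain = {domain}
    }}

[domain_realm]
    .{domain} = {realm}
    {domain} = {realm}
"""


def check_krb5_conf(text, realm):
    """Sanity check before kinit: the realm block must carry a kdc entry."""
    realm = realm.upper()
    in_realm = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(f"{realm} = {{"):
            in_realm = True
        elif in_realm and s.startswith("kdc = "):
            return True
        elif s == "}":
            in_realm = False
    return False


if __name__ == "__main__":
    # placeholder domain, DC and IP (assumptions for the example)
    conf = krb5_conf("corp.local", "dc01.corp.local", "10.10.10.5")
    assert check_krb5_conf(conf, "corp.local")
    print(conf)  # redirect to /etc/krb5.conf as root
```

If you put the DC's FQDN rather than its IP under `kdc`, make sure the name resolves from the attacking host (an `/etc/hosts` entry is enough), otherwise every Kerberos client fails with a "cannot resolve KDC" error rather than an authentication error.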
📄️ Bleeding Edge Vulnerabilities
NoPac (SamAccountName Spoofing)
📄️ Misconfigurations Abuse
Exchange Related Group Membership
🗃️ Domain Trusts
2 items
📄️ Stealing Hashes
A common way to compromise accounts is to capture Net-NTLMv2 challenge-responses (often loosely called NTLMv2 hashes) by coercing a user or system into authenticating to an attacker-controlled SMB share. One trigger is a shortcut (.lnk) file whose icon path is a UNC path on the attacker's host, dropped on a share users browse: when Explorer renders the folder it tries to load the icon, authenticates to the attacker's SMB listener (for example Responder), and hands over the challenge-response. The capture can be cracked offline with Hashcat (mode 5600) or relayed with ntlmrelayx to hosts where SMB signing is not required; it cannot be used for pass-the-hash, since it is a one-time response rather than the NT hash itself.