Kerberos Authentication


Last updated 7 months ago

AS-REQ

  • The client sends a request containing its username and a timestamp, which are encrypted by default because Pre-Authentication is enabled. This encryption uses the client key, which is derived from the user's password and username.


AS-REP

  • A session key, encrypted using the client key. This session key is shared between the client and the TGS.

  • The Ticket Granting Ticket (TGT), encrypted using the KDC key, which is derived from the krbtgt hash. The TGT contains information about the user, the domain, a timestamp, the IP address of the client and the session key.


TGS-REQ

Now that the client has the TGT, it sends a request to the Ticket Granting Service (TGS). This request includes:

  • The TGT and the requested service identifier.

  • The username and a timestamp, which are usually encrypted with the session key.


TGS-REP

Before the TGS replies, it checks the following:

  1. The TGT must have a valid timestamp.

  2. The username from the TGS-REQ has to match the username from the TGT.

  3. The client IP address needs to coincide with the TGT IP address.

If the verification is successful, the TGS replies with a TGS-REP that includes the following:

  • Another session key, also known as the Service Key (or service session key), specific to the communication between the client and the application server.

  • A Service Ticket encrypted with the application server's private key. The Service Ticket includes the following:

    • Client’s username.

    • Client’s IP Address.

    • Validity Period: When the service ticket expires.

    • Service Session Key.


AP-REQ

The client finally contacts the Application Server, sending:

  • The Service Ticket.

  • An encrypted timestamp.


AP-REP

The application server decrypts the Service Ticket and verifies that the username sent by the client matches the one inside the encrypted Service Ticket.

  • If the verification is successful, the application server replies with a timestamp encrypted with the service session key.
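The six messages above, played end to end as a toy model. This is an added example, not code from the original notes or from any Kerberos implementation: it uses the standard library only, so the cipher is a SHA-256 keystream with an HMAC tag (not a real Kerberos encryption type), keys come from PBKDF2 instead of the real string-to-key function, message layouts are simplified dicts, and the application server's key is modelled as a symmetric key shared between the KDC and the server. The realm, user and password are constructed sample values. What it adds to the prose is the order of the checks and which key each one depends on: a wrong password fails at the AS exchange, and a TGT presented from a different IP or with a different username fails at the TGS exchange.

```python
"""Toy model of AS-REQ/AS-REP, TGS-REQ/TGS-REP and AP-REQ/AP-REP.
Added example with a stdlib-only cipher; NOT real Kerberos crypto or layouts."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300              # allowed clock skew in seconds (assumed 5 minute default)
TICKET_LIFETIME = 600   # toy ticket lifetime in seconds


def string_to_key(password: str, salt: str) -> bytes:
    """Client key derived from password and username (simplified derivation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((length + 31) // 32))[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON dict: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Rejects anything not produced under the same key (wrong password, forged ticket)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service and Ticket Granting Service in one object."""

    def __init__(self):
        self.krbtgt_key = os.urandom(32)   # stands in for the krbtgt hash
        self.users = {}                    # username -> client key
        self.services = {}                 # SPN -> service account key

    def as_exchange(self, username, preauth_blob, client_ip):
        client_key = self.users[username]
        preauth = decrypt(client_key, preauth_blob)   # pre-auth timestamp, client key
        if abs(time.time() - preauth["timestamp"]) > SKEW:
            raise ValueError("stale pre-authentication timestamp")
        session_key = os.urandom(32)
        tgt = encrypt(self.krbtgt_key, {"user": username, "ip": client_ip,
                                        "expires": time.time() + TICKET_LIFETIME,
                                        "session_key": session_key.hex()})
        # AS-REP: session key under the client key, TGT under the krbtgt key
        return encrypt(client_key, {"session_key": session_key.hex()}), tgt

    def tgs_exchange(self, tgt_blob, spn, authenticator_blob, client_ip):
        tgt = decrypt(self.krbtgt_key, tgt_blob)
        if time.time() > tgt["expires"]:                 # check 1: valid timestamp
            raise ValueError("expired TGT")
        session_key = bytes.fromhex(tgt["session_key"])
        auth = decrypt(session_key, authenticator_blob)
        if auth["user"] != tgt["user"]:                  # check 2: username matches TGT
            raise ValueError("username mismatch")
        if client_ip != tgt["ip"]:                       # check 3: IP matches TGT
            raise ValueError("client IP mismatch")
        service_key = os.urandom(32)
        st = encrypt(self.services[spn], {"user": tgt["user"], "ip": tgt["ip"],
                                          "expires": time.time() + TICKET_LIFETIME,
                                          "service_key": service_key.hex()})
        # TGS-REP: service key under the session key, Service Ticket under the service's key
        return encrypt(session_key, {"service_key": service_key.hex()}), st


def ap_exchange(service_account_key, st_blob, authenticator_blob):
    """Application server: AP-REQ in, AP-REP (encrypted timestamp) out."""
    st = decrypt(service_account_key, st_blob)
    if time.time() > st["expires"]:
        raise ValueError("expired service ticket")
    service_key = bytes.fromhex(st["service_key"])
    auth = decrypt(service_key, authenticator_blob)
    if auth["user"] != st["user"]:
        raise ValueError("username mismatch")
    return encrypt(service_key, {"timestamp": auth["timestamp"]})


def authenticate(kdc, username, password, spn, client_ip="10.0.0.5"):
    """Client side of all six messages; True when the AP-REP timestamp verifies."""
    client_key = string_to_key(password, username)
    enc_sk, tgt = kdc.as_exchange(username, encrypt(client_key, {"timestamp": time.time()}), client_ip)
    session_key = bytes.fromhex(decrypt(client_key, enc_sk)["session_key"])
    auth = {"user": username, "timestamp": time.time()}
    enc_svc, st = kdc.tgs_exchange(tgt, spn, encrypt(session_key, auth), client_ip)
    service_key = bytes.fromhex(decrypt(session_key, enc_svc)["service_key"])
    # kdc.services[spn] stands for the key the application server holds itself
    ap_rep = ap_exchange(kdc.services[spn], st, encrypt(service_key, auth))
    return decrypt(service_key, ap_rep)["timestamp"] == auth["timestamp"]


def build_demo_kdc():
    """Constructed sample realm: one user, one service (not real credentials)."""
    kdc = KDC()
    kdc.users["alice"] = string_to_key("Winter2024!", "alice")
    kdc.services["cifs/fileserver"] = os.urandom(32)
    return kdc


if __name__ == "__main__":
    kdc = build_demo_kdc()
    print("correct password:", authenticate(kdc, "alice", "Winter2024!", "cifs/fileserver"))
    try:
        authenticate(kdc, "alice", "wrong", "cifs/fileserver")
    except ValueError as e:
        print("wrong password:", e)  # fails already at the AS exchange
```

Run it as a script to see the success path and the failing pre-authentication; call `kdc.tgs_exchange` directly with a different `client_ip` to watch the third TGS check fire.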
