Kerberos and NTLM Security Vulnerabilities

5.

Kerberos Security Vulnerabilities

5.1.

Kerberoasting Attacks

5.1.1.

SPN Enumeration

5.1.1.1.

LDAP Queries for SPNs

5.1.1.2.

PowerShell SPN Discovery

5.1.1.3.

Automated SPN Scanning

5.1.2.

Service Ticket Requests

5.1.2.1.

TGS-REQ Crafting

5.1.2.2.

Ticket Request Automation

5.1.2.3.

Bulk Ticket Requests

5.1.3.

Ticket Extraction and Cracking

5.1.3.1.

Ticket Format Analysis

5.1.3.2.

Hash Extraction Tools

5.1.3.3.

Offline Password Cracking

5.1.3.4.

Weak Password Exploitation

5.2.

AS-REP Roasting

5.2.1.

Pre-authentication Bypass

5.2.1.1.

Accounts with Pre-auth Disabled

5.2.1.2.

AS-REQ without Pre-auth

5.2.1.3.

AS-REP Response Capture

5.2.2.

Hash Extraction and Cracking

5.2.2.1.

AS-REP Hash Format

5.2.2.2.

Offline Cracking Techniques

5.2.2.3.

Password Policy Impact

5.3.

Pass-the-Ticket Attacks

5.3.1.

5.3.1.1.

Memory-based Ticket Extraction

5.3.1.2.

File-based Ticket Storage

5.3.1.3.

Ticket Cache Access

5.3.2.

Ticket Injection

5.3.2.1.

LSASS Ticket Injection

5.3.2.2.

Kerberos Ticket Cache Manipulation

5.3.2.3.

Cross-Session Ticket Usage

5.3.3.

Privilege Escalation

5.3.3.1.

High-Privilege Ticket Abuse

5.3.3.2.

Service Account Impersonation

5.4.

Golden Ticket Attacks

5.4.1.

KRBTGT Compromise

5.4.1.1.

KRBTGT Account Significance

5.4.1.2.

Hash Extraction Methods

5.4.1.3.

Persistence Through KRBTGT

5.4.2.

Forged TGT Creation

5.4.2.1.

TGT Structure Manipulation

5.4.2.2.

Custom Privilege Assignment

5.4.2.3.

Extended Ticket Lifetime

5.4.3.

Domain Persistence

5.4.3.1.

Unrestricted Domain Access

5.4.3.2.

Stealth and Detection Evasion

5.4.3.3.

Cross-Domain Movement

5.5.

Silver Ticket Attacks

5.5.1.

Service Account Compromise

5.5.1.1.

Service Hash Acquisition

5.5.1.2.

Target Service Identification

5.5.1.3.

Service-Specific Exploitation

5.5.2.

Forged Service Ticket Creation

5.5.2.1.

Service Ticket Manipulation

5.5.2.2.

Custom Authorization Data

5.5.2.3.

Service-Specific Access

5.5.3.

Targeted Service Access

5.5.3.1.

Single Service Compromise

5.5.3.2.

Reduced Detection Footprint

5.5.3.3.

Lateral Movement Facilitation

5.6.

Delegation Attacks

5.6.1.

Unconstrained Delegation

5.6.1.1.

Delegation Configuration

5.6.1.2.

TGT Capture from Clients

5.6.1.3.

Privilege Escalation Paths

5.6.2.

Constrained Delegation

5.6.2.1.

Protocol Transition Abuse

5.6.2.2.

S4U2Self and S4U2Proxy

5.6.2.3.

Service Impersonation

5.6.3.

Resource-Based Constrained Delegation

5.6.3.1.

RBCD Configuration Abuse

5.6.3.2.

Computer Account Manipulation

5.6.3.3.

Privilege Escalation Techniques

5.7.

Advanced Kerberos Attacks

5.7.1.

Skeleton Key Attack

5.7.1.1.

LSASS Memory Patching

5.7.1.2.

Master Password Implementation

5.7.1.3.

Domain-wide Backdoor

5.7.2.

DCShadow Attack

5.7.2.1.

Rogue Domain Controller

5.7.2.2.

Directory Replication Abuse

5.7.2.3.

Stealth Persistence

5.7.3.

5.7.3.1.

Directory Replication Rights

5.7.3.2.

Credential Extraction

5.7.3.3.

KRBTGT Hash Acquisition

Previous

4. Kerberos Protocol Fundamentals

Go to top

Next

6. Attack Methodology and Lateral Movement