Kerberos Authentication

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Check the amazing post from: https://www.tarlogic.com/en/blog/how-kerberos-works/

TL;DR for attackers

  • Kerberos is the default authentication protocol of AD; almost every lateral-movement chain touches it. For hands-on cheatsheets (AS-REP roasting/Kerberoasting, ticket forging, delegation abuse, etc.) see: 88tcp/udp - Pentesting Kerberos

Recent attack notes (2024-2026)

  • RC4 finally going away: Windows Server 2025 DCs no longer issue RC4 TGTs, and Microsoft intends to disable RC4 by default on AD DCs before the end of Q2 2026. Environments that re-enable RC4 for legacy apps create downgrade opportunities and cheap-to-crack (etype 23) Kerberoast hashes; what you actually get depends on the target account's msDS-SupportedEncryptionTypes and on what the DC is still willing to issue.
  • PAC validation enforcement (Apr 2025): the April 2025 updates ship in "Compatibility" mode; once enforcement is enabled, patched DCs discard forged PACs/golden tickets that fail the new checks. Legacy and unpatched DCs remain abusable, so enumerate DC patch levels before giving up on ticket forging.
  • CVE-2025-26647 (altSecID CBA mapping): if DCs are unpatched or left in Audit mode, certificates chained to a non-NTAuth CA but mapped via SKI/altSecID can still log on. Look for Event ID 45 (audit: certificate not from an NTAuth CA) and Event ID 21 (logon blocked) in the System log on the DC to tell which mode the protection is in.
  • NTLM phase-out: Microsoft will ship future Windows releases with NTLM disabled by default (staged through 2026), pushing more authentication onto Kerberos. Expect a larger Kerberos attack surface and stricter EPA/CBT in hardened networks, i.e. fewer NTLM-relay paths and more value in Kerberos-native techniques.
  • Cross-domain RBCD remains powerful: Microsoft Learn documents that resource-based constrained delegation works across domains and forests. A writable msDS-AllowedToActOnBehalfOfOtherIdentity on a resource object still allows S4U2self -> S4U2proxy impersonation to that resource without touching the front-end service's ACLs; the principal granted in the descriptor may live in another domain or forest.
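The check a blue or red teamer wants behind the last two points is "which objects already carry an RBCD descriptor, who is named in it, and who could write one". The PowerShell below is an added example, not code from the original page or from HackTricks; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the DN in the usage line is a placeholder. Identities in the descriptor that resolve only to raw SIDs are typically principals from another domain or forest, which is exactly the cross-domain case above.

```powershell
# Added example (not from the original page): audit RBCD descriptors and who can write them.
# Assumes: RSAT ActiveDirectory module; -Server optional for a DC in another domain/forest.
Import-Module ActiveDirectory

function Get-RbcdTargets {
    param([string]$Server)
    $p = @{
        LDAPFilter = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
        Properties = 'sAMAccountName', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    }
    if ($Server) { $p.Server = $Server }
    Get-ADObject @p | ForEach-Object {
        $raw = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        # The AD module normally hands back an ActiveDirectorySecurity object; also accept raw bytes
        if ($raw -is [byte[]]) {
            $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $sd.SetSecurityDescriptorBinaryForm($raw)
        } else { $sd = $raw }
        # Unresolved SIDs here (S-1-5-21-...) usually mean a principal from another domain/forest
        $who = @($sd.Access | ForEach-Object { $_.IdentityReference.Value })
        [pscustomobject]@{
            Resource     = $_.sAMAccountName
            DN           = $_.DistinguishedName
            AllowedToAct = ($who -join ', ')
        }
    }
}

function Get-RbcdWriters {
    # Who can plant an RBCD descriptor on the object: explicit WriteProperty on the attribute
    # (or on all properties), or GenericWrite/GenericAll/WriteDacl/WriteOwner on the object.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $schema   = (Get-ADRootDSE).schemaNamingContext
    $attrObj  = Get-ADObject -SearchBase $schema -Properties schemaIDGUID `
                    -LDAPFilter '(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)'
    $attrGuid = [guid]::new([byte[]]$attrObj.schemaIDGUID)   # looked up, not hard-coded
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ActiveDirectoryRights -match 'WriteProperty' -and
             ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)) -or
            $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

# Usage (placeholder DN):
Get-RbcdTargets | Format-Table -AutoSize
Get-RbcdWriters -DistinguishedName 'CN=FILESRV01,OU=Servers,DC=corp,DC=local' | Format-Table -AutoSize
```

Get-RbcdWriters is where the offensive value is: any identity it lists (outside the usual Domain Admins/SYSTEM/owner entries) can grant itself S4U2proxy access to that resource. Run Get-RbcdTargets against each trusted domain's DC with -Server to see descriptors that reference principals from your domain.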

Quick tools

  • Rubeus kerberoast (AES is now the default): Rubeus.exe kerberoast /user:svc_sql /aes /nowrap /outfile:tgs.txt returns AES (etype 17/18) hashes; budget GPU time for cracking, or go after users with pre-auth disabled (AS-REP roasting) instead. Rubeus' /rc4opsec option only roasts accounts that do not advertise AES and requests RC4 for those, which is quieter than forcing RC4 everywhere.
  • RC4 downgrade target hunting: find accounts that still advertise RC4 with Get-ADObject -LDAPFilter '(msDS-SupportedEncryptionTypes=4)' -Properties msDS-SupportedEncryptionTypes to spot weak Kerberoast candidates before RC4 is removed for good. Note that =4 only matches RC4-only accounts; to also catch AES+RC4 accounts (e.g. 0x1C) use the bitwise-AND matching rule '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4)', and remember that accounts with the attribute unset fall back to the DC's default encryption types.
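The one-liner above only answers "is the bitmask exactly 4". A practitioner usually wants every SPN-bearing account decoded and ranked: RC4/DES-only, AES+RC4 (downgradable only if the DC still permits RC4), AES-only, and unset (DC default applies). The script below is an added example, not code from the original page or from HackTricks; it assumes the RSAT ActiveDirectory module and uses the bit values from the msDS-SupportedEncryptionTypes definition in MS-KILE.

```powershell
# Added example (not from the original page): decode msDS-SupportedEncryptionTypes for every
# enabled, SPN-bearing account and rank Kerberoast candidates. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE)
$EtypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04   # etype 23, the cheap-to-crack Kerberoast case
    'AES128'      = 0x08   # etype 17
    'AES256'      = 0x10   # etype 18
    'AES256-SK'   = 0x20   # AES256 session-key flag
}

function ConvertFrom-EtypeMask {
    param([int]$Mask)
    if ($Mask -eq 0) { return @('UNSET') }
    @($EtypeBits.GetEnumerator() | Where-Object { ($Mask -band $_.Value) -ne 0 } | ForEach-Object { $_.Key })
}

function Get-KerberoastCandidates {
    # Enabled accounts with at least one SPN; krbtgt and computer objects excluded
    $filter = '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(objectClass=computer))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, servicePrincipalName, msDS-SupportedEncryptionTypes |
    ForEach-Object {
        $mask = [int]$_.'msDS-SupportedEncryptionTypes'    # unset ($null) becomes 0
        $aes  = ($mask -band 0x18) -ne 0
        $rc4  = ($mask -band 0x04) -ne 0
        $verdict =
            if ($mask -eq 0)   { 'UNSET: DC default applies; check DefaultDomainSupportedEncTypes on the DC' }
            elseif (-not $aes) { 'RC4/DES only: etype 23 TGS, cheapest to crack' }
            elseif ($rc4)      { 'AES+RC4: AES TGS by default, RC4 only if the client asks and the DC still allows it' }
            else               { 'AES only: plan GPU time or look at AS-REP roasting instead' }
        [pscustomobject]@{
            Account = $_.sAMAccountName
            Mask    = '0x{0:X2}' -f $mask
            Etypes  = (ConvertFrom-EtypeMask $mask) -join ','
            SPNs    = @($_.servicePrincipalName).Count
            Verdict = $verdict
        }
    }
}

Get-KerberoastCandidates | Sort-Object Verdict, Account | Format-Table -AutoSize
```

The "UNSET" rows are the ones the exact-match filter silently misses: for those the KDC uses its configured default (historically RC4 for user objects), so they are often the best downgrade targets until the DC-side RC4 removal lands.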

