watching the watchdog protecting kerberos · kdc waza 1234/ user1 des_cbc_md5 f8fd987fa7153185...
TRANSCRIPT
![Page 1: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/1.jpg)
Tal Be’ery, Sr. Security Research Mgr.Michael Cherny, Sr. Security Researcher
Watching the WatchdogProtecting Kerberos
![Page 2: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/2.jpg)
![Page 3: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/3.jpg)
![Page 4: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/4.jpg)
![Page 5: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/5.jpg)
![Page 6: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/6.jpg)
Therefore, attackers must attack the Kerberosprotocol!
![Page 7: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/7.jpg)
waza1234/
des_cbc_md5 f8fd987fa7153185
LSASS (kerberos)
rc4_hmac_nt(NTLM/md4)
cc36cf7a8514893efccd332446158b1a
aes128_hmac8451bb37aa6d7ce3d2a5c2d24d317af3
aes256_hmac
1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2
566ce74a7f25b
KDC
KDC
TGT
TGS
③ TGS-REQ (Server)
④ TGS-REP
⑤ UsageUser
Server
![Page 8: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/8.jpg)
![Page 9: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/9.jpg)
![Page 10: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/10.jpg)
![Page 11: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/11.jpg)
![Page 12: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/12.jpg)
![Page 13: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/13.jpg)
![Page 14: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/14.jpg)
![Page 15: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/15.jpg)
![Page 16: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/16.jpg)
![Page 17: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/17.jpg)
admin123
![Page 18: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/18.jpg)
![Page 19: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/19.jpg)
wrongpassword
![Page 20: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/20.jpg)
![Page 21: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/21.jpg)
P@$$w0rd1
![Page 22: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/22.jpg)
![Page 23: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/23.jpg)
https://twitter.com/gentilkiwi/status/556246876505509888
![Page 24: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/24.jpg)
waza1234/
des_cbc_md5 f8fd987fa7153185
LSASS (kerberos)
rc4_hmac_nt(NTLM/md4)
cc36cf7a8514893efccd332446158b1a
aes128_hmac8451bb37aa6d7ce3d2a5c2d24d317af3
aes256_hmac
1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2
566ce74a7f25b
KDC
KDC
TGT
TGS
③ TGS-REQ (Server)
④ TGS-REP
⑤ UsageUser
Server
![Page 25: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/25.jpg)
KDC
waza1234/
User1
des_cbc_md5 f8fd987fa7153185
LSASS (kerberos)
rc4_hmac_nt(NTLM/md4)
cc36cf7a8514893efccd332446158b1a
aes128_hmac8451bb37aa6d7ce3d2a5c2d24d317af3
aes256_hmac
1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2
566ce74a7f25b
user rc4_hmac_nt
aes256_hmac
Joe 21321… 543..
user1 cc36cf7a…
1a7ddc…
Doe
TGT
![Page 26: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/26.jpg)
![Page 27: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/27.jpg)
RC4-HMAC does not have any!
RC4-HMAC does not have any!https://commons.wikimedia.org/wiki/File:Jodsalz_mit_Fluor_und_Folsaeure.jpg
![Page 28: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/28.jpg)
![Page 29: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/29.jpg)
![Page 30: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/30.jpg)
KDC
User1
des_cbc_md5
LSASS (kerberos)
rc4_hmac_nt(NTLM/md4)
aes128_hmac
aes256_hmac
user rc4_hmac_nt
aes256_hmac
Joe 21321… 543..
user1 cc36cf7… 1a7dd…
![Page 31: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/31.jpg)
KDC
User1
des_cbc_md5
LSASS (kerberos)
rc4_hmac_nt(NTLM/md4)
aes128_hmac
aes256_hmac
user rc4_hmac_nt
aes256_hmac
Joe 21321…
ffe34d…
543df..
user1 cc36cf…
ffe34d…
1a7dd…
TGT
ff687678....
Skeleton
![Page 32: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/32.jpg)
![Page 33: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/33.jpg)
![Page 34: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/34.jpg)
![Page 35: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/35.jpg)
https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
![Page 36: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/36.jpg)
![Page 37: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/37.jpg)
![Page 38: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/38.jpg)
waza1234/
des_cbc_md5 f8fd987fa7153185
LSASS (kerberos)
rc4_hmac_nt(NTLM/md4)
cc36cf7a8514893efccd332446158b1a
aes128_hmac8451bb37aa6d7ce3d2a5c2d24d317af3
aes256_hmac
1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2
566ce74a7f25b
KDC
KDC
TGT
TGS
③ TGS-REQ (Server)
④ TGS-REP
⑤ UsageUser
Server
![Page 39: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/39.jpg)
Username : AdministratorDomain SIDS-1-5-21-4014832156-2573456389-2040062157User ID500 AdministratorGroups ID512 Domain Admins519 Enterprise Admins518 Schema Admins…
PAC (in TGT)
CHECKSUM_SRV – HMAC_SHA1 - krbtgt3f..
CHECKSUM_KDC – HMAC_MD5 - krbtgtB6..
https://commons.wikimedia.org/wiki/File:Identification_card_JAPAN.jpg
![Page 40: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/40.jpg)
waza1234/
des_cbc_md5 f8fd987fa7153185
LSASS (kerberos)
rc4_hmac_nt(NTLM/md4)
cc36cf7a8514893efccd332446158b1a
aes128_hmac8451bb37aa6d7ce3d2a5c2d24d317af3
aes256_hmac
1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2
566ce74a7f25b
KDC
KDC
TGT
TGS
③ TGS-REQ (Server)
④ TGS-REP
⑤ UsageUser
Server
PAC
PAC
PAC
![Page 41: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/41.jpg)
https://commons.wikimedia.org/wiki/File:MAC.svg
![Page 42: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/42.jpg)
Username : AdministratorDomain SIDS-1-5-21-4014832156-2573456389-2040062157User ID500 AdministratorGroups ID512 Domain Admins519 Enterprise Admins518 Schema Admins…
PAC (in TGT)
CHECKSUM_SRV – HMAC_SHA1 - krbtgt3f..
CHECKSUM_KDC – HMAC_MD5 - krbtgtB6..
![Page 43: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/43.jpg)
![Page 44: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/44.jpg)
Krbtgtkey,
Ticket details
LSASS
(Kerberos)
KDC
TGT
TGS
③ TGS-REQ (Server)
④ TGS-REP
⑤ UsageAttacker
Server
TGT
Exploit
(Mimikatz)
AD
![Page 45: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/45.jpg)
![Page 46: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/46.jpg)
![Page 47: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/47.jpg)
![Page 48: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/48.jpg)
![Page 49: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/49.jpg)
![Page 50: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/50.jpg)
![Page 51: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/51.jpg)
Username : AdministratorDomain SIDS-1-5-21-4014832156-2573456389-2040062157User ID500 AdministratorGroups ID512 Domain Admins519 Enterprise Admins518 Schema Admins…
PAC (in TGT)
CHECKSUM_SRV – HMAC_SHA1 - krbtgt3f..
CHECKSUM_KDC – HMAC_MD5 - krbtgtB6..
https://commons.wikimedia.org/wiki/File:Identification_card_JAPAN.jpg
![Page 52: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/52.jpg)
waza1234/
des_cbc_md5 f8fd987fa7153185
LSASS (kerberos)
rc4_hmac_nt(NTLM/md4)
cc36cf7a8514893efccd332446158b1a
aes128_hmac8451bb37aa6d7ce3d2a5c2d24d317af3
aes256_hmac
1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2
566ce74a7f25b
KDC
KDC
TGT
TGS
③ TGS-REQ (Server)
④ TGS-REP
⑤ UsageUser
Server
PAC
PAC
PAC
![Page 53: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/53.jpg)
Username : AdministratorDomain SIDS-1-5-21-4014832156-2573456389-2040062157User ID500 AdministratorGroups ID512 Domain Admins519 Enterprise Admins518 Schema Admins…
PAC (in Service Ticket)
CHECKSUM_SRV – HMAC_SHA1 – CIFS/Server2a..
CHECKSUM_KDC – HMAC_MD5 - krbtgt56..
Username : AdministratorDomain SIDS-1-5-21-4014832156-2573456389-2040062157User ID500 AdministratorGroups ID512 Domain Admins519 Enterprise Admins518 Schema Admins…
PAC (in TGT)
CHECKSUM_SRV – HMAC_SHA1 - krbtgt3f..
CHECKSUM_KDC – HMAC_MD5 - krbtgtB6..
![Page 54: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/54.jpg)
https://commons.wikimedia.org/wiki/File:MAC.svg
![Page 55: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/55.jpg)
![Page 56: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/56.jpg)
![Page 57: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/57.jpg)
KDC
KDC
TGT
TGS
③ TGS-REQ (server)
④ TGS-REP
⑤ Usage
Server
waza1234/
UserExploit
PAC
PAC
PAC
![Page 58: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/58.jpg)
![Page 59: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/59.jpg)
KDC
KDC
TGT
‘TGT’
③ TGS-REQ (KRBTGT)
④ TGS-REP
pUsage
Server
waza1234/
UserExploit
PAC
PAC
PAC
KDC
TGS
nTGS-REQ (Server)
oTGS-REPPAC
![Page 60: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/60.jpg)
Username : AdministratorDomain SIDS-1-5-21-4014832156-2573456389-2040062157User ID500 AdministratorGroups ID512 Domain Admins519 Enterprise Admins518 Schema Admins…
PAC (in Service Ticket)
CHECKSUM_SRV – HMAC_SHA1 –CIFS/Server2a..
CHECKSUM_KDC – HMAC_MD5 - krbtgt56..
Username : AdministratorDomain SIDS-1-5-21-4014832156-2573456389-2040062157User ID500 AdministratorGroups ID512 Domain Admins519 Enterprise Admins518 Schema Admins…
PAC (in “TGT”)
CHECKSUM_SRV – MD5 – no key3f..
CHECKSUM_KDC – MD5 – no keyB6..
![Page 61: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/61.jpg)
![Page 62: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/62.jpg)
![Page 63: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/63.jpg)
![Page 64: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/64.jpg)
![Page 65: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/65.jpg)
Diamond Photograph courtesy of the U.S. Geological Survey
![Page 66: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/66.jpg)
![Page 67: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/67.jpg)
KDC
KDC
TGT
‘TGT’
③ TGS-REQ (KRBTGT)
④ TGS-REP
pUsage
Server
waza1234/
UserExploit
PAC
PAC
KDC
TGS
nTGS-REQ (Server)
oTGS-REP
ExploitPAC
PAC
PAC
PAC
![Page 68: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/68.jpg)
![Page 69: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/69.jpg)
![Page 70: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/70.jpg)
![Page 71: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/71.jpg)
![Page 72: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/72.jpg)
![Page 73: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/73.jpg)
![Page 74: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/74.jpg)
![Page 75: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/75.jpg)
stealing
forge
![Page 76: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/76.jpg)
https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics
![Page 77: Watching the Watchdog Protecting Kerberos · KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac](https://reader034.vdocuments.us/reader034/viewer/2022050421/5f90de54f482392a7e2b5900/html5/thumbnails/77.jpg)