Kerberos

• https://www.roguelynn.com/words/explain-like-im-5-kerberos/

• https://vbscrub.com/2020/05/13/kerberos-protocol-explained/

• https://www.tarlogic.com/en/blog/how-kerberos-works/

• https://www.tarlogic.com/en/blog/how-to-attack-kerberos/

• https://www.tarlogic.com/en/blog/kerberos-iii-how-does-delegation-work/

• https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

• https://habr.com/ru/company/tomhunter/blog/507140/

• https://habr.com/ru/company/tomhunter/blog/509290/

• https://ardent101.github.io/posts/kerberos_theory/

• https://ardent101.github.io/posts/kerberos_general_attacks/

• https://habr.com/ru/articles/803163/

Common Tool Errors - KerberosZephrSec - Adventures In Information Security

Synchronize Time

Using ntpdate:

Using faketime:

Using LDAP:

Describe Tickets

• https://github.com/YossiSassi/Get-KerberosServiceTicketAudit

Using describeTicket.py:

Decrypt KRB5 Traffic

• https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/

• https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7

Kerberos on Linux

• https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory

Check KRB5CCNAME environment variable contents:

Request TGT supplying password:

List available SPNs:

Request TGS for MSSQL service:

Re-using keytab files to load and renew a TGT:

Re-using ccache files:

FreeIPA

• https://tishina.in/ops/freeipa-postexploitation

• https://habr.com/ru/companies/rvision/articles/825086/

A blog series by @n0pe_sled on attacking FreeIPA:

• Building a FreeIPA Lab

• Attacking FreeIPA — Part I Authentication

• Attacking FreeIPA — Part II Enumeration

• Attacking FreeIPA — Part III: Finding A Path

• Attacking FreeIPA — Part IV: CVE-2020–10747

• https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting