Kerberos Authentication
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Check the great post from: https://www.tarlogic.com/en/blog/how-kerberos-works/
Quick summary for hackers
- Kerberos is the default AD auth protocol; most lateral-movement chains will run into it. For practical cheatsheets (AS-REP/Kerberoasting, ticket forging, delegation abuse, etc.) see: 88tcp/udp - Pentesting Kerberos
Recent attack notes (2024-2026)
- RC4 is finally going away – Windows Server 2025 DCs no longer issue RC4 TGTs; Microsoft plans to disable RC4 by default on AD DCs by the end of Q2 2026. Environments that re-enable RC4 for legacy applications offer downgrade / fast-cracking opportunities for Kerberoasting.
- PAC validation enforcement (Apr 2025) – The April 2025 updates remove "Compatibility" mode; forged PACs/golden tickets are rejected on patched DCs once enforcement is enabled. Old/unpatched DCs can still be exploited.
- CVE-2025-26647 (altSecID CBA mapping) – If DCs are unpatched or left in Audit mode, certificates chained to non-NTAuth CAs but mapped via SKI/altSecID can still log on. Events 45/21 appear once the protections are enforced.
- NTLM phase-out – Microsoft will ship upcoming Windows releases with NTLM disabled by default (enforced through 2026), pushing more authentication onto Kerberos. Expect a larger Kerberos footprint and strict EPA/CBT in hardened networks.
- Cross-domain RBCD is still powerful – Microsoft Learn shows that resource-based constrained delegation works across domains/forests; a writable msDS-AllowedToActOnBehalfOfOtherIdentity on resource objects still allows S4U2self→S4U2proxy impersonation without touching the front-end service ACLs.
Quick tooling
- Rubeus kerberoast (AES default):
  Rubeus.exe kerberoast /user:svc_sql /aes /nowrap /outfile:tgs.txt
  Outputs AES hashes; plan GPU cracking or target users with pre-auth disabled instead.
- RC4 downgrade target hunting: list the accounts that still advertise RC4 with
  Get-ADObject -LDAPFilter '(msDS-SupportedEncryptionTypes=4)' -Properties msDS-SupportedEncryptionTypes
  to find weak Kerberoast candidates before RC4 is removed entirely.
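As an added, defender-side example (not from HackTricks or the tools it cites): a Python triage of msDS-SupportedEncryptionTypes values that goes beyond the exact-match (=4) filter above by decoding the bit flags, so accounts that are RC4-only, RC4-capable, DES-legacy or unset can be remediated before RC4 stops being offered by default. The flag values are the documented MS-KILE ones; the account names and their values are constructed.

```python
# Bit flags of msDS-SupportedEncryptionTypes (values as documented in MS-KILE).
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC = 0x01, 0x02, 0x04
AES128_CTS, AES256_CTS = 0x08, 0x10
AES256_SK = 0x20  # AES256 for session keys only, understood by newer DCs
FLAG_NAMES = [
    (DES_CBC_CRC, "DES-CBC-CRC"), (DES_CBC_MD5, "DES-CBC-MD5"),
    (RC4_HMAC, "RC4-HMAC"), (AES128_CTS, "AES128-CTS-HMAC-SHA1-96"),
    (AES256_CTS, "AES256-CTS-HMAC-SHA1-96"), (AES256_SK, "AES256-SK"),
]
AES_MASK = AES128_CTS | AES256_CTS
DES_MASK = DES_CBC_CRC | DES_CBC_MD5

def decode(value):
    """Names of the encryption types enabled in a flag value (None/0 -> [])."""
    return [name for bit, name in FLAG_NAMES if (value or 0) & bit]

def classify(value):
    """Rank an account's Kerberos etype exposure."""
    if not value:
        return "unset"  # attribute absent or 0: the DC-wide default decides
    if value & RC4_HMAC and not value & AES_MASK:
        return "rc4-only"  # what the page's (msDS-SupportedEncryptionTypes=4) hunt finds
    if value & RC4_HMAC:
        return "rc4-allowed"  # AES present, but RC4 still negotiable
    if value & DES_MASK:
        return "des-legacy"
    return "aes-only"

SEVERITY = {"rc4-only": 0, "des-legacy": 1, "unset": 2, "rc4-allowed": 3, "aes-only": 4}

def triage(accounts):
    """accounts: {sAMAccountName: flag value or None}; findings, weakest first."""
    rows = [(name, classify(v), decode(v)) for name, v in accounts.items()]
    return sorted((r for r in rows if r[1] != "aes-only"),
                  key=lambda r: (SEVERITY[r[1]], r[0]))

# Constructed sample, shaped like an export of the page's Get-ADObject query.
SAMPLE = {
    "svc_sql": 0x04,     # RC4 only: top Kerberoast candidate
    "svc_legacy": 0x07,  # DES + RC4, no AES
    "svc_web": 0x1C,     # RC4 + AES: downgrade still negotiable
    "svc_backup": 0x18,  # AES only: not reported
    "svc_unset": None,   # attribute not populated
}

if __name__ == "__main__":
    for name, level, etypes in triage(SAMPLE):
        print(f"{level:<12} {name:<12} {', '.join(etypes) or '(none)'}")
```

Accounts reported as rc4-only or unset are the ones to fix (set AES flags and rotate the password so AES keys exist) before the default change, since the exact-match filter misses values such as 0x07.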
References
- Microsoft – Beyond RC4 for Windows authentication (RC4 default removal timeline)
- Microsoft Support – Protections for CVE-2025-26647 Kerberos authentication
- Microsoft Support – PAC validation enforcement timeline
- Microsoft Learn – Kerberos constrained delegation overview (cross-domain RBCD)
- Windows Central – NTLM deprecation roadmap