Describe Active Directory
Active Directory (AD) is Microsoft's directory service for Windows domain networks. It stores users, computers, groups, policies and other objects in a replicated, LDAP-accessible database, and its domain controllers provide authentication (Kerberos, with NTLM as fallback) and authorization for resources within the domain.
Describe Kerberoasting
Kerberoasting is an attack on service accounts in Active Directory. Any authenticated domain user can ask the KDC for a service ticket (TGS) for any account that has a Service Principal Name (SPN), and the KDC encrypts that ticket with the service account's long-term key, which for the RC4 etype is the account's NT hash. The attacker saves the ticket and cracks the password offline (hashcat mode 13100, John's krb5tgs format) with no further contact with the domain, so lockout policies do not apply. Practical targets are user accounts with SPNs and human-chosen passwords; computer accounts and gMSAs have long random passwords and are not worth attempting.
What is the most basic unit of data in Active Directory.
The object
What is a sub-domain takeover?
A subdomain takeover occurs when a DNS record for a subdomain (typically a CNAME) still points at an external resource, such as a cloud storage bucket, hosted app or CDN endpoint, that has been deleted or released. An attacker who can register that resource name with the provider then serves content under the victim's subdomain, inheriting its cookies, origin trust and reputation for phishing or session theft.
Describe the Kerbrute tool and its functionalities.
Kerbrute is an open-source tool (written in Go) for enumerating and brute-forcing accounts through Kerberos pre-authentication. Its commands are userenum (username enumeration), passwordspray (one password against many users) and bruteuser / bruteforce (many passwords against one user, or user:password pairs). Enumeration works by sending an AS-REQ without pre-authentication data: the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for a non-existent user and KDC_ERR_PREAUTH_REQUIRED for a real one, which confirms valid usernames without producing a failed-logon (4625) event. Password guesses do count against the lockout policy and appear as 4771 (Kerberos pre-authentication failed) on the DC. Kerbrute does not extract or crack tickets; that is what Rubeus or impacket's GetUserSPNs.py are for.
How does Kerberos authentication work in Active Directory?
Kerberos uses a trusted third party, the Key Distribution Center (KDC), which runs on every domain controller, and three exchanges. AS exchange: the client sends an AS-REQ with pre-authentication (a timestamp encrypted with a key derived from the user's password); the KDC replies with a Ticket-Granting Ticket (TGT) encrypted with the krbtgt account's key and a session key encrypted for the user. TGS exchange: to reach a service the client sends the TGT, an authenticator and the target SPN in a TGS-REQ; the KDC replies with a service ticket encrypted with the service account's key. AP exchange: the client presents the service ticket and a fresh authenticator to the service, which decrypts the ticket with its own key, without contacting the KDC, and reads the user's identity and group SIDs from the PAC inside it.
How is Kerberos more secure than NTLM authentication?
Kerberos authenticates through a trusted third party (the KDC) and issues time-limited tickets bound to a specific service, whereas NTLM is a challenge-response exchange keyed on the user's NT hash. That gives Kerberos three advantages: a captured NTLM response can be relayed to another server or cracked offline, while a Kerberos ticket is only usable for the SPN it was issued for and expires; Kerberos supports mutual authentication, so the client also verifies the server; and Kerberos uses AES (RC4 can be disabled), whereas NTLM rests on MD4 and MD5. Kerberos has its own attacks (Kerberoasting, AS-REP roasting, forged tickets), and Windows falls back to NTLM whenever Kerberos cannot be used, for example when a resource is addressed by IP address instead of a name with an SPN.
How do you mitigate the risk of Kerberoasting?
Make the tickets uncrackable and the targets unattractive. Use group Managed Service Accounts (gMSA) so the password is long, random and rotated automatically; where an ordinary account must hold an SPN, give it a long random password (25+ characters) and rotate it. Remove SPNs from accounts that do not need them and keep service accounts out of privileged groups, so a cracked password does not hand over Domain Admin. Set msDS-SupportedEncryptionTypes to AES only, so the KDC stops issuing RC4 (etype 23) tickets for the account, which are the fast ones to crack. Detect it: alert on event 4769 with TicketEncryptionType 0x17, and on a single account requesting tickets for many service accounts within a short window; an unused account with an SPN works as a cheap honeypot.
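The detection part of the answer above, as an added example (not code from the original page): the logic runs over constructed event 4769 records and flags accounts that obtained RC4 tickets for several distinct, non-computer service accounts in a short window, plus any RC4 ticket issued for a service the defender knows is AES-capable. The field names, timestamps and the set of AES-capable services are assumptions for the demo; on a real estate the records come from the Security log and the AES-capable set from msDS-SupportedEncryptionTypes.

```python
from collections import defaultdict

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP in the 4769 TicketEncryptionType field

# Constructed 4769 records ("A Kerberos service ticket was requested"). "service" is the
# ServiceName field, i.e. the account that owns the SPN; computer accounts end in "$".
SAMPLE_4769 = [
    {"ts": 100,  "account": "jdoe@CORP.LOCAL",    "service": "svc_sql",  "etype": "0x17", "status": "0x0"},
    {"ts": 101,  "account": "jdoe@CORP.LOCAL",    "service": "svc_http", "etype": "0x17", "status": "0x0"},
    {"ts": 102,  "account": "jdoe@CORP.LOCAL",    "service": "svc_bak",  "etype": "0x17", "status": "0x0"},
    {"ts": 103,  "account": "jdoe@CORP.LOCAL",    "service": "WS01$",    "etype": "0x17", "status": "0x0"},
    {"ts": 104,  "account": "jdoe@CORP.LOCAL",    "service": "krbtgt",   "etype": "0x12", "status": "0x0"},
    {"ts": 100,  "account": "svc_app@CORP.LOCAL", "service": "svc_sql",  "etype": "0x12", "status": "0x0"},
    {"ts": 500,  "account": "asmith@CORP.LOCAL",  "service": "svc_sql",  "etype": "0x17", "status": "0x0"},
    {"ts": 9000, "account": "asmith@CORP.LOCAL",  "service": "svc_http", "etype": "0x17", "status": "0x0"},
]

def kerberoast_suspects(events, window_seconds=300, min_distinct_services=3):
    """Accounts that pulled RC4 tickets for several distinct crackable service accounts
    within one window: the trace a Rubeus kerberoast / GetUserSPNs.py run leaves behind."""
    per_account = defaultdict(list)
    for e in events:
        if e["status"] != "0x0" or e["etype"] not in RC4_ETYPES:
            continue
        if e["service"].endswith("$") or e["service"].lower() == "krbtgt":
            continue  # machine accounts and krbtgt have random keys; not crackable targets
        per_account[e["account"]].append(e)
    suspects = {}
    for account, evs in per_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide a window over this account's requests
            services = {e["service"] for e in evs[i:] if e["ts"] - first["ts"] <= window_seconds}
            if len(services) >= min_distinct_services:
                suspects[account] = sorted(services)
                break
    return suspects

def rc4_for_aes_capable(events, aes_capable_services):
    """RC4 tickets for services that support AES: a client asked for RC4 on purpose,
    which normal Windows clients do not do once the account is AES-capable."""
    return [(e["account"], e["service"]) for e in events
            if e["etype"] in RC4_ETYPES and e["service"] in aes_capable_services]
```

Tune the window and threshold to the environment; legitimate batch jobs that touch many SPNs at start-up are the usual false positive, and they can be allow-listed by account.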
Describe Managed Service Accounts (MSAs) in Active Directory.
Managed Service Accounts (standalone MSAs and, since Windows Server 2012, group Managed Service Accounts, gMSAs) are accounts whose password AD generates itself (240 bytes of random data) and rotates automatically, every 30 days by default. They cannot be used for interactive logon and no human ever knows the password, so a service ticket issued for a gMSA is not practically crackable, which is why they are the standard Kerberoasting mitigation. The password is not secret from everyone, though: the gMSA's msDS-ManagedPassword attribute can be read over LDAP by any principal listed in PrincipalsAllowedToRetrieveManagedPassword, and on a host that runs the service it is cached in LSA secrets, where a local administrator can recover it (for example with mimikatz's lsadump::secrets). Over-broad retrieval rights and compromised member hosts are therefore the weak points to check.
How does Responder work?
Responder poisons local name resolution. When a Windows host cannot resolve a name through DNS (a mistyped share name, a stale drive mapping, a WPAD lookup), it falls back to LLMNR, NBT-NS and mDNS broadcasts on the subnet; Responder answers those queries claiming the name belongs to the attacker's IP. The victim then connects to Responder's rogue SMB, HTTP, LDAP, FTP or other listeners, which demand NTLM authentication, and Responder captures the NetNTLMv1/v2 challenge-response (not the NT hash itself) for offline cracking, or hands the connection to ntlmrelayx for relaying. Disabling LLMNR and NetBIOS name resolution by GPO and turning off WPAD auto-detection removes the trigger.
How does NTLM Relaying work?
In an NTLM relay the attacker sits between a victim that authenticates with NTLM and a target that accepts the same credentials, typically using Responder or a coercion technique to obtain the victim's connection and ntlmrelayx to relay it. NTLM is a challenge-response exchange: the attacker forwards the target's challenge to the victim and the victim's response back to the target, so the target sees a valid response for the victim's account and the attacker is authenticated as that user without ever learning the password or its hash. The relay fails when the target requires SMB signing, LDAP signing or channel binding / Extended Protection for Authentication, because producing signatures or binding to the TLS channel needs the session key, which only the victim and the target can derive. SMB relay is therefore only possible where signing is not enforced (the default on member servers; domain controllers require it), and HTTP(S) and LDAP(S) endpoints are common targets when they accept NTLM without those protections.
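The exchange described above, as an added example that is not part of the original page: the victim computes a NetNTLMv2 response (MS-NLMP NTOWFv2 and NTProofStr) to whatever challenge it is handed, a relay forwards the target's challenge to the victim and the victim's response to the target, and the target accepts it as the victim. The second half shows why signing stops the relay: the session base key is derived from NTOWFv2, which the relay never sees, so it cannot sign its first message. The victim, its NT hash (that of the password "password"), the server names and the SMB message are constructed for the demo; SMB signing is modelled as an HMAC-MD5 over the first message rather than the real dialect-specific signing key derivation.

```python
import hmac
import os
import struct
import time
from hashlib import md5

# Constructed victim; the NT hash is MD4(UTF-16LE("password")), a well-known value.
VICTIM = {"user": "alice", "domain": "CORP",
          "nt_hash": bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")}
# Minimal AV_PAIR list: MsvAvNbDomainName "CORP" followed by MsvAvEOL (constructed).
TARGET_INFO = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00\x00\x00\x00"

def ntowf_v2(nt_hash, user, domain):
    # MS-NLMP 3.3.2: NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(UPPER(user) || domain)).
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), md5).digest()

def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge):
    # temp = RespType, HiRespType, 6 reserved, FILETIME, client challenge, 4 reserved,
    #        AV pairs, 4 reserved;  NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || temp)
    filetime = struct.pack("<Q", int(time.time() * 10_000_000) + 116_444_736_000_000_000)
    temp = (b"\x01\x01" + b"\x00" * 6 + filetime + client_challenge + b"\x00" * 4
            + TARGET_INFO + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, md5).digest()
    session_base_key = hmac.new(key, nt_proof, md5).digest()  # needs NTOWFv2: relay lacks it
    return nt_proof + temp, session_base_key

class Server:
    """Relay target (file server, DC LDAP, ...) that holds the victim's NT hash."""
    def __init__(self, accounts, require_signing):
        self.accounts, self.require_signing, self.challenge = accounts, require_signing, None

    def challenge_message(self):
        self.challenge = os.urandom(8)  # ServerChallenge from CHALLENGE_MESSAGE
        return self.challenge

    def authenticate(self, user, domain, nt_response, first_message, signature):
        nt_proof, temp = nt_response[:16], nt_response[16:]
        key = ntowf_v2(self.accounts[user], user, domain)
        if not hmac.compare_digest(hmac.new(key, self.challenge + temp, md5).digest(), nt_proof):
            return "auth failed"
        if self.require_signing:  # simplified model of SMB/LDAP signing enforcement
            sbk = hmac.new(key, nt_proof, md5).digest()
            expected = hmac.new(sbk, first_message, md5).digest()
            if signature is None or not hmac.compare_digest(expected, signature):
                return "rejected: session not signed with the real session key"
        return f"authenticated as {domain}\\{user}"

def victim_answers(server_challenge):
    # What a poisoned or coerced victim does with any CHALLENGE it receives. Only the
    # response leaves the victim; the session base key stays with it.
    response, _ = ntlmv2_response(VICTIM["nt_hash"], VICTIM["user"], VICTIM["domain"],
                                  server_challenge, os.urandom(8))
    return response

def relay_attack(target: Server):
    # ntlmrelayx-style relay: target's challenge -> victim, victim's response -> target,
    # then try to use the session without being able to sign.
    response = victim_answers(target.challenge_message())
    first_message = b"SMB2 TREE_CONNECT \\\\fs01\\C$"  # constructed
    return target.authenticate(VICTIM["user"], VICTIM["domain"], response, first_message, None)

def legitimate_client(target: Server):
    # The real client derives the session base key itself and can sign.
    response, sbk = ntlmv2_response(VICTIM["nt_hash"], VICTIM["user"], VICTIM["domain"],
                                    target.challenge_message(), os.urandom(8))
    first_message = b"SMB2 TREE_CONNECT \\\\fs01\\home"  # constructed
    signature = hmac.new(sbk, first_message, md5).digest()
    return target.authenticate(VICTIM["user"], VICTIM["domain"], response, first_message, signature)
```

Run relay_attack against Server(..., require_signing=False) and it authenticates as CORP\alice; against Server(..., require_signing=True) the same relayed response is accepted but the session is rejected, which is exactly the difference between a member server with default settings and a domain controller.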
Describe the difference between TCP and UDP.
TCP is a connection-oriented protocol that uses a three-way handshake (SYN, SYN-ACK, ACK) to establish a session and then acknowledges, retransmits and orders segments so that communication is reliable.
UDP is a connectionless protocol that sends datagrams without a handshake or acknowledgements, prioritizing speed and low overhead over reliability.
In short, TCP is reliable and ensures ordered, complete delivery, while UDP is faster but doesn't guarantee delivery or order.
Silver Ticket
In Active Directory, a Silver Ticket is a forged service ticket (TGS) created with the long-term key of the service account (its NT hash or AES key), for example the computer account's hash for CIFS or HOST on that machine, obtained from a compromised host or a Kerberoasted service password. Because the service decrypts the ticket with its own key and does not ask the domain controller, the attacker can write any user name and any group SIDs into the ticket's PAC (typically a Domain Admin) and the service accepts it, but only for that SPN on that host. No TGS-REQ reaches the DC, so there is no 4769 event for the ticket, which makes silver tickets quieter than golden ones; enforcing PAC validation against the DC is the main control.
Golden Ticket
In Active Directory, a Golden Ticket is a forged Ticket-Granting Ticket (TGT) encrypted with the key of the krbtgt account (its NT hash or AES key), usually obtained by DCSync or from a copy of NTDS.dit. With that key the attacker can mint TGTs for any user, with any group SIDs and any lifetime, and every domain controller will accept them and issue service tickets for any resource in the domain.
It’s the “holy grail” of Active Directory persistence because the attacker holds the same key the KDC uses to protect TGTs, so the forged ticket is indistinguishable from a real one and no password reset on any user account affects it. Only resetting the krbtgt password twice, so that the old key drops out of the password history, invalidates golden tickets, and that has to be scheduled carefully so legitimate tickets are not broken.
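The three Kerberos exchanges, the silver ticket and the golden ticket from the cards above, modelled in one added example (not code from the original page). Tickets are represented as JSON sealed with an HMAC under the relevant long-term key instead of real RC4/AES encryption; that is enough to show the property both forgeries exploit, namely that whoever holds a key can produce tickets under it. The realm, users, SPN and keys are constructed, the KDC counts TGS requests in place of event 4769, and PAC signatures and validation are left out of the model.

```python
import hmac
import json
import os
import time
from hashlib import sha256

TEN_HOURS = 36000  # default TGT lifetime in AD

def seal(key: bytes, fields: dict) -> str:
    # Stand-in for an encrypted ticket part: only a holder of `key` can produce or
    # check it. Real Kerberos encrypts with RC4-HMAC or AES; an HMAC seal is enough here.
    body = json.dumps(fields, sort_keys=True)
    return body + "|" + hmac.new(key, body.encode(), sha256).hexdigest()

def unseal(key: bytes, blob: str) -> dict:
    body, tag = blob.rsplit("|", 1)
    if not hmac.compare_digest(hmac.new(key, body.encode(), sha256).hexdigest(), tag):
        raise PermissionError("not produced with this key")
    fields = json.loads(body)
    if fields.get("endtime", float("inf")) < time.time():
        raise PermissionError("ticket expired")
    return fields

def authenticator(session_key: bytes) -> str:
    return seal(session_key, {"ts": time.time()})  # proves possession of the session key

class KDC:
    def __init__(self, user_keys, service_keys, groups):
        self.krbtgt_key = os.urandom(32)  # what DCSync of krbtgt hands an attacker
        self.user_keys, self.service_keys, self.groups = user_keys, service_keys, groups
        self.tgs_requests = 0             # each one would be a 4769 on a real DC

    def as_exchange(self, user, preauth):
        # AS-REQ/AS-REP: pre-auth proves the user's long-term key; the reply is a TGT
        # sealed with krbtgt's key plus the session key sealed with the user's key.
        unseal(self.user_keys[user], preauth)
        session = os.urandom(16).hex()
        tgt = seal(self.krbtgt_key, {"cname": user, "groups": self.groups[user],
                                      "session": session, "endtime": time.time() + TEN_HOURS})
        return tgt, seal(self.user_keys[user], {"session": session})

    def tgs_exchange(self, tgt, auth, spn):
        # TGS-REQ/TGS-REP: the KDC trusts whatever the TGT says because only krbtgt's
        # key could have sealed it; it copies cname and groups into the service ticket.
        self.tgs_requests += 1
        t = unseal(self.krbtgt_key, tgt)
        unseal(bytes.fromhex(t["session"]), auth)
        svc_session = os.urandom(16).hex()
        ticket = seal(self.service_keys[spn], {"cname": t["cname"], "groups": t["groups"],
                                               "session": svc_session, "endtime": t["endtime"]})
        return ticket, seal(bytes.fromhex(t["session"]), {"session": svc_session})

def ap_exchange(service_key, ticket, auth):
    # AP-REQ: the service opens the ticket with its own key and checks the
    # authenticator under the session key inside it. The KDC is not consulted.
    t = unseal(service_key, ticket)
    unseal(bytes.fromhex(t["session"]), auth)
    return t["cname"], t["groups"]

def legitimate_access(kdc, user, user_key, spn, service_key):
    tgt, rep = kdc.as_exchange(user, authenticator(user_key))
    session = bytes.fromhex(unseal(user_key, rep)["session"])
    ticket, rep2 = kdc.tgs_exchange(tgt, authenticator(session), spn)
    svc_session = bytes.fromhex(unseal(session, rep2)["session"])
    return ap_exchange(service_key, ticket, authenticator(svc_session))

def forge_silver(service_key, user, groups):
    # Silver ticket: with the service account's key the attacker seals a service
    # ticket itself, choosing cname and groups, and never contacts the KDC.
    session = os.urandom(16)
    ticket = seal(service_key, {"cname": user, "groups": groups,
                                "session": session.hex(), "endtime": time.time() + TEN_HOURS})
    return ticket, authenticator(session)

def forge_golden(krbtgt_key, user, groups, lifetime=10 * 365 * 86400):
    # Golden ticket: with krbtgt's key the attacker seals a TGT with any identity
    # and lifetime; the KDC then issues service tickets for any SPN from it.
    session = os.urandom(16)
    tgt = seal(krbtgt_key, {"cname": user, "groups": groups,
                            "session": session.hex(), "endtime": time.time() + lifetime})
    return tgt, session

def demo():
    spn = "cifs/fs01.corp.local"
    alice_key, fs01_key = os.urandom(32), os.urandom(32)  # constructed long-term keys
    kdc = KDC({"alice": alice_key}, {spn: fs01_key}, {"alice": ["Domain Users"]})
    legit = legitimate_access(kdc, "alice", alice_key, spn, fs01_key)
    ticket, auth = forge_silver(fs01_key, "Administrator", ["Domain Admins"])
    silver = ap_exchange(fs01_key, ticket, auth)  # the DC never sees this one
    tgt, session = forge_golden(kdc.krbtgt_key, "Administrator", ["Domain Admins"])
    ticket, rep = kdc.tgs_exchange(tgt, authenticator(session), spn)
    svc_session = bytes.fromhex(unseal(session, rep)["session"])
    golden = ap_exchange(fs01_key, ticket, authenticator(svc_session))
    return {"legit": legit, "silver": silver, "golden": golden,
            "tgs_requests_seen_by_kdc": kdc.tgs_requests}
```

demo() returns the identity each service call saw: alice as herself, then "Administrator" in Domain Admins twice, once from the silver ticket and once from the golden one, while the KDC only counted two TGS requests (alice's and the golden ticket's); the silver ticket left no trace on it.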