Module 15

Question 1

What is the default domain authentication protocol in Windows since Server 2000, replacing NTLM?

Answer 1

Kerberos.

Question 2

What central, trusted server authenticates principals in a Kerberos system?

Answer 2

The Key Distribution Center (KDC).

Question 3

In a Windows domain, what server role acts as the Kerberos Key Distribution Center (KDC)?

Answer 3

The domain controllers.

Question 4

What are the three sub-components of the Key Distribution Center (KDC)?

Answer 4

A principal database, an Authentication Server (AS), and a Ticket Granting Server (TGS).

Question 5

What is a Ticket Granting Ticket (TGT)?

Answer 5

A ticket provided to a principal by the Authentication Server (AS) after identity verification, used to request service tickets without re-entering a password.

Question 6

What uniquely identifies each service instance in Kerberos?

Answer 6

A Service Principal Name (SPN).

Question 7

What is the typical format of a Service Principal Name (SPN)?

Answer 7

class/instance:port.

Question 8

How does a principal request access to a service using Kerberos after obtaining a TGT?

Answer 8

It requests a service ticket from the Ticket Granting Server (TGS) component of the KDC.

Question 9

What is another colloquial name for a Kerberos ‘service ticket’?

Answer 9

A TGS ticket or ticket granting service ticket.

Question 10

What is a Privileged Attribute Certificate (PAC)?

Answer 10

A structure attached to a Kerberos ticket containing additional information about a principal, such as group memberships and user rights.

Question 11

What is the primary benefit of a service using the information within a PAC?

Answer 11

The service can determine a user’s privileges without needing to query Active Directory, which improves network performance.

Question 12

What message does a client send to the KDC to request a new TGT?

Answer 12

A Kerberos Authentication Service Request (AS-REQ).

Question 13

What is the target service’s name when a client requests a Ticket Granting Ticket (TGT)?

Answer 13

krbtgt.

Question 14

What is the most common pre-authentication mechanism used by a Kerberos client in an AS-REQ?

Answer 14

An encrypted timestamp, where the current time is encrypted with a hash derived from the principal’s password.

Question 15

After a successful pre-authentication, what message does the KDC send back to the client?

Answer 15

An Authentication Service Reply (AS-REP).

Question 16

The part of an AS-REP message that contains a copy of the logon session key encrypted with the principal’s secret is called the _____.

Answer 16

EncASRepPart.

Question 17

The Kerberos attack known as AS-REP Roasting involves cracking which part of the AS-REP message?

Answer 17

The EncASRepPart, to recover the user’s plaintext password.

Question 18

What is the purpose of the ‘authenticator’ included in a TGS-REQ message?

Answer 18

It proves the TGS-REQ is from the genuine principal, as it is encrypted with the logon session key that is never transmitted in the clear.

Question 19

With what key does a client encrypt the ‘authenticator’ in a TGS-REQ message?

Answer 19

The principal’s current logon session key.

Question 20

Upon receiving a TGS-REQ, what must the KDC decrypt first to recover the logon session key and validate the request?

Answer 20

The Ticket Granting Ticket (TGT), using the krbtgt account’s hash.

Question 21

The Kerberos attack known as ‘Kerberoasting’ involves cracking which part of the TGS-REP message?

Answer 21

The EncTicketPart of the service ticket, which is encrypted with the service account’s secret.

Question 22

What two items does a client use to access a service in the final Client/Server Authentication Exchange?

Answer 22

The service ticket and the associated service session key.

Question 23

The final authentication messages (AP-REQ/AP-REP) are embedded inside the underlying service protocol, facilitated by what mechanism on Windows?

Answer 23

The Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO).

Question 24

What is the purpose of mutual authentication in the client/server exchange?

Answer 24

It proves to the client that it is communicating with the legitimate service, as only that service can decrypt the authenticator and correctly respond.

Question 25

What is Kerberos 'delegation'?

Answer 25

A feature that allows one principal (a service) to request access to resources on behalf of another principal (a user).

Question 26

What is the oldest and most dangerous type of Kerberos delegation?

Answer 26

Unconstrained Delegation.

Question 27

How is Unconstrained Delegation enabled on a computer object's UserAccountControl attribute?

Answer 27

By setting the TRUSTED_FOR_DELEGATION flag.

Question 28

What type of Kerberos ticket does a client send to a service that is configured for unconstrained delegation?

Answer 28

A copy of the user's Ticket Granting Ticket (TGT).

Question 29

What is the main security risk of compromising a computer configured for unconstrained delegation?

Answer 29

An adversary can extract cached TGTs from memory and use them to access any service in the domain as those users.

Question 30

What Rubeus command can be used to capture TGTs as users authenticate to a service on a compromised host?

Answer 30

The `monitor` command.

Question 31

What two Kerberos extensions, introduced in Server 2003, form the basis of constrained delegation?

Answer 31

Service for User to Proxy (S4U2proxy) and Service for User to Self (S4U2self).

Question 32

Which S4U extension allows a service to obtain a service ticket on behalf of a user to a *different* service?

Answer 32

Service for User to Proxy (S4U2proxy).

Question 33

Which S4U extension allows a service to obtain a service ticket on behalf of a user to *itself*?

Answer 33

Service for User to Self (S4U2self).

Question 34

What is the term for using S4U2self when a user authenticates to a service with a protocol other than Kerberos?

Answer 34

Protocol Transition.

Question 35

Constrained delegation is configured via the _____ attribute of a computer object, which lists the SPNs it can delegate to.

Answer 35

msDS-AllowedToDelegateTo.

Question 36

What UserAccountControl flag must be set on a computer object to enable protocol transition for constrained delegation?

Answer 36

TRUSTED_TO_AUTH_FOR_DELEGATION.

Question 37

When attacking constrained delegation with protocol transition enabled, what can an adversary do?

Answer 37

Impersonate any user in the domain to request a service ticket for the allowed back-end service.

Question 38

When attacking constrained delegation without protocol transition, what is required to perform an S4U2proxy request?

Answer 38

An adversary must obtain a service ticket that a user has legitimately requested for the front-end service.

Question 39

In the Rubeus `s4u` command, what is the purpose of the `/impersonateuser` parameter?

Answer 39

It specifies the user account to impersonate, used when protocol transition is enabled.

Question 40

In the Rubeus `s4u` command, what is the purpose of the `/tgs` parameter?

Answer 40

It provides a captured front-end service ticket for a user, used when protocol transition is not enabled.

Question 41

What is the 'Service Name Substitution' technique in Kerberos?

Answer 41

An attack where an adversary overwrites the unencrypted Service Principal Name (SPN) field in a valid service ticket with another SPN.

Question 42

What is the primary condition for the Service Name Substitution attack to work?

Answer 42

Both the original and the substituted services must be running under the context of the same account.

Question 43

In Rubeus, which parameter is used to perform Service Name Substitution during an S4U attack?

Answer 43

The `/altservice` parameter.

Question 44

What type of Kerberos ticket is required to access remote filesystems via the SMB protocol?

Answer 44

A CIFS service ticket.

Question 45

What type of Kerberos ticket is required to use Windows Remote Management (WinRM)?

Answer 45

An HTTP service ticket.

Question 46

What type of Kerberos ticket is required to access Remote Desktop Protocol (RDP)?

Answer 46

A TERMSRV or HOST service ticket.

Question 47

What technique can be used to force a computer, like a domain controller, to authenticate to an attacker-controlled machine?

Answer 47

A remote authentication trigger, such as SpoolSample or PetitPotam.

Question 48

Why does obtaining a computer account's TGT not immediately grant an attacker administrative access to that computer?

Answer 48

Because computer accounts do not have remote administrative access to themselves by default.

Question 49

What is the technique to gain control of a computer after capturing its TGT?

Answer 49

Use S4U2self to obtain a service ticket for an impersonated user (like Administrator) to a service on that same computer.

Question 50

In the Rubeus `s4u` command, what does the `/self` parameter do?

Answer 50

It tells Rubeus to perform an S4U2self request but not a subsequent S4U2proxy request, used for the computer takeover technique.

Question 51

The S4U2self computer takeover combines S4U2self with what other Kerberos attack technique?

Answer 51

Service Name Substitution (using the `/altservice` parameter).

Question 52

What is Resource-Based Constrained Delegation (RBCD)?

Answer 52

A form of delegation where the back-end service controls which front-end services can delegate to it.

Question 53

Which Active Directory attribute is used to configure Resource-Based Constrained Delegation (RBCD)?

Answer 53

The `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute on the back-end service's account.

Question 54

What is the main administrative benefit of RBCD over traditional constrained delegation?

Answer 54

It puts delegation control in the hands of the back-end service administrators, who no longer need the `SeEnableDelegationPrivilege` right.

Question 55

What are the two conditions an adversary must meet to abuse RBCD for computer takeover?

Answer 55

1. Write access to the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of a computer. 2. Control of another principal that has an SPN set.

Question 56

In an RBCD attack, what is the purpose of performing an S4U2self request?

Answer 56

To get a service ticket for an impersonated user (e.g., Administrator) to the attacker-controlled principal.

Question 57

In an RBCD attack, what is the purpose of performing an S4U2proxy request?

Answer 57

To use the ticket from S4U2self to obtain a service ticket for the target computer (the back-end service) as the impersonated user.

Question 58

What is the default value for the `msDS-MachineAccountQuota` attribute in Active Directory?

Answer 58

10, meaning a standard domain user can create up to 10 computer accounts.

Question 59

How can an attacker fulfill the 'principal with an SPN' requirement for an RBCD attack if they lack other credentials?

Answer 59

By creating a new computer account in the domain, leveraging the default `msDS-MachineAccountQuota`.

Question 60

What is the PowerShell cmdlet used to set the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute for RBCD?

Answer 60

`Set-ADComputer` with the `-PrincipalsAllowedToDelegateToAccount` parameter.

Question 61

In the Kerberos authentication flow, what key is used to encrypt the TGT?

Answer 61

The KDC's secret, which is the password hash of the `krbtgt` account.

Question 62

What information does the KDC include from the TGT when creating a service ticket?

Answer 62

It includes a copy of the Privileged Attribute Certificate (PAC) from the TGT into the new service ticket by default.

Question 63

What key is used to encrypt a service ticket's `EncTicketPart`?

Answer 63

The secret (password hash) of the service account to which the SPN is associated.

Question 64

In a TGS-REP, what key is used to encrypt the service session key for the client's use?

Answer 64

The client's logon session key from the original AS exchange.

Question 65

What is the GUID for the `ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity` attribute, used for finding RBCD abuse primitives?

Answer 65

3f78c3e5-f79a-46bd-a0b8-9d18116ddc79.

Question 66

A service ticket for which protocol is needed to run a binary via the Service Control Manager using PsExec?

Answer 66

CIFS.

Question 67

To execute applications on a remote target using WMI, what service ticket(s) would be required?

Answer 67

RPCSS, HOST, and/or RestrictedKrbHost.