
Commit a3686fb

Merge pull request #1869 from HackTricks-wiki/research_update_src_windows-hardening_active-directory-methodology_kerberos-authentication_20260207_023200
Research Update Enhanced src/windows-hardening/active-direct...
2 parents 506b9fd + 8348151 commit a3686fb

1 file changed

Lines changed: 25 additions & 0 deletions

src/windows-hardening/active-directory-methodology/kerberos-authentication.md
@@ -4,4 +4,29 @@
44

55
**Check the amazing post from:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)
66

7+
## TL;DR for attackers
8+
- Kerberos is the default AD auth protocol; most lateral-movement chains will touch it. For hands‑on cheatsheets (AS‑REP/Kerberoasting, ticket forging, delegation abuse, etc.) see:
9+
{{#ref}}
10+
../../network-services-pentesting/pentesting-kerberos-88/README.md
11+
{{#endref}}
12+
13+
## Fresh attack notes (2024‑2026)
14+
- **RC4 finally going away** – Windows Server 2025 DCs no longer issue RC4 TGTs; Microsoft plans to disable RC4 as default for AD DCs by end of Q2 2026. Environments that re‑enable RC4 for legacy apps create downgrade/fast‑crack opportunities for Kerberoasting.
15+
- **PAC validation enforcement (Apr 2025)** – April 2025 updates remove “Compatibility” mode; forged PACs/golden tickets get rejected on patched DCs when enforcement is enabled. Legacy/unpatched DCs remain abusable.
16+
- **CVE‑2025‑26647 (altSecID CBA mapping)** – If DCs are unpatched or left in Audit mode, certificates chained to non‑NTAuth CAs but mapped via SKI/altSecID can still log on. Events 45/21 appear when protections trigger.
17+
- **NTLM phase‑out** – Microsoft will ship future Windows releases with NTLM disabled by default (staged through 2026), pushing more auth to Kerberos. Expect more Kerberos surface area and stricter EPA/CBT in hardened networks.
18+
- **Cross‑domain RBCD remains powerful** – Microsoft Learn notes that resource‑based constrained delegation works across domains/forests; writable `msDS-AllowedToActOnBehalfOfOtherIdentity` on resource objects still allows S4U2self→S4U2proxy impersonation without touching front‑end service ACLs.
19+
20+
## Quick tooling
21+
- **Rubeus kerberoast (AES default)**: `Rubeus.exe kerberoast /user:svc_sql /aes /nowrap /outfile:tgs.txt` — outputs AES hashes; plan for GPU cracking or target pre‑auth disabled users instead.
22+
- **RC4 downgrade target hunting**: enumerate accounts that still advertise RC4 with `Get-ADObject -LDAPFilter '(msDS-SupportedEncryptionTypes=4)' -Properties msDS-SupportedEncryptionTypes` to locate weak kerberoast candidates before RC4 is fully disabled.
23+
24+
25+
26+
## References
27+
- [Microsoft – Beyond RC4 for Windows authentication (RC4 default removal timeline)](https://www.microsoft.com/en-us/windows-server/blog/2025/12/03/beyond-rc4-for-windows-authentication)
28+
- [Microsoft Support – Protections for CVE-2025-26647 Kerberos authentication](https://support.microsoft.com/en-gb/topic/protections-for-cve-2025-26647-kerberos-authentication-5f5d753b-4023-4dd3-b7b7-c8b104933d53)
29+
- [Microsoft Support – PAC validation enforcement timeline](https://support.microsoft.com/en-us/topic/how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1)
30+
- [Microsoft Learn – Kerberos constrained delegation overview (cross-domain RBCD)](https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview)
31+
- [Windows Central – NTLM deprecation roadmap](https://www.windowscentral.com/microsoft/windows/microsoft-plans-to-bury-its-ntlm-security-relic-after-30-years)
732
{{#include ../../banners/hacktricks-training.md}}
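Review bot: the LDAP filter in the "RC4 downgrade target hunting" bullet under "Quick tooling", `(msDS-SupportedEncryptionTypes=4)`, only matches accounts whose attribute value is exactly 4 (RC4_HMAC alone); `msDS-SupportedEncryptionTypes` is a bitmask, so accounts that advertise RC4 next to AES (e.g. 28 = RC4 + AES128 + AES256) are silently missed, and so are accounts where the attribute is unset and the domain default applies. Suggest the bitwise-AND matching rule, `(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4)`, optionally OR'd with `(!(msDS-SupportedEncryptionTypes=*))` for the unset case, and AND'd with `(servicePrincipalName=*)` so the result set is actually Kerberoastable rather than every object that tolerates RC4. Minor: the Rubeus bullet's "target pre-auth disabled users instead" names no technique; that is AS-REP roasting, which the cheatsheet `{{#ref}}` in "TL;DR for attackers" already covers, so a word or link there would keep the two attacks from being conflated.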
