Another set of more sophisticated (and more recent) attacks is the abuse of Microsoft Kerberos vulnerabilities in an Active Directory environment. A successful attack leads to attackers compromising domain controllers and then escalating the privilege to the enterprise admin-and schema admin-level using the Kerberos implementation.
The following are typical steps when a user logs on with a username and password in a Kerberos-based environment:
- User's password is converted into an NTLM hash with a timestamp and then it is sent over to the Key Distribution Center (KDC).
- Domain controller checks the user information and creates a (Ticket-Granting Ticket (TGT).
- This TGT can be accessed only by Kerberos service (KRBTGT).
- The TGT is then passed on to the domain controller from the user to request a Ticket...