Another set of more sophisticated attacks that have been observed more recently is the abuse of Microsoft Kerberos vulnerabilities in an active directory environment. A successful attack leads the attackers to compromise domain controllers and then escalate privilege to enterprise admin and schema admin using the Kerberos implementation.
The following are the typical steps involved when a user logs on with a username and password in a Kerberos-based environment.
- A user's password is converted into an NTLM hash with a timestamp and is then sent over to the Kerberos Key Distribution Center (KDC).
- Domain controller checks the user information and creates a Ticket-Granting ticket (TGT).
- This TGT can only be accessed by the Kerberos service (KRBTGT).
- The TGT is then passed on to the domain controller from the user to request...
