Hacktricks-skills kerberos-authentication
Kerberos authentication analysis and attack methodology for Active Directory environments. Use this skill whenever the user mentions Kerberos, AD authentication, ticket-based auth, Kerberoasting, AS-REP roasting, delegation abuse, golden tickets, or any Kerberos-related security testing. Trigger for pentesting scenarios, security assessments, or when analyzing AD authentication flows.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/windows-hardening/active-directory-methodology/kerberos-authentication/SKILL.MD
Kerberos Authentication
A comprehensive guide to Kerberos authentication in Active Directory environments, including attack methodologies, tooling, and recent security developments.
Overview
Kerberos is the default authentication protocol in Active Directory. Most lateral movement chains in AD environments will interact with Kerberos at some point. Understanding Kerberos is essential for security assessments and penetration testing.
Key Concepts
Authentication Flow
- TGT (Ticket Granting Ticket): Issued by the KDC's Authentication Service (AS-REQ/AS-REP) once the client proves knowledge of its key, normally via pre-authentication; encrypted with the krbtgt account's key
- Service ticket (TGS-REQ/TGS-REP): Requested from the Ticket Granting Service by presenting the TGT; encrypted with the target service account's key, which is the part Kerberoasting cracks offline
- PAC (Privilege Attribute Certificate): Authorization data embedded in the ticket (user SID, group memberships, UAC flags), signed with the service key and the krbtgt key
- S4U2self/S4U2proxy: Service for User extensions behind constrained and resource-based delegation; S4U2self obtains a ticket to the service itself on behalf of an arbitrary user, S4U2proxy exchanges it for a ticket to a back-end service
Attack Vectors
Kerberoasting
- Target accounts (typically user accounts, not computer accounts) that have an SPN set; any authenticated domain principal can request service tickets for them
- Request the service tickets (TGS-REP) and crack the service-key-encrypted portion offline (hashcat 13100 for RC4/etype 23, 19600/19700 for AES128/AES256)
- With RC4 being phased out, tickets increasingly come back AES-encrypted (etype 17/18), which cracks orders of magnitude slower than RC4 (etype 23); prioritize accounts that still advertise RC4 and request RC4 explicitly where the KDC permits the downgrade
AS-REP Roasting
- Target accounts with "Do not require Kerberos preauthentication" set (userAccountControl bit 0x400000, DONT_REQ_PREAUTH)
- Send an AS-REQ without pre-auth data; the AS-REP's encrypted part is keyed with the user's password hash and cracks offline (hashcat 18200 for etype 23)
Golden Ticket Attacks
- Forge TGTs (including the PAC) using the krbtgt account's key, obtained from a DC (e.g. DCSync or an NTDS dump)
- Note: PAC validation enforcement (April 2025) rejects PACs whose signatures do not verify on patched DCs; a ticket forged with the genuine krbtgt key still carries valid signatures, so the mitigation for that case remains rotating krbtgt (twice) and detecting anomalous TGT use
Delegation Abuse
- RBCD (Resource-Based Constrained Delegation): Works across domains/forests
- Write access to msDS-AllowedToActOnBehalfOfOtherIdentity on the resource object is sufficient
- Chain S4U2self → S4U2proxy for impersonation
Fresh Attack Notes (2024-2026)
RC4 Deprecation
- Windows Server 2025 DCs no longer issue RC4 TGTs by default
- Microsoft plans to disable RC4 as default for AD DCs by end of Q2 2026
- Environments re-enabling RC4 for legacy apps create downgrade/fast-crack opportunities
- Action: Hunt for RC4-enabled accounts before full deprecation
PAC Validation Enforcement
- April 2025 updates removed "Compatibility" mode, so patched DCs and servers always validate PAC signatures
- PACs whose signatures do not verify are rejected; a golden ticket forged with the real krbtgt key still validates, so that scenario is addressed by krbtgt rotation and detection rather than by this enforcement
- Legacy/unpatched DCs remain abusable
CVE-2025-26647 (altSecurityIdentities certificate mapping)
- On unpatched DCs, or patched DCs still in Audit mode, a certificate that chains to a CA outside the NTAuth store can still log on through an explicit SKI/altSecurityIdentities mapping
- The KDC logs Event 45 when a certificate would be rejected under enforcement (audit) and Event 21 when the logon is actually refused (enforcement)
NTLM Phase-Out
- Future Windows releases ship with NTLM disabled by default (staged through 2026)
- More authentication surface moves to Kerberos
- Expect stricter EPA/CBT in hardened networks
Cross-Domain RBCD
- Resource-based constrained delegation works across domains/forests
- Writable msDS-AllowedToActOnBehalfOfOtherIdentity on the resource object enables S4U2self → S4U2proxy impersonation
- Does not require touching the front-end service's ACLs
Tooling
Rubeus
Kerberoasting (requesting AES tickets):
Rubeus.exe kerberoast /user:svc_sql /aes /nowrap /outfile:tgs.txt
- Outputs AES hashes ($krb5tgs$17$ / $krb5tgs$18$) in hashcat format; /nowrap keeps each hash on one line
- Plan for GPU cracking, or target pre-auth disabled users (AS-REP roasting) instead
RC4 Downgrade Target Hunting:
Get-ADObject -LDAPFilter '(&(servicePrincipalName=*)(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=4))' -Properties msDS-SupportedEncryptionTypes,servicePrincipalName
- The bitwise-OR matching rule (1.2.840.113556.1.4.804) matches any account whose value includes the RC4 bit (4), e.g. 28 = RC4+AES128+AES256; a plain equality filter on 4 only finds RC4-only accounts
- Accounts with the attribute unset fall back to the DC's default encryption types and need a separate check
- Locate weak Kerberoast candidates before RC4 is fully disabled
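The LDAP filter above only finds the accounts; deciding which ones are worth roasting first means decoding the msDS-SupportedEncryptionTypes bit flags for each. The following is an added example (not part of the original skill or of Rubeus) that decodes the flag value, classifies SPN accounts as RC4-only, RC4-enabled, AES-only or unset, and ranks them weakest first. The account names and flag values in SAMPLE_ACCOUNTS are constructed sample data, and the bit values follow the documented msDS-SupportedEncryptionTypes flags.

```python
"""Decode msDS-SupportedEncryptionTypes and rank Kerberoast candidates.

Added example, not part of the original skill. The LDAP records below are
constructed sample data (account names and values are assumptions).
"""

# Bit flags of msDS-SupportedEncryptionTypes
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

ETYPE_NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC",
    AES128_CTS_HMAC_SHA1_96: "AES128-CTS-HMAC-SHA1-96",
    AES256_CTS_HMAC_SHA1_96: "AES256-CTS-HMAC-SHA1-96",
}

# LDAP_MATCHING_RULE_BIT_OR: matches any value with the RC4 bit set
# (4, 28, 31 ...), unlike an equality filter, which only matches 4.
RC4_BIT_OR_FILTER = (
    "(&(servicePrincipalName=*)"
    "(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=4))"
)


def decode_etypes(value):
    """Return the encryption type names enabled by a flag value."""
    if value is None:
        return []
    return [name for bit, name in ETYPE_NAMES.items() if value & bit]


def classify_account(record):
    """Classify one account dict (sAMAccountName, servicePrincipalName list,
    msDS-SupportedEncryptionTypes int or None).

    Returns 'no-spn', 'unset', 'rc4-only', 'rc4-enabled' or 'aes-only'.
    """
    if not record.get("servicePrincipalName"):
        return "no-spn"          # nothing to Kerberoast
    value = record.get("msDS-SupportedEncryptionTypes")
    if value is None or value == 0:
        # Attribute absent: the DC applies its domain default, so review
        # rather than assume (historically RC4; recent DCs default to AES).
        return "unset"
    weak = value & (RC4_HMAC | DES_CBC_CRC | DES_CBC_MD5)
    aes = value & (AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96)
    if weak and not aes:
        return "rc4-only"
    if weak:
        return "rc4-enabled"     # etype 23 downgrade possible if the KDC allows it
    return "aes-only"


PRIORITY = {"rc4-only": 0, "rc4-enabled": 1, "unset": 2, "aes-only": 3}


def rank_candidates(records):
    """Return (name, class, etype names) tuples, weakest first; no-spn excluded."""
    rows = []
    for rec in records:
        cls = classify_account(rec)
        if cls == "no-spn":
            continue
        rows.append((rec["sAMAccountName"], cls,
                     decode_etypes(rec.get("msDS-SupportedEncryptionTypes"))))
    return sorted(rows, key=lambda row: (PRIORITY[row[1]], row[0]))


# Constructed sample data (assumed names/values, not from a real directory)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": 4},
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": 28},
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/bk01.corp.local"],
     "msDS-SupportedEncryptionTypes": 24},
    {"sAMAccountName": "svc_legacy", "servicePrincipalName": ["CIFS/old01.corp.local"],
     "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "jdoe", "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": 24},
]

if __name__ == "__main__":
    for name, cls, etypes in rank_candidates(SAMPLE_ACCOUNTS):
        print(f"{name:12} {cls:12} {', '.join(etypes) or '(unset)'}")
```

Feed it the output of the Get-ADObject query (exported as JSON, for instance) and the rc4-only and rc4-enabled rows are the accounts to roast with RC4 before the downgrade window closes; unset rows need a look at the domain default before assuming either way.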
Additional Tools
- Impacket suite (GetUserSPNs.py, ticketer.py)
- Mimikatz (kerberos::golden, kerberos::list)
- Rubeus (comprehensive Kerberos tooling)
Detection & Defense
Monitoring
- Watch for KDC Event IDs 45/21 (CVE-2025-26647 protections in audit and enforcement mode respectively)
- Monitor for unusual service ticket requests: Event 4769 with ticket encryption type 0x17 (RC4) against user accounts with SPNs, especially many distinct SPNs from one client in a short window
- Monitor Event 4768 with pre-authentication type 0 (AS-REP roasting against accounts without pre-auth)
- Track PAC validation failures
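The Kerberoasting and AS-REP roasting attack vectors above, seen from the defender's side: the following is an added example (not part of the original skill) of the detection logic run over constructed Security log records. It flags one client requesting RC4/DES-encrypted service tickets for several user accounts with SPNs (4769) and any successful TGT issuance without pre-authentication (4768 with PreAuthType 0). The event dicts in SAMPLE_EVENTS mirror the field names of the real events but are constructed sample data, and the threshold is an assumption to tune per environment.

```python
"""Flag Kerberoasting and AS-REP roasting patterns in Windows security events.

Added example, not part of the original skill. The events below are
constructed sample records shaped like the key fields of Security log
events 4768 (TGT request) and 4769 (service ticket request).
"""
from collections import defaultdict

RC4_ETYPES = {0x17, 0x18}           # RC4-HMAC, RC4-HMAC-EXP
DES_ETYPES = {0x01, 0x03}           # DES-CBC-CRC, DES-CBC-MD5
WEAK_ETYPES = RC4_ETYPES | DES_ETYPES
SPRAY_THRESHOLD = 3                 # distinct SPN accounts from one client (assumed)


def is_roastable_service(service_name):
    """Tickets for krbtgt or computer accounts ($) are normal traffic;
    user accounts carrying SPNs are what Kerberoasting requests."""
    name = service_name.split("/")[0].lower()
    return name != "krbtgt" and not name.endswith("$")


def analyze_events(events):
    """Return a dict of findings keyed by client IP.

    Each event is a dict with EventID (int), TargetUserName, ServiceName,
    TicketEncryptionType (hex string such as '0x17'), PreAuthType (string,
    4768 only), IpAddress and Status (hex string).
    """
    weak_tgs = defaultdict(set)   # ip -> service accounts requested with a weak etype
    asrep = defaultdict(set)      # ip -> accounts issued a TGT without pre-auth
    for ev in events:
        if ev.get("Status", "0x0") != "0x0":
            continue              # failed requests yield nothing to crack
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        if ev["EventID"] == 4769:
            if etype in WEAK_ETYPES and is_roastable_service(ev["ServiceName"]):
                weak_tgs[ev["IpAddress"]].add(ev["ServiceName"].split("/")[0])
        elif ev["EventID"] == 4768:
            # PreAuthType 0 means no pre-authentication was required, so the
            # AS-REP's encrypted part (user key) can be cracked offline.
            if ev.get("PreAuthType") == "0":
                asrep[ev["IpAddress"]].add(ev["TargetUserName"])

    findings = {}
    for ip, services in weak_tgs.items():
        if len(services) >= SPRAY_THRESHOLD:
            findings.setdefault(ip, []).append(
                f"kerberoast: {len(services)} weak-etype service tickets "
                f"({', '.join(sorted(services))})")
    for ip, users in asrep.items():
        findings.setdefault(ip, []).append(
            f"asrep-roast: pre-auth-less TGT for {', '.join(sorted(users))}")
    return findings


# Constructed sample events (assumed values, not from a real log)
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.77", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "10.0.0.50",
     "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "asmith", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "10.0.0.77",
     "Status": "0x0"},
]

if __name__ == "__main__":
    for ip, notes in analyze_events(SAMPLE_EVENTS).items():
        for note in notes:
            print(ip, note)
```

The single AES ticket for svc_sql from 10.0.0.77 is deliberately not flagged: a lone AES request to one service is ordinary traffic, and alerting on it would drown the RC4 spray that matters. As RC4 is retired, the etype filter becomes less useful and the per-client SPN fan-out count carries more of the detection.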
Hardening
- Disable RC4 encryption types
- Enable PAC validation enforcement
- Patch DCs for CVE-2025-26647
- Audit msDS-AllowedToActOnBehalfOfOtherIdentity attributes
- Implement strict SPN management
References
- Microsoft – Beyond RC4 for Windows authentication
- Microsoft Support – Protections for CVE-2025-26647
- Microsoft Support – PAC validation enforcement timeline
- Microsoft Learn – Kerberos constrained delegation overview
- Windows Central – NTLM deprecation roadmap
- Tarlogic – How Kerberos Works
Usage Notes
- This skill is for authorized security testing and educational purposes only
- Always have proper authorization before testing Kerberos in any environment
- Understand the legal and ethical implications of Kerberos attack techniques
- Use in conjunction with proper AD pentesting methodologies