Talking about the Kerberos protocol

## Kerberos protocol: a network authentication protocol based on a trusted third party.
To understand the Kerberos protocol, you first need to know the following terms:
- KDC (Key Distribution Center): the key distribution center; it contains the AS and the TGS.
- AS (Authentication Service): proves to the client that client A really is A; it does not decide what A is authorized to do.
- TGT (Ticket Granting Ticket): the ticket granted by the authentication service, used for identity authentication; it is kept in memory and its default validity period is 10 hours (a forged TGT is the "golden ticket").
- TGS (Ticket Granting Server): the ticket granting service; the ticket it issues is also called a TGS ticket or service ticket (a forged one is the "silver ticket").
- TGS ticket: the ticket the KDC uses to distribute a session key to A and B.
- Client A first exchanges with the KDC's AS for a TGT, then takes the TGT to the TGS in exchange for a service ticket (TGS ticket).
- Kerberos itself does not authenticate permissions, so the PAC (Privilege Attribute Certificate) was added. The PAC needs to carry the user's SID and the SIDs of the groups the user belongs to.

Then look at the picture to explain. This picture is from Freebuf. If there is infringement, it can be deleted.
[Figure: Kerberos protocol flow diagram (source: Freebuf)]
Many descriptions on the Internet are not long, but they are very hard to understand. Below is my brief explanation (personal understanding) of the Kerberos protocol; it helps if you can read the English in the protocol flow shown in the figure above.

1. The client sends a request to the AS (a timestamp encrypted with the client hash, the client ID, and so on). The AS returns session key 1 encrypted with the client hash, together with a TGT encrypted with the hash of the domain's krbtgt account, which only the domain controller holds.
2. The client uses session key 1 to encrypt an Authenticator (timestamp, client identity information, etc.) and sends it together with the TGT to the TGS. The TGS decrypts the TGT; once authentication succeeds it generates key 2 encrypted with the server hash, plus the client ID, key 2 and server identity information encrypted with key 1.
3. The client sends an Authenticator encrypted with key 2, together with key 2 encrypted with the server hash (the service ticket), to the server.

Then there are golden tickets and silver tickets:
Golden Ticket: a forged TGT; with it you can obtain permissions for any Kerberos service.
Silver Ticket: a forged TGS ticket; with it you can only access the specified server.
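The three exchanges described above, and the reason a forged TGT must be sealed with the krbtgt key while a forged service ticket only opens at the one service whose key sealed it, modelled as an added Python example (not code from the original post). The account names, the "hash" values and the toy encrypt-then-MAC scheme standing in for Kerberos' real encryption types are all constructed assumptions.

```python
import hashlib, hmac, json, os, time

# Constructed toy long-term keys; in a real domain these are the account password hashes.
KEYS = {"alice": "alice-hash", "krbtgt": "kdc-hash",
        "cifs/fs01": "fs01-hash", "http/web01": "web01-hash"}
LIFETIME = 10 * 3600  # the 10-hour default TGT validity mentioned above

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    """Toy encrypt-then-MAC (assumption, not a real Kerberos enctype): nonce || ct || tag."""
    k, nonce, data = key.encode(), os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(k, nonce, len(data))))
    return nonce + ct + hmac.new(k, nonce + ct, "sha256").digest()

def unseal(key, blob):
    k, nonce, ct, tag = key.encode(), blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(k, nonce, len(ct)))))

def as_exchange(client, client_key):
    """AS-REQ/AS-REP: timestamp under the client key proves identity; reply = key 1 + TGT."""
    req = seal(client_key, {"cname": client, "ts": time.time()})
    pre = unseal(KEYS[client], req)                      # KDC: only the stored client key opens this
    if abs(time.time() - pre["ts"]) > 300:
        raise ValueError("timestamp outside the allowed clock skew")
    sk1 = os.urandom(16).hex()
    tgt = seal(KEYS["krbtgt"], {"cname": client, "sk": sk1, "exp": time.time() + LIFETIME})
    return unseal(client_key, seal(KEYS[client], {"sk": sk1}))["sk"], tgt

def tgs_exchange(client, sk1, tgt, service):
    """TGS-REQ/TGS-REP: authenticator under key 1 plus the TGT; reply = key 2 + service ticket."""
    auth = seal(sk1, {"cname": client, "ts": time.time()})
    t = unseal(KEYS["krbtgt"], tgt)                      # KDC trusts a TGT only if krbtgt's key opens it
    a = unseal(t["sk"], auth)                            # authenticator must be under the TGT's session key
    if a["cname"] != t["cname"] or time.time() > t["exp"]:
        raise ValueError("TGT rejected")
    sk2 = os.urandom(16).hex()
    st = seal(KEYS[service], {"cname": client, "sk": sk2, "sname": service})
    return unseal(sk1, seal(t["sk"], {"sk": sk2, "sname": service}))["sk"], st

def ap_exchange(client, sk2, st, service):
    """AP-REQ: authenticator under key 2 plus the service ticket; the service needs only its own key."""
    auth = seal(sk2, {"cname": client, "ts": time.time()})
    t = unseal(KEYS[service], st)                        # the service never asks the KDC: its hash decides
    return unseal(t["sk"], auth)["cname"] == t["cname"]
```

Because the service validates a ticket with nothing but its own key, detection of forged tickets has to come from the KDC side (no matching TGS-REQ) rather than from the service itself.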

Here are some commands for collecting information in domain penetration:
- net config workstation: check whether there is a domain environment
- net time /domain: query the domain time synchronisation; the output shows the full name of the domain controller
- net user /domain: query all users in the domain
- net user username /domain: query whether the user is a domain administrator; membership of the Domain Admins group means domain administrator rights
- whoami /user: query the domain user's SID; the domain controller assigns different SIDs to different computers
- IP lookup: target IP and domain server IP (port 53, port 389)


```bat
###################################
# Collect domain information
net view                                        // get the computer names in the current group
net view /domain                                // list all domains
ping -n 1 [computer name] -4                    // get the IP address from a computer name
net user /domain                                // list the user names in the domain
net group /domain                               // list the domain group names
net group "Domain Admins" /domain               // query the administrators
net group "Domain controllers" /domain          // query the domain controllers
net group "Domain Computers" /domain            // query all computer names
net config Workstation                          // show current computer name, full name, user name, OS version, workstation domain, logon domain
net group "Domain controllers"                  // show the domain controllers

net user admin Ad123test /add /domain           // add an ordinary domain user
net group "Domain Admins" admin /add /domain    // promote to domain administrator
###################################
```

Origin blog.csdn.net/weixin_45682070/article/details/106337762