Study Notes

BSD
- FreeBSD
CCTV
Cryptography
- Asymmetric-Encryption
  - RSA
- Encoding
  - Base64
  - URL Encoding
- Hash Functions
  - MD5
- Password Hashing
  - LM Hash
- Symmetric Encryption
  - Block Ciphers
    - AES
    - DES
DIY
- Cantenna
Hardware
macOS
Networking
- Ethernet
- Networking Fundamentals
- Ports
- Protocols
  - Networking Protocol?
  - ARP
  - DHCP
  - DNS
    - DNS Attacks
    - DNS Fundamentals
  - FTP
  - ICMP
  - RTSP
  - SSH
    - (0) What is SSH
    - OpenSSH
  - TCP
  - UDP
- VPN / Proxies
- Wireless
Scripting & Automation
- DQ
- Regular Expression
- Shells
Web Application Security
- HTTP Headers
  - Content Security Policy (CSP)
Windows
- Microsoft Management Console (MMC)
- Windows NT & MS-DOS
- Active Directory
  - AD Fundamentals
  - AD Attacks & Defense
    - AS-REProasting
    - Kerberoasting
  - AD Protocols
    - DNS in AD
    - Kerberos
    - LDAP
    - MSRPC
    - NTLM
  - AD Users
- Powershell
  - cmdlet
    - cmdlet (command-let)
    - cmdlet commands
      - Active Directory
        
        -Properties
        
        Get-ADGroup
        
        Get-ADUser
- Windows Event Logs
  - EventLog & Event Viewer
  - Get-WinEvent

The term Kerberoasting is derived from:

Kerberos (the authentication system used in Active Directory)
The word roasting, a slang term, in security meaning extracting and cracking something offline

What is Kerberoasting

Kerberoasting is a post-exploitation attack targeting Active Directory environments. Specifically service accounts with Service Principal Names (SPNs)

Attacker gains any valid domain user access (no privileges, just a normal domain user)
Requests a Kerberos service ticket (TGS) for a service
Domain Controller returns the ticket encrypted with the service account’s password hash
Extracts the ticket and performs offline cracking to get the plaintext password

The vulnerability exists because:

Kerberos uses symmetric encryption tied to the service account password
The attacker can request encrypted data and attempt to crack it offline without interacting with the domain again