Getting passwords when kerberos pre-auth IS enabled

After getting a lot of positive feedback on my video about how GetNPUsers.py takes advantage of kerberos pre-auth being disabled, I thought I’d take a look at an attack path we can use when pre-auth is not disabled.

It does require you to have a network packet capture of a legit authentication request from the machine, but I still think its worth knowing about so I wrote a blog post on it here:

EDIT: Just uploaded a video on this topic as well:

1 Like

Nice post! I like how you mentioned this as an alternative to Pre-Auth being disabled, since you mentioned it is incredibly rare to see Pre-Auth disabled in real life. I don’t know enough about Kerberos to know if it can be encrypted when doing Auths, but if not, this is a relatively straightforward method to potentially get some easy passwords. Quick and interesting read :slight_smile:

@N0tAC0p thanks :slight_smile: glad to hear that

Nice share - thanks!

Made a video on it for those that don’t like reading :wink:

A lot of valuable information in this video, as well as the others! Thank you @VbScrub

No problem :slight_smile: more coming soon