> For the complete documentation index, see [llms.txt](https://docs.0xrushi.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.0xrushi.xyz/protocols/kerberos.md).

# Kerberos

Kerberos is a **network authentication protocol** designed to provide strong authentication for client-server applications using **secret-key cryptography**

## How it works think like this

* You Buy a ticket (Authenication once)
* That ticket let's you in domain venue (Domain resources)
* You show your ticket at different area (Different resources )
* Security doesn't check your identity everytime its just your ticket

Kerberos uses port 88(Udp/tcp)

* Ticket based authentication
* Required time sync 5 min tolerence is there

## Core components

#### 1 . Key distribution centre (KDC) : the brain of kerberos runs on domain controlller

It has two jobs :

* Authentication service (AS) : Gives you initial access TGT
* Ticket granting service (TGS) : Gives you ticket to access a specific service

#### 2. Principals

Anyone/anything that can authenticate:

* **Users**: `john@CORP.LOCAL`
* **Services**: `HTTP/webserver.corp.local`
* **Computers**: `WORKSTATION01$`

### How it actually works :

* User logs in with username and password
* password is hashed and used to encrypt current timestamp (Proof you know the password)
* Send it to KDC : "Hey i am rushi , Here is the proof"
* KDC validates and sends back :
  * TGT(Encrypted with KRBTGT Hash - you can't read it )
  * Session key (Encrypted with your password hash - you can decrypt it )\*

**TGT Properties:**

* Valid for **10 hours** by default
* Stored in your computer's memory (LSASS process)
* Contains your **PAC** (all your group memberships) - this has your SID and all your group memberships
* Can be **renewed** for up to 7 days
* Your session key

**Service Ticket :**\
**What happens :**

* You want to access the Sql server\*
* Send to KDC : "Here is my TGT , I want to access the mssql server"
* KDC check your tgt and responds:
* Service ticket : (Encrypted with mssql service accound hash)\*
* Service session key (Encrypted with your TGT session key)

  **Service Ticket Properties:**
* Specific to ONE service only
* Encrypted with **service account's password hash**  (Kerberoasting target!)
* Contains your PAC (authorization info)
* Valid for 10 hours

#### Access Service

**What happens:**

1. Send Service Ticket to SQL Server
2. SQL decrypts it with its own password hash
3. SQL reads your PAC to see what groups you're in
4. SQL grants access based on permissions

**Important:** Service **should** validate your PAC with the DC, but many don't (performance reasons). This enables **Silver Ticket** attacks.

## Tickets Explained

**TGT (Ticket Granting Ticket)**

**Key Points:**

* Encrypted with **KRBTGT hash**
* You can't decrypt it (but you can steal and use it!)
* Contains ALL your group memberships in the PAC
* Lets you request tickets to ANY service in the domain

**Pentesting Gold:**

* Steal TGTs from memory using Mimikatz/Rubeus
* Pass-the-Ticket attack
* If you get KRBTGT hash = Golden Ticket attack

#### Service Ticket (ST)

**What it is:** Ticket for a specific service (SQL, Web, File Share, etc.)

**Key Points:**

* Encrypted with **service account's password hash** ⚠
* Service-specific (can't use SQL ticket for web server)
* Contains your PAC

**Pentesting Gold:**

* Request service tickets for accounts with SPNs = Kerberoasting
* Crack the ticket offline to get the service account password
* If service doesn't validate PAC = Silver Ticket attack

### Service Principal Names (SPNs)

#### What is an SPN?

An **SPN is like a phone number for a service**. It tells Kerberos where a service is and what type it is.

**Format:** `ServiceType/HostName:Port`

Examples:

```shell
HTTP/webserver.corp.local         
MSSQL/sqlserver.corp.local:1433    
CIFS/fileserver.corp.local       
LDAP/dc01.corp.local               
```

#### Why SPNs Matter for Pentesting

**Critical Point:** ANY domain user can request a service ticket for ANY SPN registered in AD!

**What this means:**

1. Enumerate SPNs in the domain (no admin needed)
2. Request tickets for all of them
3. Extract tickets from memory
4. **Crack them offline** (no account lockout!)
5. Get service account passwords

**This is called Kerberoasting!**


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.0xrushi.xyz/protocols/kerberos.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
