Windows 10: Suspected identity theft pass-the-ticket we can see kerberos ticket from one server and...

Suspected identity theft pass-the-ticket we can see kerberos ticket from one server and used it on 2 computers is this can be possible as we have received the incidents from defender for identity

:)

 

Check for Valid Kerberos Ticket

Hello everyone,

I'm looking to be able to generate a command klist to check and see if a kerberos ticket is valid.

If the ticket is valid return 1 if a ticket is invalid return something a 0.

We are moving from Linux to Windows for this process but I have yet to find any documentation regarding how you would do this.

I would believe that a sample or model would be everywhere.

Regardless does anyone have some suggestions on getting this accomplished.

Regards,

Jonathan

 

Question about ciphers used in Kerberos ticket

Hi,

From time to time I would see monitoring system alerting on requests using RC4 cipher in Kerberos ticket:

Client server (client1) : Windows 2008 R2

Domain controller (dc1) : Windows 2016

Following is a sample capture from the monitoring system:

client : *** Email address is removed for privacy ***

dest_server: dc1

dest_port: 88

auth_ticket_cipher : aes256-cts-hmac-sha1-96

auth_ticket_ciphertext - xxxxxx

request_type : TGS

new_ticket_cipher: rc4-hmac

new_ticket_ciphertext: xxxxxxx

I'm wondering what determines the encryption cipher to to be used in a Kerberos ticket request? I've heard about Kerberoasting so I would like to know how to identify if such a request is normal or not, thanks.

Regards,

 

Question about ciphers used in Kerberos ticket

Thanks I've created the ticket in the Tech forum.