Comments on "Still Passing the Hash 15 Years Later: Mimikatz and Golden Tickets... What's the BFD? BlackHat USA 2014 Redux part 1" (blog by Exorcyst; comment feed last updated 2024-03-16)

Exorcyst (2014-10-17 09:57 -07:00):
Yes, this attack works for NT6 versions as well.

χαρούμενες ώρες (2014-09-29 07:44 -07:00):
Does this attack apply to NT 6 versions as well?

Exorcyst (2014-09-27 17:00 -07:00):
Sorry I didn't see this comment earlier. That account always looks like it's disabled; however, it is actively being used internally by AD. You just can't log in with it.

Anonymous (2014-09-08 06:58 -07:00):
Hi,
in your screenshot the krbtgt account looks inactive.
Does your method still work despite that?

Thanks

Exorcyst (2014-08-22 10:43 -07:00):
That "official Microsoft guidance" was from the Windows 2000 section of the Technet website. I'm not saying it's bad advice; I'm saying that I've got several different folks from various Microsoft groups, including MSRC, the Windows product team, and consulting services, who are telling me that their official guidance is to burn it down and start over in the event of a breach, because it's potentially less painful than changing the KRBTGT.

Your explanation of what *SHOULD* happen with the KRBTGT account is correct. However, once again, I've got a bunch of folks at Microsoft who are telling me that they are currently investigating whether or not everything actually works that way. As in, they are going back to the source code to audit Kerberos.

Microsoft wants to make sure that the guidance they issue makes sense for large and complicated networks. (Translated: big multi-million to billion dollar clients.)

Ryan (2014-08-22 08:06 -07:00):
Hello,

Password change "Not supported?" Then why does Microsoft recommend that you change the krbtgt password in their support KBs under various circumstances?

http://technet.microsoft.com/en-us/library/cc734032(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc733991(WS.10).aspx

http://support.microsoft.com/kb/2549833

http://technet.microsoft.com/en-us/library/bb727066.aspx

To reiterate, the *official Microsoft guidance* after a domain controller breach or forest recovery is to reset the krbtgt password yourself, and purge its password history by resetting it twice.

To avoid exactly the kind of problem you describe, where changing krbtgt's password once invalidates all TGTs, TGTs can also be validated against krbtgt's first previous password.

I think people have been going nuts lately over the PtH stuff because it makes good blog fodder, but in many cases, "security researchers" are attacking a straw man because they're unclear on how Active Directory actually works in the first place.
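As an added example, not from the original post or from any commenter: the "reset it twice" procedure Ryan describes, scripted in PowerShell with a per-DC replication check after each reset and a guard that refuses the second reset until the default maximum TGT lifetime (10 hours) has elapsed since the first, so that tickets issued under the original key have aged out before that key leaves the one-deep password history. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and the parameter and function names shown; the 10-hour figure is the default Kerberos policy value and should be replaced with the domain's actual setting.

```powershell
# Added example (not from the post or the comment thread): two-step krbtgt reset
# with replication checks. Assumes the RSAT ActiveDirectory module and Domain
# Admin rights; all writes go to the PDC emulator so the change originates once.
# Usage: .\Reset-Krbtgt.ps1 -Step 1   then, at least 10 hours later,
#        .\Reset-Krbtgt.ps1 -Step 2
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet(1, 2)][int]$Step,
    [int]$ReplicationTimeoutMinutes = 30,
    [int]$MaxTicketLifetimeHours = 10   # assumed default; use the domain's Kerberos policy value
)

Import-Module ActiveDirectory

function New-RandomPassword {
    # 48 random bytes, base64-encoded. Nobody ever needs this value again:
    # the KDC only uses the key derived from it.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function Get-KrbtgtPasswordLastSet {
    param([string]$Server)
    # Read from one named DC so replication can be verified DC by DC.
    (Get-ADUser -Identity krbtgt -Server $Server -Properties PasswordLastSet).PasswordLastSet
}

function Reset-KrbtgtOnce {
    param([string]$Server)
    $before = Get-KrbtgtPasswordLastSet -Server $Server
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw -Server $Server
    $after = Get-KrbtgtPasswordLastSet -Server $Server
    if ($after -le $before) { throw "PasswordLastSet did not advance on $Server" }
    $after
}

function Wait-KrbtgtReplicated {
    param([datetime]$Expected, [string[]]$DomainControllers, [int]$TimeoutMinutes)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = @($DomainControllers | Where-Object {
            (Get-KrbtgtPasswordLastSet -Server $_) -lt $Expected
        })
        if ($pending.Count -eq 0) { return }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt reset not replicated to: $($pending -join ', ')"
}

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$dcs    = @(Get-ADDomainController -Filter * | ForEach-Object HostName)

if ($Step -eq 2) {
    # Guard: do not push the original key out of the previous-key slot while a
    # legitimately issued TGT encrypted with it could still be valid.
    $last = Get-KrbtgtPasswordLastSet -Server $pdc
    $earliest = $last.AddHours($MaxTicketLifetimeHours)
    if ((Get-Date) -lt $earliest) {
        throw "Last krbtgt reset was at $last; wait until $earliest before running step 2"
    }
}

# Step 1 moves the compromised key into the one-deep previous-key slot: TGTs
# issued under it still validate, so nothing breaks while they age out.
# Step 2 pushes it out of that slot entirely, which is what finally invalidates
# a golden ticket forged with the old hash.
$t = Reset-KrbtgtOnce -Server $pdc
Write-Host "Step ${Step}: krbtgt reset on $pdc at $t; waiting for replication to $($dcs.Count) DCs"
Wait-KrbtgtReplicated -Expected $t -DomainControllers $dcs -TimeoutMinutes $ReplicationTimeoutMinutes
Write-Host "Step ${Step} complete on all DCs"
```

The replication wait matters as much as the double reset: a DC that has not yet received the new key keeps issuing and accepting tickets under the old one, so checking PasswordLastSet on every DC before moving on is what turns "we reset krbtgt twice" into a verifiable statement that the original key is gone from the whole domain.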