Charlie Clark

my latest post on abusing DES using Kerberos, I've not updated my RoastInTheMiddle tool yet but I'll be doing that shortly, enjoy: exploit.ph/des-is-useful.…

This release is probably going to be one of our biggest and most impactful! Kudos to the team @peterwintrsmith @modexpblog @s4ntiago_p @GigelV41464 @saab_sec 🙌

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

@UrfinJuice9 each ticket requires a referral

@exploitph Could you please explain a bit, why do we need two pairs of s4u requests?

A little example of cross domain S4U: exploit.ph/crossing-trust…

Happy to finally share a new blog with @exploitph on our work revisiting the Kerberos Diamond Ticket. ✅ /opsec for a more genuine flow ✅ /ldap to populate the PAC 🆕 Forge a diamond service ticket using an ST We finally gave it a proper cut 💎 huntress.com/blog/recutting…

@sekurlsa_pw @al3x_n3ff the same technique also allowed me to bypass authentication silos: msrc.microsoft.com/update-guide/v…

@sekurlsa_pw @al3x_n3ff this technique makes several attacks possible, one I wrote about at the same time is kerberoasting from a mitm position without creds: exploit.ph/all-ur-as-belo…

Did you know that you can kerberoast without any valid credentials? All you need is an account that is ASREProastable. This allows you to request service tickets for any account with a set SPN🔥 NetExec now has a native implementation of this technique, thanks to Azox

@al3x_n3ff yeah, I did that 3 years ago: exploit.ph/all-ur-as-belo…

Have you ever wondered if there was a way to deploy a "Remote EDR"? Today I'm excited to share research I've been working on for the past couple months. This dives into DCOM Interfaces that enable remote ETW trace sessions without dropping an agent to disk. Includes a detailed write-up: jonny-johnson.medium.com/no-agent-no-pr… And a new GitHub project "JonMon-Lite": github.com/jonny-jhnson/J…

My #SOCON2025 talk is now live for those interested in credential guard research. youtu.be/9U_7u849yQQ?fe…

@_RastaMouse @_EthicalChaos_ @__invictus_ @4ndr3w6S the reason I think the TDO holds both is because when you sync the TDO, you get both keys

@_RastaMouse @_EthicalChaos_ @__invictus_ @4ndr3w6S I think the TDO holds both, as I said I think it's due to how the server lookup is coded, it was easier to have a trust account for requesting tickets rather than trying to code it differently or something, but I'd need to be familiar with the code to be sure

One for the Kerberos experts: after a trust has been created, the ticket-granting service of each realm is registered as a principal with the other realm's KDC; but what is the account used for in the inter-realm referral process? /cc @exploitph @4ndr3w6S

@_RastaMouse @4ndr3w6S @SteveSyfuhs learn.microsoft.com/en-us/openspec…

@_RastaMouse @4ndr3w6S @SteveSyfuhs I assume it's something to do with how AD does the server lookup though

@_RastaMouse @4ndr3w6S idk why exactly, ig you'd have to ask MS, perhaps the way AD works under the hood it requires an actual account to create a ST

@exploitph @4ndr3w6S Ok, that makes sense. But why a trust account specifically rather than storing the secret in the TDO like it is on the trusting domain side?

@_RastaMouse @4ndr3w6S so you request a referral to krbtgt/domain2, it uses the account cred for the DOMAIN2$ INTERDOMAIN_TRUST_ACCOUNT as the service key for the referral

@_RastaMouse @4ndr3w6S I assume you mean the INTERDOMAIN_TRUST_ACCOUNT, in which case it's used to request a referral to the foreign domain

@_abs0lute fwiw, I've not noticed a speed increase for AES encrypted tickets, only RC4

@exploitph Right on, makes sense. I'll have to try it out on an actual cracking rig.

fwiw, you can speed up cracking RC4 kerberoast tickets by requesting the ticket from the AS without a PAC

@_abs0lute using hashcat at least

@_abs0lute I'm not sure about with john and certainly the more resources you have, the larger increase you'll notice, but it seems to be due to the enc-part being around 1000 bytes smaller (at around 100-200 bytes without a PAC), it doesn't make a huge difference but it's definitely faster

@TheCovertCorvus I mentioned this in my blog post: semperis.com/blog/new-attac…

@TheCovertCorvus no, you can request any non-krbtgt ticket from the AS without a PAC without any changes required