After getting a lot of positive feedback on my video about how GetNPUsers.py takes advantage of Kerberos pre-auth being disabled, I thought I’d take a look at an attack path we can use when pre-auth is not disabled.
It does require you to have a network packet capture of a legit authentication request from the machine, but I still think it's worth knowing about, so I wrote a blog post on it here:
EDIT: Just uploaded a video on this topic as well:
Nice post! I like how you mentioned this as an alternative to Pre-Auth being disabled, since you mentioned it is incredibly rare to see Pre-Auth disabled in real life. I don’t know enough about Kerberos to know if it can be encrypted when doing Auths, but if not, this is a relatively straightforward method to potentially get some easy passwords. Quick and interesting read.