Fun with LDAP and Kerberos - Attacking AD from Non-Windows Machines

Explore the intricacies of attacking Active Directory from non-Windows machines in this comprehensive conference talk. Delve into the core technologies of Active Directory, including LDAP and Kerberos, and learn how to leverage these protocols for reconnaissance and exploitation. Discover techniques for finding Active Directory through DNS, extracting domain metadata, and performing nested lookups. Gain hands-on experience with tools like Impacket and ldapsearch while understanding the nuances of Kerberos authentication and authorization. Master advanced tactics such as password spraying, over-pass-the-hash attacks, and forging Kerberos tickets. Examine logging mechanisms and understand how to minimize detection. By the end of this talk, acquire valuable insights into attacking AD from non-Windows environments, equipping yourself with practical skills for penetration testing and security assessments.

Introduction
Why this talk?
Takeaways
What is "Active Directory"?
Core AD Technologies
Working with AD Protocols
Find Active Directory through DNS
Domain Meta-Data Through LDAP
MS-RPC Calls
Communicating with MS-RPC
Impacket Binaries
Impacket Static Binaries
Active Directory uses LDAP
What does LDAP in AD look like?
Idapsearch - Computers
Nested Lookups
Nested Domain Admins
Admin-Count
Why do it manually?
LDAP Summary
Kerberos Crash-Course
What does Kerberos look like?
Kerberos and Authorization
Kerberos from Linux
Setting up Kerberos
Using Kerberos with GSSAPI
Viewing Kerberos Tickets
Using Kerberos with Impacket
When NTLM Auth is disabled
Password Spraying with SMB / RPC
Other Password Guessing Techniques
Password Guessing with Kerberos
What about logs?
Kerberos Event Logging
Requesting TGS for SPN
Cracking TGS Resp
Over Pass the Hash - AES
Forging Kerberos Tickets
Golden Ticket Creation
Golden Ticket Usage
Silver Ticket Creation
Silver Ticket Usage
Shoulders of Giants