I’m learning about how Kerberos and its common exploits work, and I’m a little confused. In this video explaining the process, we see that at one of the earlier points the user is provided with two packets, one of them being a TGT: http://www.youtube.com/watch?v=2WqZSZ5t0qk&t=6m0s
Now, from what I understand, people can use the Python script GetNPUsers.py to crack the hash of the user’s password by brute-forcing the hashed TGT. However, this doesn’t seem technically correct: what we would really want to hash (according to the video) is the blue packet, since once that is cracked it will provide the user’s password, and then we can pose as the user.
With this in mind, with pre-authentication disabled (which shouldn’t ever happen in a real-world setting, as far as I know), how would we ever get the user’s password simply from cracking the hash of the TGT? Would we have to provide a valid user ID, and (since pre-auth is disabled) Kerberos would happily provide the blue and red packets?
Ultimately, I’m not sure what we’re cracking: a user account or a TGS account?