ospray 5 days ago
As a pentester, Kerberoasting used to reveal a service password on about 50% of networks in the 2010s when admins were making the passwords. Today our advice to clients on Kerberoasting is the same as it was back then: use a password manager to generate a 21-character password for all service accounts and disable RC4 where possible. 52^21 is quite a large key space, and even at 10^10 guesses per second over a year your chances are less than 1 in a billion of a successful crack.
hinkley 5 days ago
Cheap Cloud storage has never returned rainbow tables to viability, right? I stopped checking sometime after I got out of the space.

Graphon1 5 days ago
> disabled RC4 where possible

I'm curious. Under what circumstances would it be _not_ possible to disable RC4? Is this in case there is a Windows 98 machine running somewhere in the network?
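The "disable RC4 where possible" advice in the top comment can be checked per service account. This is an added example, not code from any commenter: it decodes the `msDS-SupportedEncryptionTypes` bitmask for accounts that carry an SPN and flags those that still allow RC4 or DES. The account records and the status labels are constructed for illustration, and treating an unset attribute as "needs review" is this example's assumption.

```python
# Added example: audit exported AD account records for weak Kerberos enctypes.
# Bit values of msDS-SupportedEncryptionTypes.
ENC_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
WEAK = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}
ENC_MASK = 0x1F  # higher bits are feature flags, not ticket enctypes


def decode_enctypes(value):
    """Return the enctype names enabled in the bitmask, lowest bit first."""
    return [name for bit, name in ENC_BITS.items() if value & bit]


def audit(accounts):
    """Return (account, status, weak_enctypes) for SPN accounts needing work."""
    findings = []
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue  # Kerberoasting targets accounts that have an SPN
        raw = acct.get("msDS-SupportedEncryptionTypes")
        value = int(raw) if raw not in (None, "") else 0
        name = acct["sAMAccountName"]
        if value & ENC_MASK == 0:
            # Nothing set explicitly: the KDC default applies (assumption:
            # flag for manual review rather than guess the domain's default).
            findings.append((name, "unset", []))
            continue
        enabled = decode_enctypes(value)
        weak = sorted(WEAK.intersection(enabled))
        if weak:
            has_aes = any(e.startswith("AES") for e in enabled)
            findings.append((name, "weak-with-aes" if has_aes else "weak-only", weak))
    return findings


# Constructed sample records, shaped like an LDAP export (values may be strings).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-sql", "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"], "msDS-SupportedEncryptionTypes": "28"},
    {"sAMAccountName": "svc-web", "servicePrincipalName": ["HTTP/web01.example.test"], "msDS-SupportedEncryptionTypes": 24},
    {"sAMAccountName": "svc-legacy", "servicePrincipalName": ["HOST/app01.example.test"]},
    {"sAMAccountName": "svc-old", "servicePrincipalName": ["HTTP/old.example.test"], "msDS-SupportedEncryptionTypes": 7},
    {"sAMAccountName": "jdoe", "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 4},
]

if __name__ == "__main__":
    for name, status, weak in audit(SAMPLE_ACCOUNTS):
        print(f"{name:12} {status:14} {', '.join(weak) or '-'}")
```

Accounts reported as `weak-with-aes` already advertise AES, so clearing the RC4 bit is the remaining step; `weak-only` accounts need AES enabled first.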