> This article is somewhat incorrect. Kerberoasting abuses Ticket Granting Service tickets (TGSs...

> TGS are (AES or RC4) encrypted...

What? No. The "TGS" is the "ticket granting service", and it's part of the KDC. A "TGT" is a "ticket granting ticket" -- an object, a blob which is a) a Ticket, b) whose service principal is a TGS principal (meaning of the form krbtgt/TARGET_REALM@ISSUER_REALM).

If in doubt see RFC 4120.

▲

harmon 5 days ago | parent [-]

Fine, Kerberoasting abuses TGS-REPs which are colloquially referred to as TGS tickets or TGSs*. You know what I meant.

	▲	cryptonector 5 days ago \| parent [-]
		> TGS-REPs which are colloquially referred to as TGS tickets or TGSs They are NOT colloquially referred to as such by anyone I know. A TGS-REP is just a reply from the TGS. A TGS-REP bears a ticket which can be a TGT or not depending on various things. I have never, ever seen a TGS-REP referred to a you say. I have heard lots of weird things in the Kerberos space, but not this. E.g., I've see "GSS-API" pronounced as "guhsappi". I've seen people say "give me the Kerberos" (meaning "tell me how to get credentials"). FYI I am a Kerberos implementor/maintainer and have authored several Internet RFCs on Kerberos, and have supported Kerberos deployments at several organizations. Sorry to pull credentials here, but I'm annoyed that you felt the need to correct TFA on something they were not wrong about.