all credits goes to:
- https://www.trustedsec.com/blog/i-wanna-go-fast-really-fast-like-kerberos-fast/
- https://syfuhs.net/kerberos-fast-armoring
The term "FAST" here does not mean fast in the literal sense, but rather the acronym for "Flexible Authentication Secure Tunneling". Its purpose is to solve the problem of offline cracking of domain user passwords.
You may have heard of kerberoasting, which is mainly used to offline crack the plaintext passwords of service accounts, as well as asrep-roast, which is used to offline crack the plaintext passwords of ordinary users who have not enabled pre-authentication.
Both of these cracking methods are based on the same fact: the packets are derived from the user's password and encrypted with the weakest encryption algorithm, RC4, which we can control.
For computer accounts, this problem does not exist because the plaintext passwords of computer accounts are long random strings with extremely high complexity. Here is the plaintext password of a machine account in my test environment:
As you can see, it is quite complex and offline cracking is impossible. Even if you manage to crack it, the password has already expired. By default, machine accounts automatically update their passwords once a month.
After enabling FAST, when performing Kerberos authentication, the machine account will first obtain a key from the DC, and use this key to protect the data during the user authentication phase. So even if offline cracking is successful, only the short-term key will be obtained, and it is unlikely that you will be able to crack it, as these keys are generally long.