VOD - TryHackMe! Attacking Kerberos

Captions
Harris Heller, I think, offers this viewpoint that you can't discount how effective and how valuable it is to just chat sometimes, because the whole point of Twitch is to engage with your audience. I hope that you guys feel like we're hanging out; I feel like we're buddy-buddies. "Hey John, any tip to start in this world?" is a redeemed question from Kel Bazaar. Play, tinker, explore. I think I was just chatting about this: I really, really like capture the flag, obviously. I think that's one of the best ways to learn; I think it's the most practical thing that you can do. It gets you hands-on, it gets you really in the mix. Oh, we lost our TryHackMe streak, guys. I'm super bummed, because for the past weekend, for the past four days, I haven't been able to stream, and it was like right after we hit affiliate. I made a joke, I literally made a joke, it's like, "Oh, obviously, obviously, getting affiliate is just a whole giant cash grab, the only reason I create content is a cash grab," and it's a joke, I'm freaking kidding, but then, like, oh, what a shitty look, what a crappy look to not stream four days after. The room is called Attacking Kerberos, right? Yes, it is. Okay, cool. Subtle remd, oof. I've had so many Sublime Text windows open today as I've been prepping for H@cktivityCon. We did it, we put in a serious amount of work to make sure that the H@cktivityCon pregame would get set up for you. If you haven't registered, go play H@cktivityCon, please, please, please, please. The pregame's on right now. I don't... I think I wasn't recording on YouTube for the entire 30-minute advertisement that I voted. It's the 13th of September. "What place or resource do you recommend to learn Internet of Things cyber security?" I have to punt that one truthfully and say Google. I'm kidding, I'm kidding, I know that's an awful answer. I think there's a good No Starch Press book that's, like, literally all about IoT hacking, so I would absolutely put that one to use if you aren't familiar with that one.

We've got the machine deployed, and now we're gonna be taking a look at the Attacking Kerberos room. It says this room will cover all the basics of attacking Kerberos, the Windows ticket granting service. We'll cover the following: we'll do the initial enumeration using turtle... excuse me, tools like Kerbrute and Rubeus; we'll do Kerberoasting; we'll do AS-REP roasting with Rubeus and Impacket; we'll do golden and silver ticket attacks, pass the ticket, and the skeleton key attack using Mimikatz. Jeezum, we could be doing a lot, ladies and gentlemen. This room will be related to very real-world applications and most likely will not help with any CTFs; however, it will give you a great starting knowledge of how to escalate your privileges to domain admin by attacking Kerberos and allow you to take over and control a network. It's recommended to have a knowledge of general post-exploitation, Active Directory basics and the Windows command line to be successful with this room. Cool, cool. We start off with "What is Kerberos?" So I don't mean to read this entire thing to you verbatim, but that's what I'm gonna do. Maybe, maybe not, all of us... actually, this is a crap ton of text, holy crap. But also for, like, my own learning, for my sake, I want to go through this process, I want to have this experience myself.

So what is Kerberos? Kerberos is the default authentication service for Microsoft Windows domains. It's intended to be more secure than NTLM by using third-party ticket authorization as well as stronger encryption. Even though NTLM has a lot more attack vectors to choose from, Kerberos still has a handful of underlying vulnerabilities, just like NTLM, that we can use to our advantage. We have some common terminology, some words, some lingo, some vernacular that we might want to get familiar with. Ticket Granting Ticket: a ticket granting ticket is an authentication ticket used to request services from the TGS, or the Ticket Granting Service. Wait, on here, that offers access to specific resources from the domain. Okay. Key Distribution Center, KDC: the Key Distribution Center is a service for issuing TGTs and service tickets, I guess I can testify, Authentication Service and the Ticket Granting Service. This is gonna be hard, guys. I don't know if I'm gonna be able to read all this. I'll just read it in my head, I'll consume it just like this. Done, I've consumed it through osmosis, I have now learned everything that that text was trying to teach me. Teal's kind of saying, yeah, Kerberos has a lot of moving parts. I'm making light of this, but obviously this would be really, really worthwhile to get smart on. Doug feels like you are speed, Jon. This is obviously, absolutely, really, really critical, so I'm gonna bump around with this for a little bit; forgive me if I lose some of the presentation and performer aura. Thank you, Kel'Thuzad, thank you so, so much for your subscription. Swedish Mask, thank you so, so much. Technopi says, "Yeah, John, I don't really recommend you doing this box if you're tired, because it's a long one." Well, you know what, we started the stream early, maybe we can make it. Let's try it, let's see how far we go. This is a lot of terms, though.

Anyway, AS-REQ, did we discuss AS-REQ whatsoever? Okay, so the Authentication Service issues TGTs, or ticket granting tickets, to be used by the Ticket Granting Service and the domain to request access to other machines and service tickets. The AS-REQ, or Authentication Server Request, step in Kerberos authentication starts when the user requests a TGT from the KDC (KDC is Key Distribution Center; I'm fading). In order to validate the user and create a TGT for the user, the KDC must follow these exact steps. The first step is for the user to encrypt a timestamp with the NT hash and send it to the Authentication Server. The Key Distribution Center attempts to decrypt the timestamp using the NT hash from the user, and if successful, the KDC will issue a TGT as well as a session key for that user. Okay, I believe. I'm pressing the "I believe" button physically. Slick Pop Stream redeemed the highlighted magic message: "the John Wick is the John Wick of cyber." I super appreciate that. Absolutely not, Keanu Reeves is infinitely better than me.

In order to understand how the service ticket gets created and validated, we need to start with where the tickets come from. The TGT is provided by the user to the KDC; in return, the KDC validates the TGT and returns a service ticket. Okay, so the TGT is provided by the user, and then the KDC returns it, or validates it, and then returns a service ticket. So having a TGT is totally kosher, but you have to have a Ticket Granting Service... no, no, no, returns a service ticket. Where is the service ticket in this? Let's take Ticket Granting Service. How is it? An individual asks the Key Distribution Center for a... oh, no, no, no, no, the KDC has the AS and the Ticket Granting Service. I follow, it's a big umbrella. KDC's our big boy with AS, I didn't mean to go there, Authentication Service, A.S. Tecno Pi, thank you so, so much for your subscription. Let me completely derail there. Ticket Granting Service, TGS. Those are both... TGS and AS are both inside of the KDC. What are we doing here, everybody? You didn't realize that TryHackMe was R-rated content? Yeah, exactly, Slick Pub Stream. All right, we're gonna get this YouTube video demonetized real quick. Yeah, clearly we're very tired. Thank you, Nightwolf, thanks for your motivational support. Anyway, let's continue. To understand how Kerberos authentication works, you must first understand what these tickets contain and how they're validated. A service ticket contains two portions: the server-provided portion and the user-provided portion. I'll break it down into what each portion contains. User details, session key. Okay, so the service portion and the user portion: validity timestamp, session key, encrypted TGT, session key.

Kerberos authentication overview, there we go. We got a user, we got a boy, we got a fella, we got an individual; they request a TGT. KDC comes together with his AS and TGS and he says, "Yo, you can have a TGT and a session key," and the guy says, "All right, sweet, thank you, I'm going to give you a request ticket and the authentication that I know," and KDC comes back with his AS and TGS and he says, "Sweet, man, here's a ticket and your session key," specific to a service, specific to an SPN, correct, the service principal name. Yeah, yeah, yeah. So there are steps here, right? We have an AS-REQ, Authentication Service Request, where we request an authentication ticket, or a ticket granting ticket. The AS response, or AS-REP, as we might come to discuss more: the Key Distribution Center verifies the client, sends back an encrypted TGT. Now, with that TGT, the client sends the encrypted TGT to the Ticket Granting Service with the service principal name of the service that they want to access, whether or not that is MySQL or FTP or any of those things. Yeah, Prism McNiel is asking, "Is the SPN a database?" It could be, yes, yes. The Key Distribution Center, KDC, verifies the TGT of the user and that the user has access to the service, then sends a valid session key for the service to the client. That's the response, REP; I guess we're just forgetting the S in there. Another AP request, why is it AP request? Whatever. "I recommend you doing a diagram of Active Directory, John, Active Directory's messaging." I mean, I feel like we got that right here, and obviously we're going to do some BloodHound stuff when we get down to it. We've done a lot of learning and a lot of reading, but I think we're going to boil down to some actual tangible technical content here.

The main ticket that you will see is a ticket granting ticket, and these can come in various forms, like a .kirbi file for Rubeus and a .ccache file for Impacket. Those are different forms that you might see. The main ticket that you'll see is a .kirbi ticket; again, we'll correlate that in our minds with Rubeus. A ticket is typically base64 encoded and can then be used for various attacks. The ticket granting ticket is only used with the KDC in order to get service tickets. So Undefined TTV is making fun of me: ticket, ticket, ticket, ticket. Yeah, yep, especially when you say ticket granting ticket. Once you give the TGT, the server gets the user details, session key and all of those things, yes. Kubernetes... no. Domain access required, oh, oh, oh, so these are things that we could do, and these are what level of access we might need to be able to do those things. So if we're trying to enumerate with Kerbrute, you're just guessing. If you're using Kerbrute, you're literally just hammering at the door and trying to see if anything comes back, so you don't need any sort of access to do that, you're just straight up guessing. You could pass the ticket, but you do need a domain user to be able to try pass the ticket. Kerberoasting, again, access as any user required. Why would you not need a domain user for that? Do you not need a domain user for that? I'm stupid. AS-REP roasting, access as any user. Golden ticket, full domain compromise, you would need domain admin. Silver ticket, you need a service hash. Skeleton key, full domain compromise, domain admin required. I would totally need to just sit down and memorize a lot of this, not gonna lie. To start this room, deploy the machine and start the next section on enumeration with Kerbrute. This machine can take up to 10 minutes to boot. Well, it's a good thing we just sat here and did nothing, just read for forever. And up to five minutes to SSH... already? Wait a second, it takes five minutes to RDP into the machine. All right, let's do our homework here. What does TGT stand for? Rickroll, apparently, as I've decided to type on my keyboard. Ticket Granting Ticket. Smackdown. SPN, Service Principle Network...
You guys didn't believe me when I was speed reading all of this, but clearly I named Service Principal Name, da da da. You guys, clearly I knew what I was absorbing, because I'm obviously responding to all this. What does PAC stand for? I actually... I'm taking a complete guess. Nope. Stay in school, kids. Do Privilege Attribute... I was way off, I was way off. The PAC, man: Privilege Attribute Certificate. All right, I'm going to keep that in my mom... my mind, in my head. Privilege Attribute Con... context? Submit. Certificate, certificate. This is a lot of scrolling. You guys are making fun of me now, I know you're making fun of me, all this thought that you thought that I had. Is there a space that I need to have in there? What the [ __ ]? Deploy the machine, nah, dude, I can't do that one.

Enumerate with Kerbrute. Let's stink and go. All right, what do we got here? A lot of text. Kerbrute is a popular enumeration tool used to brute force and enumerate valid Active Directory users by abusing the Kerberos pre-authentication. Ah, for more information on enumeration using Kerberos, check out the Attacktive Directory room by Sq00ky. From now on everyone should refer to Sq00ky as Spooky. You need to add the DNS domain name along with the machine IP address to /etc/hosts inside of your attacker machine, or these attacks will not work for you. Freaking idiot, stupid dumbo. sudo nano /etc/hosts, password. Obviously my password is "password", that's why I said it aloud, guys. Abusing pre-authentication overview: by brute forcing Kerberos pre-authentication, you do not need to trigger the "account failed to log on" event. Oh, you do not need to trigger the "account failed to log on" event, which can throw up red flags to blue teams. Really? Oh, you don't, you just straight don't. Okay. When brute forcing through Kerberos, you can brute force by only sending a single UDP frame to the KDC, allowing you to enumerate the users on the domain from a wordlist. Ah. [Music]

So we should go ahead and swipe this tool, Kerbrute. I don't think I actually have a directory for it, so let's create one in /opt, and then let's go steal this thing. We have a couple releases; I'm going to want linux_amd64. Hippity hoppity, your code is now my property. Move that download into here. That is an executable, is it not? Yeah, let's blindly trust things that I just downloaded from a rogue GitHub repository that I know nothing about. Oh, and I should probably move it into the directory that I wanted to put it in. Dumbo, dumbo, dumbo. I hope you guys are having fun, I hope you guys are enjoying my pain. All right, so we got Kerbrute, and it's a thing, it exists, incredible. Okay, okay, great. Yep, make it executable. Cool, we already knew all that. We're watching Dumbo, watching Dumbo. Enumerating users allows you to know which user accounts are on the target domain and which accounts could potentially be used to access the network. Change directory into the directory that you put Kerbrute in. Download the wordlist to enumerate here. Okay, you know what, I'll buy it, you know what, I'll take 12.

Let's put... actually, let's put that here. Wordlist, where? users, they call it users.txt. Jam into the toonage right now. Okay, so they use kerbrute userenum --dc, and you paste that in. Paste that in. Value Run says, "John, we need to get Monster Energy drinks to sponsor your hack." I super appreciate that. I literally reached out to them, I literally emailed them, and I think I've actually shown that on Twitter. Let me see real quick. Actually, forgive me, I don't mean to completely derail, but I want to try it: twitter.com John Hammond Monster Energy. Am I gonna be able to find it on GitHub? I don't think so. Oh, excuse me, on Google, I'm an idiot. Oh crap, this is literally not important and I'm super duper sorry. I might just bail on this idea. "I tried" is what I had responded to. Nope, never mind, bailing, not important. Yeah, you guys can do your internet cyberstalking and I'm sure you can track it down. Written says, "We'll find it." Yep. Okay, kerbrute userenum --dc controller.local -d controller.local user.txt. So we need to specify the domain controller itself, I'm assuming, the domain, -d, and then user.txt. Actually, use it here: when we use Kerbrute we can see that here, -d for domain and --dc for the IP address. So let's use kerbrute userenum, and let's actually do this from location, so I can use /opt, --dc controller.local, -d for domain controller, controller.local, and then we need user.txt... user.txt, excuse me, excuse me, users, plural, with an s. Okay, please do things. Vortex Hayes, thank you so, so much for the follow, you're the best. Is it doing it, is it going? How long is it supposed to take? controller.local, controller.local. Let me do a quick... you know what would help you guys? Do you guys know what would really help? Let me tell you what would really help. It's really nothing, it's not a whole lot, it's not really important, it's not really all that necessary, but if you run it again, then it should work. I'm gonna leave, I'm gonna go, I'm gonna quit. [Laughter] For those of you that missed it, I just connected the VPN, that's all.

All right, how many users have we got here? How many valid usernames do we got? Let's check it out. I am going to paste this in Sublime Text, hit Ctrl+A to select everything and then Ctrl+Shift+L to create multiple cursors, and then move around with the Ctrl+arrow keys so I can move by word, so I can cut stuff out. So it needs to know how many users did we find: we found 10. What is the SQL service account name? SQLService, appropriately named. You can submit that. What is the second machine account name? Machine2, also appropriately named. What is the third user account name? Now I'm gonna go on a limb here, I'm just gonna take a guess, this is just an educated guess, but maybe it's User3. Holy crap, I can see the future. What's next? Now we're doing Rubeus, bro. So I have used Rubeus in OSEP, and it is absolutely necessary for Offensive Security Experienced Penetration Tester, and considering that I have that certification, one might think that I'm actually a relatively decent, experienced penetration tester. I'm not, I'll be the first to admit it. Just takes me a little bit of learning, just takes me a little bit of thinking, just takes me a little bit of experimentation. But we're SSHed in, you know. Rubeus is a powerful tool for attacking, well, Kerberos. Rubeus is an adaptation of the kekeo tool, developed by harmj0y, the very well-known Active Directory guru. That's correct, he's a smart cookie. Rubeus has a wide variety of attacks and features that allow it to be a very versatile tool for attacking Kerberos. Just as many of the tools and attacks include: overpass the hash, ticket requests and renewals, ticket management, ticket extraction, harvesting, pass the ticket, AS-REP roasting,
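A defender's-eye view of the Kerbrute user enumeration just run: probing pre-authentication does not raise the usual failed-logon event, but every AS-REQ for a name the domain does not know is still recorded on the domain controller as Event ID 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), provided the "Audit Kerberos Authentication Service" subcategory is enabled. The following is an added example and not part of the stream or the TryHackMe room: the log lines are constructed, and the line format, the threshold, the window and the function names are assumptions of this example.

```python
"""Flag Kerberos user enumeration from constructed Event ID 4768 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not a real export): a one-line summary of
# Event ID 4768 "A Kerberos authentication ticket (TGT) was requested".
# Fields: timestamp, event id, account name, client address, result code.
SAMPLE_EVENTS = [
    "2021-09-13T20:01:00 4768 Administrator 10.50.1.10 0x0",
    "2021-09-13T20:01:03 4768 SQLService 10.50.1.20 0x0",
    "2021-09-13T20:01:05 4768 adminstrator 10.50.1.10 0x6",   # one typo, not an attack
    "2021-09-13T20:02:10 4768 aaron 10.50.1.77 0x6",
    "2021-09-13T20:02:10 4768 abby 10.50.1.77 0x6",
    "2021-09-13T20:02:11 4768 adam 10.50.1.77 0x6",
    "2021-09-13T20:02:11 4768 alice 10.50.1.77 0x6",
    "2021-09-13T20:02:12 4768 amber 10.50.1.77 0x6",
    "2021-09-13T20:02:12 4768 andy 10.50.1.77 0x6",
    "2021-09-13T20:02:13 4768 Administrator 10.50.1.77 0x0",  # wordlist hit on a real name
    "2021-09-13T20:02:13 4768 user1 10.50.1.77 0x0",
]

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # KDC answer for a principal that does not exist


def parse_event(line):
    """Split one constructed log line into a dict (a real pipeline reads XML/JSON)."""
    ts, event_id, account, client, code = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "client": client,
        "code": code.lower(),
    }


def find_enumeration(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {client_ip: {"count", "names"}} for every client that produced at
    least `threshold` unknown-principal 4768 events inside one `window`-long span."""
    by_client = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["event_id"] == 4768 and ev["code"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_client[ev["client"]].append(ev)

    flagged = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(events)):
            # advance the window start until events[start..end] fit in `window`
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(client, {}).get("count", 0):
                flagged[client] = {
                    "count": count,
                    "names": sorted({e["account"] for e in events[start:end + 1]}),
                }
    return flagged


if __name__ == "__main__":
    for client, hit in find_enumeration(SAMPLE_EVENTS).items():
        print(f"{client}: {hit['count']} unknown-principal AS-REQs, names={hit['names']}")
```

The rule keys on the result code rather than on the account name, so a single mistyped username from a workstation stays below the threshold while a wordlist run from one address trips it in seconds. A guess against an account that does exist is a different record (Event ID 4771, pre-authentication failed) and would need its own rule.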
Kerberoasting. The tool has way too many attacks and features for me to cover all of them, so I'll only be covering the ones I think are most crucial to understand how to attack Kerberos; however, I encourage you to research and learn more about Rubeus and the whole host of attacks and features here. Rubeus has already been compiled and is on the target machine. Cool. Just for my own smarticles, I want to make sure that I do actually have a copy of Rubeus, so if you go to the GitHub repository you can check out the releases, and there is a very, very recent one. Oh, actually, August 2nd. Is this already compiled, or is it just gonna give me the source code? You might have to compile it yourself. I think there are a handful of tools that you can find, like GhostPack Compiled Binaries. Yeah, this is GhostPack Compiled Binaries, and it'll just give you the updated Rubeus. Okay, and that actually has it from nine days ago, so I'm assuming that's gonna be the latest version. I'm gonna download that just so I have it, and I'll make a directory for Rubeus, I'll move that here. So it is a Mono assembly. Do I have ilspycmd? I don't. Is it going to tell me the version number regardless? No. Let me see if it's all just displayed anywhere. Rubeus, Rubeus, Rubeus... not gonna give me a version number. I don't care that much, not gonna lie. Let's get back to what we were doing. Yep, yes. Oh, SharpCollection probably has it, from Flangvik. Good call, Nightwolf, thank you so much. He keeps track of... what, the six minutes ago? Flangvik, bro, are you online right now, are you watching the stream? "I really like Melvin." Update that no one asked for: having a Monster Energy drink with dinner was not actually a good idea. Totally agree, Ridden House.

All right, let's log in. We are logged in, so let's move into Downloads, which we do know. Oh God, I'm in Command Prompt, God, I want to die. We have Rubeus.exe. So if we were to use Rubeus.exe, you could harvest and look for TGTs, ticket granting tickets, every 30 seconds. I should really be taking notes on this room. I kind of created this README and I didn't really do much with it. So, Kerbrute. "Oh, he has it up with Azure Pipelines, talked about in a recent stream." Nice, that's pretty awesome. Yep. Yeah, some folks: "You could just switch to PowerShell if you wanted to, John." Like, that's a very, very, very valid point. Whoa, whoa. So the thing about Kerbrute that we should keep in mind is that this does not require any local account access; you could just do that as any user, is the takeaway, and then we could brute force potential users, and that was kind of slick. You could harvest tickets with Rubeus, so now we're getting into Rubeus harvesting tickets. So let's do that: harvesting tickets with Rubeus. So the syntax was .\Rubeus.exe, and then it was harvest, and it was /interval:30, I believe, so every 30 seconds. And can I Ctrl+L to clear my screen? No, I can't, stupid. Can I cls? Slap that in. I am not in PowerShell. Why am I not in PowerShell? I still can't use Ctrl... oh, I can use Ctrl+L now. Oh, and I've seen that we should have been in PowerShell all along. "Did you make any challenges for H@cktivityCon this year?" Absolutely, Eclipse, yes, I made, I think, like 25 challenges for H@cktivityCon this year. I almost think more than half of the challenges are mine, or I don't know. Nightwolf is saying, "Hey, I'm heading out, thanks so much, make sure John doesn't fall asleep on stream." There's the potential. There we go, Rubeus is firing up. "Excited for H@cktivityCon." Thank you so, so much. If folks don't know, anyone that's tuning in and listening, you should go register for H@cktivityCon. Let's see, did we get any new users? Don't show the game... oh no, this is actually fine. We got, like, a couple new users, not a lot. Go register, go play. Okay, so Rubeus should be going. Oh, and there he goes, we caught it right in time, he found a ticket. Now this is not outputting to a file; I would really like it to. We see a controller from CONTROLLER-1, but, oh, we also see an Administrator at controller. Let's... is that a local user? No, Administrator at controller.local, CONTROLLER-1, which we know is the domain controller, right? Are these tickets the same? MDMX zero FM, MDMX zero FM, yep. We got a few more: controller, controller, controller, Administrator. These look like they're gonna be the DC. Yeah, yeah, okay.

Rubeus can both brute force passwords as well as password spray user accounts. GSM, okay, Rubeus, you do you, buddy. When brute forcing passwords, you use a single user account and a wordlist of passwords to see which accounts work with that given user account. In password spraying, you give a single password, such as Password1, and spray against all the found user accounts in the domain to find one which may have that password. Nice. This attack will take a given Kerberos-based password and spray it against all found users and give a .kirbi ticket. This ticket is a TGT, ticket granting ticket, that can then be used in order to get service tickets from the Key Distribution Center, the KDC, as well as used in attacks like pass the ticket. Before password spraying with Rubeus, you need to add the domain controller domain name to the Windows hosts file. You can add the IP and the domain name to the hosts file from the machine by using the echo command; you just redirect it in, just like that. Okay, this is essentially doing the same thing that we did for the /etc/hosts file in Linux, but now we're doing it on Windows. Windows stores it in C:\Windows\System32\drivers\etc\hosts, so slap that in, and let's type, or cat, that out now just to verify. Oh, what the funk? Oh, it's probably adding the stupid newline, God, I hate Windows. Yeah, it's at it. /etc/hosts, there we go. Can I not? I can't. There we go, it did not add that because I was very likely... in Windows? Oh, no, no, in Linux, I literally forgot the s, that's why. Ify Sec, Lfy Sec... said I'm not positive... has redeemed a highlighted message, says, "Hey John, I've been doing CTF for a while and tomorrow I'll start my first cyber security job." Nice, congratulations, my friend, that's fantastic, congratulations. Oh, Swedish Mask is telling me to use /outfile hashes when necessary. Yeah. Congrats, dude, everybody's in the chat loving it up, dude. Rev it up for Liftysek, I'm sorry I'm butchering your name, but congratulations, dude, that's fantastic, congratulations, person. Yeah, PowerShell is stupid, you can't Ctrl+U, I agree. I have butchered this /etc/hosts file now, apparently, and I'm really upset, so I can't do a quick and easy edit in that, so I'm just gonna RDP into it and try and fix that crap. But I don't know if that's a local... yeah, it is. Iral James, thank you, thank you for gifting all these things, you're incredible. Xerox Lenser is asking, "What's the best note-taking app in Linux?" Personally, I really like Obsidian, that's just me. Bravo Charlie: "I think someone changed the password on pseudobox in the H@cktivityCon pregame." [Music] Good call. I don't know if that is a shared container or not, I will have to go review. Thank you for letting me know. Anyway, cmd, Command Prompt, why is it so slow? I can't zoom in because this is garbage. Whatever, let's just... forget it, notepad this: notepad C:\Windows\System32\drivers\etc\hosts. All right, let's fix this friggin' nonsense: 10.10.16.191 and then controller.local, there we go. Let's keep RDP open in case we need it, but I really don't want to have to use that, because it's disgusting. MLF is looking into it, thank you, thank you so, so much.

Okay, with that said, once we have that set, you can move into Downloads and then use Rubeus brute with a given password and then /noticket. This will take a given password and spray it against all found users and then give the .kirbi ticket for that found user. Oh. So let's steal that syntax again, but it is just brute and then the password, /password, in a very command-line-esque way. So .\Rubeus... hello? What the [ __ ]? Where did my Rubeus go? Where is Defender? Did Defender just kill Rubeus? We checked... let me check this. No, no, it's off. What? Cloud-delivered protection, though, automatic sample submission. You just ate Rubeus, dude, I'm really upset. It did say one threat found, yeah. Can I see my threat history? Nice, dude. All right, let's submit a bug report to TryHackMe. Excuse me, Ben, excuse me, Skitty, excuse me, Dark, yes, sir, I'd like a bug bounty, please, bounty please, sir. I have found a bug and I request 40 crypto coins. Anyway, let's just drag our Rubeus script to the machine, which is 10.10.16.191, I actually remembered that last time, and it's in Users\Administrator\Downloads, and it needs the password, which is a bunch of stupidly speak, so I forget that, I don't want to type it out. Permission denied? Excuse me, do I have a space? Oh, I have a space. Rubeus, there we go, Rubeus is back. All right, so Rubeus brute, Password1 and then /noticket, right? That is the syntax. That is the password they wanted me to use, right? Password, yep, just 1. Do it. It didn't work. Rubeus brute /password:Password1 /noticket. [Music] I feel like something else should have happened there. If I ping the domain controller... do you know what you are? You do know what you are. Is that what we're supposed to do? I think... what domain admin do we get a ticket for when harvesting tickets? Just the Administrator, right. What domain controller do we get a ticket for when we're harvesting tickets? CONTROLLER-1. But we should have found Machine1, but I didn't. Am I doing that wrong? No, the chat is just as weirded out as I am. "Rubeus is a little too sensitive with the ticket formatting," I don't know. Well, the room tasking didn't ask me for anything about that, so if anything, I have learned that I can do that now, and that's really all that I need. So, okay, okay, okay, we're continuing on in a new large section. In this task we'll
be covering one of the most popular kerberos attacks kerber roasting curb roasting allows the user to request a service ticket for any service with the registered spn i feel like i feel like the chat gets in the way i'm gonna cover the chat with nothingness there we go okay so i want you guys to be able to read am i still getting the tickets from earlier no was i supposed to halloween was i supposed to like keep keep toggling those for some reason or was i supposed to save them i don't know anyway you guys can scream at me if that works please um curb roasting allows the user request to service tickets can can you guys not change the um quality now for some reason one lightning stupid twitch could be a different version of rubios maybe that's it i don't know let's move on kerber roasting allows the user to request a service ticket for any service with the registered spn or service principal name and then use that ticket to crack the service password if the service has a registered spn that can be kerberostable however the success of the attack depends on how strong the password is and if it is trackable as well the privileges of the cracked service account to enumerate german roastable accounts i would suggest it to elect bloodhound to find all kerberostable accounts it will allow you to see what kind of accounts you can kerberos if there are domain admins and what kind of connections they have to the rest of the domain that's a bit out of scope for this room but it's a great tool for finding accounts to target oh they don't do any bloodhound in this room bummer that's fine in order to perform the attack we'll both you'll be using both rubios as well as in packet so you'll understand the various tools out there for curb roasting there are other tools out there such as kakao and invoke kerberos but i'll leave you to do your own research on those tools i've already taken the time to put ruby's on the machine for you yes i know kerberos will just dump the kerbros hash 
of any Kerberos users, it just friggin' finds it, it just does it. Let's, let's take note of that: Kerberoasting with Rubeus. So there's got Rubeus, Rubeus, Ruby... and then, uh, Kerberos Regime, thank you for the redeemed message, and cheers from the Philippines. Thank you, cheers from the US, my friend. Okay, Rubeus just does it, Kerberoast for the SQLService, incredible, and that is the kirbi file. Yeah, it uses an LDAP way to detect that, it looks like, and the controller of the HTTPService. Okay, cheers from Hong Kong, excellent. Cheers from the US, my friend. Cheers from Chile. Oh, you're the best, guys. Cheers from the US, cheers from the United States.

Okay, so we grab it for the, um, SQLService and that's what they get just as well, and then they want us to copy this hash. Oh gross, disgusting. Subtle. Um, kerberos.txt. Let's try and clean this up, because we really don't need this first part, we also really don't need all of this whitespace, and then we don't need any of these newline characters. Yeah, so we have this big chunk, and then we wanted to crack this with hashcat, and "create a modified rockyou wordlist in order to speed up the process, you can download it here," which is again this guy. Um, so we'll store that. We'll actually, yeah, let's just grab all this and we'll call that pass.txt, apparently. So hashcat keeps track of all the different modes and you just kind of have to know, like, what you're going to be looking for. Look at the big long wiki. Um, if I want to look for a Kerberos type, this is it. AS-REP... unique auth has this structure, let me zoom in super quick. But does that match what we have? No. krb5tgs, and you can see that in the response here, so if we could go look for that example, the other one, Kerberos TGS. So we do want 13100. That's a little bit more of the explanation behind why they just, uh, chose that mode. OreoByte is telling me, oh, there's a hash chart in the man page, sweet. Uh, I should keep that in mind, thank you. And then you supply -a 0. What is, what does -a 0 do?

Do I even have hashcat? Not gonna lie, I don't think I do. hashcat... cat hat... I am in a VM so it's kind of disgusting, but I should probably actually, you know, use it. So, um, let's make a directory for hashcat, let's move it from the Downloads... hey, thank you so, so much for the bits, Mr. Crumbs, you're the best. "Colabcat would also be a better option," Ghost is chiming in, you're totally right, we should be using Colabcat. Uh, "how do you get a GitHub terminal?" I don't know what you... I don't, I don't know what you mean. Um, hashcat, that's it. 7z e hashcat... there's a lot of stuff it had to churn out there. This is all of the stuff. Is hashcat just going to work? hashcat.bin, .sh... was it... did I just, like, download the Windows one or something? hashcat.sh. Oh, not gonna lie, I should really use Colabcat, and I see some folks asking about... I mean, yeah, you could use, you could, you could apt install Colabcat, or excuse me, you could apt install hashcat, but if you do that then... oh boy, oh boy. Colabcat makes it so clunky, though. Colabcat is absolutely better, you should absol... everyone's telling me you should definitely use Colabcat. I wish I had a streamlined setup for using Colabcat. I've literally only used it once, in, in Throwback, and I was like, this is incredible, this is the best thing in the world. Um, but "go to the link below to open a copy of the Colabcat file in Google Colab, click on Runtime, Change runtime type, and then Hardware accelerator, GPU." All right, let's freaking do this, let's get smarticle, here we go. I know you can't read it because the chat's in the way, but forgive me. Click on Runtime, yep, Change runtime type, yep, GPU, yep, already set. "Go to your Google Drive and create a directory called .hashcat with the hashes subdirectory where you can store hashes." Uh, am I... see, this is... I don't like having to have to open this, like, within Google Drive, that sketches me out, because I don't want to show anything relatively important. Um, whatever, maybe I don't, maybe I don't care. Let's just go to Google
Drive, we'll hide my face for a moment. "You don't have to," Ghost is saying, "you don't have to go to Google Drive." Oh, I think I actually have a .hashcat folder already in here. I have a hashes and the rules subdirectory. Yeah, hashes, I just need to drop stuff in there. "You should probably not use your main Google account while you're streaming if you're worried about leaking possible..." doesn't... you're totally right, IRL James, you got me, you caught me red-handed. Yeah, yeah, let's not, let's not, because it is, it is, is worried about, uh, tokens and stuff. So let's just friggin' apt install it, I'll, I'll, I'll eat my words. Thank you so, so much for the follow, Infosec House. "Making a not-John Google and a not-John GitHub account," I totally should. hashcat, let's commit the, the worst crime by installing hashcat from the repositories. It's even worse than installing John the Ripper from the repositories. I feel so sinful. I tell people all the time, dude, you should never install John the Ripper from the repositories, you should always be using Jumbo John from the repo, from the, like, GitHub repo. Anyway, what are we doing? Let's do some hashcat, let's do some hashcat. -m 13100, -a 0, um, kerberos hash, and then it needs to know the pass.txt. Okay. Uh, um, OreoByte says, uh, "please tell me why not apt install hashcat." So, uh, yeah, I, I guess I just... I mean, IRL James is actually offering the point that I would actually argue against. It's, it's not always safer to get the source code and compile yourself, because I think the, uh, repos are meant to be the more trusted and more, and more reliable and safe option. Um, but Ilfisak again, however I pronounce your name, "apt is not always updated." Uh, that's, that's the more I'm concerned with, especially for John the Ripper, where you have practically nothing that, um, excuse me, John the Ripper would package with all the good stuff in the run directory. Why, uh, why are you worried... "Hash file on line one: token encoding exception, no hashes loaded." Uh, what's wrong, what's the problem there?

Octomany, thank you so, so much. Yeah, that would be... what, fantastic and wonderful if you're willing to share the TryHackMe script. Um, kerberos hash.txt has everything that it's supposed to have. Kittens Isix, thank you so, so much for the sub, that sounds so Twitch. What is this error? I'm... token encoding exception, no hashes loaded. A tidbit... oh, Mr. Crumbs has a really good thought. Um, "a tip that I learned a while ago that changed my life is that hashid -jm will give you the modes/formats to use with John and hashcat for the given hash." That's actually incredible, yeah, you're right. Um, "thank you for all the effort you put in YouTube, it's one of my favorites." Thank you so, so much, Bible Clan Member. "Looks like random space in the hash," it might be. "Do you need to insert a hash in the kerberos hash.txt or have you already done that?" I already have. Um, Technop is asking, um, what pregame? That is the HacktivityCon CTF, you should totally go play, you should absolutely jump in. Um, "can we get John Hammond to do Twitch e-dating?" I am taken, unfortunately. Um, IRL James is asking, "wait, is he single?" No. Do I have spaces in this? I [ __ ] do have spaces. What the f... why are there spaces in that? Oh my god. Uh, Slick Puff Stream, "what system are you running there, 24 cores?" from Crapstick. Yeah, I have a Threadripper, not gonna lie. Um, yes, I had to do it, but "waiting for you to get affiliate," thank you so much. Um, see, this is the, this is the sketch, because I'm inside of a VM. I can tell it --force, but I feel like it's just gonna get a, it's just, just gonna get a kernel panic. Everybody is telling me -d 1, what is that? OreoByte, -I, find... or hashcat -I, find devices, is that a thing? I'm learning. OreoByte, "...detecting," whoa, whoa, whoa, capital I? I follow, is this what you're telling me to do? -I. Uh, yeah, hashcat doesn't play well with CPUs, right, and I follow that. Uh, Low Order Bit is asking, "how did you get that dope command prompt?" This is, uh, the Pure prompt in zsh. So could I just tell it to use
-d 1, except it might complain because it's a CPU. Yeah, and it'll wind... will it run with -d 1, CPU? No. I can tell it to --force, but it might just, you know, [ __ ] the box, so let's do it anyway because it's fun and we're on stream. Don't cause a kernel panic, please, please don't kernel panic, please don't blow up everything. YOLO. You eat it... you guys in the chat know what's up, --force always works. Um, it's actually not, it's actually not starting, it's actually not kickstarting what hashcat should be doing. You guys are all worried about the stream dying. Oh, oh, there we go, okay, okay, it just crunches through it. MyPassword123, number... that goes the other way, dude. All right, so we figured out the password, great challenge, everybody. Now crack that hash, crack that hash, you know it's like the Extreme Home... over... Extreme Makeover: Home Edition, like, move that bus, crack the hash. Uh, "Impacket releases have been unstable since 0.9." Oh, now we're just moving on to Impacket, by the way, we're just cruising. Uh, let me take note of that before I forget. Um, cracked password.txt, MyPassword123, thanks hashcat. Let's go do some Impacket. Do I actually have Impacket? I do. The question is what version am I using, let's check the changelog. Um, this looks like 0.9.15. "I've been having issues with hashcat inside WSL," um, I truthfully wouldn't want to use hashcat inside of WSL personally. Bono's Tech, thank you so, so much for the follow. Arab is asking, "John, did you install oh-my-zsh?" No, I didn't, actually. I just installed the, um, syntax highlighting for the commands because I like that much, yes, but I am, I am using the Pure prompt in zsh. Thank you so, so much, Walter, for the follow. Okay, they're telling me to use 9.91, I don't exactly want to. So Kerberoasting with Impacket is GetUserSPNs, and we know that machine one theoretically had this password; however, we were not able to track that down and find it ourselves, which is actually kind of frustrating, and I don't know if I want to follow through with that. OreoByte says

"seems like you need a cracking rig you can SSH into locally," yes, yes. Um, yeah, anyway, sorry, I was, um... "you don't need root privileges for Impacket," I mean, it depends. Um, anyway, sorry, I was distracted reading the chat. "What can a service account do after cracking the service account password? There are various ways of exfiltrating data or collecting loot depending on whether the service account is a domain admin or not. If the service account is a domain admin and you have control similar to that of a golden or silver ticket, you can now gather loot such as dumping the NTDS.dit file. If the service account is not a domain admin, you can use it to log into other systems and pivot or escalate, or you can use that cracked password to spray against other service and domain admin accounts; many companies may reuse the same or similar passwords for their service or domain admin users. If you're in a professional pen test, be aware of how the company wants you to show risk. Most of the time they don't want you to exfiltrate data; they'll set a goal or process for you to get in and show risk inside the assessment." Kerberoasting mitigations: uh, strong, secure service passwords, yep, yep, yep. Don't make service accounts domain admins, makes sense. Uh, so we cracked the password for the SQLService one, let's do it for the HTTPService one just as well. Um, what we had done was get the HTTPService kirbi file hash... am I, am I saying that wrong? Am I, am I misrepresenting that? This is, this is a kirbi TGT. Let's just remove every single whitespace character, die. Thank you. So http service.txt... we could just as easily use hashcat again on that HTTPService, and we'll let hashcat do its thing. I know it's gonna wind... actually, never mind, totally cracked it, nice work. So HTTPService with Summer2020. HTTPService and SQLService, nothing, yep. All right. Yeah, how you guys doing in the chat? How you guys, how you guys having fun hanging out? Oh, now we're doing AS-REP... mitigations, okay. "Very similar to Kerberoasting, AS-REP roasting dumps the
Kerberos krb5asrep hashes of user accounts that have Kerberos pre-authentication disabled. Unlike Kerberoasting, these users do not have to be service accounts; the only requirement to be able to AS-REP roast a user is that the user must have pre-authentication disabled. We'll continue using Rubeus, same as we have with Kerberoasting and harvesting, since Rubeus is a very simple and easy-to-understand command to AS-REP roast and attack users with Kerberos pre-authentication disabled. After dumping the hash from Rubeus, we'll use hashcat in order to crack the krb5asrep hash." Gotcha. "There are other tools as well for AS-REP roasting, such as kekeo and Impacket's GetNPUsers. Rubeus is easier to use because it automatically finds AS-REP roastable users, whereas with GetNPUsers you have to enumerate the users beforehand and know which users may be AS-REP roastable." Uh, Rubeus is already on the machine, great. Sadik is asking, "hey John, how are you doing?" I'm doing okay, buddy, thanks so much for asking. "Is your GitHub repo mounted as an NFS?" Um, my NFS is mounted and I have a GitHub repo in it, if that's what you're asking. "During pre-authentication, the user's hash will be used to encrypt a timestamp that the domain controller will attempt to decrypt to validate that the right hash is being used and is not replaying a previous request. After validating the timestamp, the KDC will then issue a TGT, ticket granting ticket, for the user. If pre-authentication is disabled, you can request any authentication data for any user and the KDC will return an encrypted TGT that can be cracked offline, because the KDC skips the step of validating that the user is really who they say they are." Ah, okay, so Rubeus makes this incredibly easy by literally just running asreproast. So let's take note of that. So that is just Rubeus.exe and then literally asreproast, AS-REP toast if you know what I'm saying. Uh, clear the screen, please do it. Already found stuff, okay, LDAP makes it super easy. It found Admin2 as an AS-REP roastable,

AS-REP-able, AS-REP roast, AS-REP roast available user, same thing with User3. So Admin2 is going to be much, much more interesting. Um, we could realistically just do the entire process that we now know from what we just did, so let's remove all the whitespace and then do, uh, we'll call this admin, admin2.txt. Oh, I named that wrong, let's move admin2 with an actual x in the txt file. Uh, Abracadabra says, "I'm lost, I'm just studying a little bit by little to program, a baby practically, but I'm having fun." Well, thanks so much, I appreciate you jumping in and, and hanging out. Um, we also should grab User3, because I'm going to assume that they're going to ask us for that. Let's also remove all the whitespace in that and let's call that user3.txt. And as OreoByte had told us, we could just man hashcat and see the mode. Uh, will it give me the mode chart? Do I just have to search for, like, "chart" or "list"? Uh, where is it? Oh, there it is, wait, on here. So a bunch of hash types. Does it give as many examples as the wiki page? No, it doesn't. "Bottom," it's down there, yeah, I see it, I just, you know, I like having the examples that I could quickly search for. Uh, you're good, you're good, I was just, uh, curious. So we can, we can just use this one. Uh, if we look again for Kerberos as we had previously, we have the krb5 AS-REP and that was 18200, krb5 AS-REP. There are a lot of these krb5 pa... but Kerberos 5 AS-REP, so that should be 18200. Yeah, so let's use that, let's use 18200 on our Admin2 and see if we can get that to work. Oh look, he said thank you so, so much. Signature is unmatched for that mode, so that was clearly wrong. We want krb5asrep, what was wrong with that? That's literally it. etype 23, is that what's missing? Um, what mode are they using? No, they're using 1823.
Oh, you have to insert... why? I mean, I get it, you know, I'm not gonna whine, I'm not gonna complain, but I'm gonna whine and I'm gonna complain. So we add the 23 in there. Okay, go figure this out and be like, I'm done, finish it in a second, did it all for you. Thank you so, so much for the gift subs, guys, seriously, I do mean it. Let's see if hashcat can do its thing. Done, cracked, nice and easy, there's the password displayed right there. So what hash type does AS-REP roasting use? Which user is vulnerable? So yes, User3, and that was Admin2. Admin password was this. Let's do it for the user, it should be user3.txt. Um, "and hash type that AS-REP... we're using it's Kerberos," uh, I see it here, Kerberos 5 etype 23, is, is that what you're asking for? Ew, where is it? Is that not discussed in here? What specific format are you looking for? Kerberos, krb5 something type 23. "Remove the comma," well, I mean, removing the comma, it's still missing a word somewhere in here. Let's, let's check the man page for hashcat and see if it will just tell us for 18200, that we did just use... we did just use 18200,

did we not? 18200, it's literally not found on the man page. Okay, that's not helpful whatsoever. AS-REP... um, "it's in the screenshot." Uh, Kerberos 5 AS-REP etype 23, I follow, I follow, I just don't like it. There you go. Okay, so what is the, uh, what is his password? Password3. So User3's password was Password3. Donezo, dunzo, dunzo. Pass the ticket with mimikatz, we got another hour, let's do it. Thank you, everyone, for telling me "look at the friggin' screenshot, John," I appreciate that. Now we can finally use mimikatz. So "mimikatz is a very popular and powerful post-exploitation tool, uh, most commonly used for dumping user credentials inside of an Active Directory network. However, we'll be using mimikatz in order to dump a TGT, or a ticket granting ticket, from LSASS memory. This will only be an overview of how the pass-the-ticket attack works, as TryHackMe does not currently support networks," but it does now, "I challenge you to configure this on your own network." Ilfisak says, "hey, this community is one of the best in cybersecurity, not only for the content that John Hammond does but for the support of everyone together helping us, thank you so much." Oh, that's super sweet, guys, I love you, thank you, thank you, thank you. How do we still have 150 people hanging with us? That's, that's absolutely insane, we're just goofing. Um, all right. "You'll run this attack on the given machine; however, you'll be escalating from a domain admin to a domain admin because of the way the domain controller is set up." You know what, I dig it, we can, we can deal. Uh, "pass the ticket works by dumping the TGT, or the ticket granting ticket, from the LSASS memory of the machine. The Local Security Authority Subsystem Service, LSASS, is a memory process that stores credentials on an Active Directory server and can store Kerberos tickets along with other credential types to act as the gatekeeper and accept or reject the credentials provided. You can dump the Kerberos tickets from the LSASS memory just like you can dump hashes. When
you dump the tickets with mimikatz, it will give you a .kirbi file," again, the Rubeus representation, "which can be used to gain domain admin if a domain admin ticket is in the LSASS memory. This attack is great for privilege escalation and lateral movement if there are unsecured domain service account tickets lying around. The attack allows you to escalate to domain admin if you dump a domain admin's ticket and then impersonate that ticket using mimikatz's pass-the-ticket, or PTT, attack, allowing you to act as that domain admin. You can think of a pass-the-ticket attack like reusing an existing ticket; we're not creating or destroying tickets here, we're simply reusing an existing ticket from another user on the domain and impersonating that ticket." That's a long read. Anyway, we've got mimikatz. So mimikatz is going to require an administrative command prompt, we have the credentials, it's stored in the Downloads folder, and privilege::debug will patch and kind of modify our LSASS memory access, and then we can use sekurlsa::tickets /export to export all the .kirbi tickets into the directory that you're currently working in. At this step you can see all the base64-encoded tickets from Rubeus that we would have harvested earlier. All right, let's do it. So we'll get back into our SSH, we've got our boy mimikatz here, and we'll use privilege::debug... is that right? Um, or is it colon debug? Uh, I'm stupid, no, no, no, no, privilege::debug without spaces. I don't have these memorized, let's help my head. Okay, cool, we've, uh, used the privilege to patch that memory access, and then we can use sekurlsa, "secure curls," however you want to say that, and I think it's tickets, it said, and then /export. Nice, that's a lot of stuff. Okay, uh, let me ls the current directory, and now I have a bunch of stuff present. Did it eat mimikatz? Oh no, it just didn't show. Okay, so we got a crap ton of stuff stored in memory, and one of these is going to be a different administrator user, right? So I am currently running as

Administrator, but I want a different administrator. Uh, we all have these .kirbi files. Um, which is the one that I want? OreoByte is still asking, "is Windows Defender on?" Nope, we turned it off. Uh, Swift Liege, thank you so, so much, super appreciate you subscribing. Um, It's GMO says we want 15.95, okay, that gives us the Administrator at the Kerberos ticket granting ticket and a controller. So let me read about why we would want that one. They tell us right out here: "when looking for which ticket to impersonate, I would recommend looking for an Administrator ticket from the krbtgt, just like the one outlined right above." Techno Pizza saying, "if this would be a real hack in a silent situation this would be dang noisy." Yeah. "Now that we have our ticket ready, we can perform a basic pass-the-ticket attack to gain privileged... domain admin privileges. You can use kerberos::ptt to run this command inside of mimikatz with the ticket you've harvested from earlier; it will cache and impersonate the given ticket." Ugh, that is an absolutely disgusting file name, so I'm going to simply rename that real quick, if that's totally cool with you. Let's just move that to, uh, .kirbi. Oop, I literally called it kirby. Uh, hello, hello, kirbi, kribby, kirbi, admin.kirbi, the Furby, hello, what did you do? Did the ticket not... did not do it, why? kirbi, hello, why are you not moving it? Yes, I know it's .kirbi with an i. Um, OreoByte is asking, "are you running PowerShell on Linux?" I am SSH'd into the victim target. Uh, yeah, Titanokai, I know, I was, I was, I was memeing. The file does not want to be renamed. Um, is that because it's not owned by me, because it's, like, it used mimikatz's elite hacks? I don't know. How are they validating that they are who they say they are now? They're using klist. So klist right now tells us that we're the Administrator, Administrator, Administrator at our current host. But if we were to go use mimikatz, mimikatz, and then privilege::debug, let's use
kerberos::ptt and then the name of the ticket, so slap in this thing. Okay, it should theoretically be loaded, and then if you were to exit out of mimikatz, now run klist, we should see that we have nothing new... oh no, no, no, we have this krbtgt ticket. Is that different from the server that we had previously? Why is it, why is it not, why is it not showing me that? Did I, did I not literally just use klist? Oh, it just completely clobbered it, okay, dang. I really would have liked to have seen if there was a, like, definitive difference in what I'd done. Like, I'm sure that I did, I'm sure that I... it is, it is different, but that would have been nice to have the sanity check. "To verify this we can look at the admin share," oh, that's a good idea. So let's go to 10.10.160... or 16.191, admin$. Wow, wow, so we can read the admin share. "Note that this is only a proof of concept to understand how to pass the ticket and gain admin. The way you approach using the password may be different based on the kind of engagement you're in, so don't take this as a definitive guide of how to run the attack." Yeah, no, I follow. Uh, in OSEP, for the Offensive Security Experienced Penetration Tester, I actually used Rubeus to perform the pass-the-ticket attack, because they have a /ptt argument and then it makes it pretty handy and nice and easy. Um, and because mimikatz is often, you know, lights up, it's pretty risky, so, uh, I used Rubeus previously. I understand how it works. Let's talk blue team, how to mitigate these types of attacks. "Don't let your domain admins log into anything," yeah, yeah, just don't use a computer anymore, guys. I mean, realistically this is solid, this is sound advice, I'm making fun of it, but um, "don't let your domain admins log into anything except the domain controller," absolutely. Zero trust, buzzword, artificial intelligence, machine learning, deploy cryptocurrency as part of your domain controller. "Mimikatz is a very popular and powerful post-exploitation tool most commonly used for dumping user credentials inside of

an Active Directory network. However, we'll be using mimikatz in order to create a silver ticket." Nice. "A silver ticket can sometimes be used in engagements rather than a golden ticket because it's a little more discreet. If stealth and staying undetected matter, then a silver ticket is probably a better option than the golden ticket; however, the approach to create one is exactly the same." Thank you so much for following, Circles. Retweet, Circles, RT, I, I said "retweet" out of, out of, you know... Till Kind is mentioning, "yeah, if you have a local admin on any box you can access all the tickets, so if a domain admin is logged onto your box," um, stuff's messed up. "And he approves," is that a thing? "Is there a hacking room where you can make the box mine crypto?" No, I think that's... I think that would be very frowned upon, personally, just my opinion, I could be wrong, I'll have to ask Kitty. Hey, Darkstar, bounty please. That would be funny, though, mine crypto on the attack box. Yeah, no, no, no, no, nope. "The key difference between the two tickets is that a silver ticket is limited to the service that is targeted, whereas a golden ticket has access to any Kerberos service. A specific use case for a silver ticket would be that you want to access the domain's SQL server; however, your current compromised user does not have access to that server. You can find an accessible service account to get a foothold with by Kerberoasting that service; you can dump the service hash and impersonate their TGT in order to request a service ticket for the SQL service from the KDC, allowing you access to the domain's SQL server." I need a drink, standby. We're good, we're good. Pinpointers sponsor. "In order to fully understand how these attacks work, you need to understand what the difference between a KRBTGT and a TGT is. A KRBTGT is the service account for the KDC, the Key Distribution Center, that issues all of the tickets to the clients. If you impersonate this account and create a golden ticket from the KRBTGT, you give yourself the ability to create a service ticket
for anything you want. A TGT is a ticket to a service account issued by the KDC and you can only access that service; the TGT is like from the SQL service ticket." That sentence did not make any sense, yep, moving on. Golden and silver attack. Did the music stop? Have we, have we exhausted all of the music options? I think we have, start again. Oh, all right. "A golden ticket attack works by dumping the ticket granting ticket of any user on the domain. This would preferably be a domain admin; however, for a golden ticket you would dump the krbtgt ticket, and for a silver ticket you would dump any service or domain admin ticket. This will provide you with the service/domain admin account's SID, or security identifier, that's a unique identifier for each user account, as well as the NTLM hash. You can then use these details inside of mimikatz to create a golden ticket attack, or to create a TGT that impersonates the given service account information." Okay, so yeah, if we were to use lsadump::lsa /inject /name:krbtgt, so "dump the hash as well as the security identifier, or the SID, needed to create a golden ticket. To create a silver ticket you need to change the /name: to dump the hash of either a domain admin or a service account, such as the SQLService account." Ah, okay, okay, so we do this all in mimikatz. Let's, let's, let's do it, um, because I am running out of steam, so let's get to it. Golden/silver ticket attack with mimikatz, and let's just steal the syntax here. And I have a question from Ghost in the chat who's asking, "John, did you make the Commonplace challenge?" So check this out, if we go to any challenge in the HacktivityCon CTF, it's a little author tag, and anything that says John Hammond is made by me. I'm teasing, I'm teasing, I'm not trying to be a jerk, I'm not trying to be a pretentious [ __ ], but yes, that's one of my challenges. So let's have some fun. You guys, you guys want to actually, uh, have a little tease? I hope you don't mind, let me, uh, let me do something wacky. Let's move into HacktivityCon

2021, yeah, yeah. Also let's move into, uh, the jeopardy challenges folder, because you guys want to see some magic, magic, really, really interesting stuff. Let's do a python3 library list, and then we can list for any event that we might want to be hosting. Uh, obviously we're hosting HacktivityCon 2021, uh, right now we're working with the pregame, and I'll show you some behind-the-scenes elite stuff. So this is us listing out all of the material that we might use, or the challenges that have been set up for the pregame. Um, we display this in a little Rich chart, so you can see the status of whether or not it's been in development, etc. Um, the name, the display name, category, vulnerabilities that are present, and the author, and what event we might have it in for. So pretty cool, so those are some things. With that said, if we turn this to raw mode and we can pipe to count, we can see how many challenges that we have in here: 27. Yeah, yeah, yeah. Spider's getting freaked out, "hide the..." what? "Hide the vulnerabilities," now, dude, these challenges are already, already up in a bit. Uh, I will however not show you what you will see for the official game, but I will show you how many challenges we have, uh, currently: 53.
Now, currently, currently 53, currently 53 challenges for the official game, maybe more from the time, uh, when the time comes. With that said, um, we also can see what sort of categories we might be up against. I'll just give you, I'll just give you a little bit of a tease, I'll give you a little bit of a... I'll give up a little bit of a leak. Um, Matt, I'm surprised you're still hanging with us, M Alpha. Let's see how many, uh, challenges in each category you might be interested in. We see a significant amount of steganography challenges, uh, a whopping zero. Um, and these numbers are, are subject to change, obviously, right, but um, Matt had a solid question, "hey, how many challenges are in total in this library?" Let's, uh, remove the entire, uh, event filter and let's do a wc, a word count. This is going to take a long time to return... never mind, almost 500. Almost 500 challenges in our library. So, uh, hire me, hire us, give us money, pay us, just, just let us host CTFs for you, but you, you have to pay us. So we got, we got a, we got a significant amount of, uh, training value that we can bring to the table. So you guys thought I was joking around, you thought I was kidding, you thought I was just joshing, little did you know. All right, I should actually do this friggin' golden and silver ticket attack. We're doing this all with mimikatz, right, so we're cheesing, um, but let's fire up mimikatz, kekeo... I kind of just want to walk through the motions right now, I'm not gonna lie. Let's use lsadump and then pour things out for, uh... Elfie Sec, "how much to host for CTF?" Depends on a lot of things, we have a cost calculator. Um, but depending on, like, hey, if you want to run, like, 60 challenges for a weekend, the number goes up. Uh, not going to lie, very, very truthfully, we, I think we gauge, we, we aim to make it a, a reasonable price for an organization, you know, like for, for a company, um, that, that we'd like to, we'd like to be putting this on for, stuff for, for teams and businesses that want to, like, amp up their security chops. So, all

right, we found the SID for the user. Leo Desney, thanks so much for the follow. Welcome, everybody, thank you so, so much for the gift subs, Ghost, you are throwing them out there and I super appreciate it, thank you, thank you, thank you. Um, anyway, let's do a golden and silver ticket attack. So we know the... we, we should be able to figure this out, right? We have all the pieces now because we were able to find the SID, so the SID, krbtgt, and the ID. Where's our SID? Had our SID displayed up here. "There is a post on UserVoice for Twitch that is asking to put cybersecurity as a category on Twitch," says Mr. Crumbs. Yes, I voted for that, um, and I think we should have everyone else vote for that just as well. Okay, "this is the command for creating a golden ticket. To create a silver ticket, put a service NTLM hash in the krbtgt slot, the SID of the service account in the SID, and change the ID to 1103. We'll show a demo of creating a golden ticket; it's up to you to create a silver ticket." Oh, I follow, okay. So ID 500 and the krbtgt is what we need to put in there. That needed an NTLM hash, did it not? Yeah, so the NTLM hash we display... oh shoot, we did that for this guy, we want it for SQLService, do we not? Um, oh, we need to use /inject, right? Yeah, so if we want the NTLM hash of this guy, that's what we'd slap in there, correct? And the Administrator NTLM hash, we do the exact same thing, oh, for Administrator, and that will return their NTLM hash, perfect. Um, and we could create a golden ticket by adding those things in there. Oh, I won't run that syntax, but you can see that present there; you just slap in the krbtgt hash, the NTLM hash that we just saw, and the ID, 500 being the Administrator. Mr. Crumbs, thank you so much for, for sending the link, yes. Uh, See Crons is asking, "is this XFCE?" Yes, I am using XFCE. Uh, Blackwing Is My Domain is asking, "is this privilege escalation to get a domain controller?" Yes, um, we're right now doing some golden and silver ticket stuff with mimikatz, failing at it but having fun. You could use a
silver ticket to work with a service account um and they actually discuss how you could use other machines in here misc::cmd will open a new elevated command prompt with the given ticket any mimikatz that will require you to have rdp that will require to use actually remote desktop protocol uh wow 1800 votes on that uh user voice forum on twitch that's fantastic we should absolutely get more on that because i would love to create a category for that okay kerberos back doors with mimikatz whoa oh this is skeleton key okay let's read through this and let's start to wind this thing down along with maintaining access using the gold and silver tickets mimikatz has one other trick up its sleeve when it comes to attacking kerberos unlike the gold and silver ticket attack kerberos backdoor is much more subtle because it acts similar to a root kit by implanting itself in the memory of domain forest allowing itself access to any of the other machines with a master password the kerberos backdoor works by implanting a skeleton key that abuses the way the as request validates encrypted timestamps a skeleton key only works using kerberos rc4 encryption the default hash for mimikatz skeleton key is this which makes the password mimikatz thanks so much for hanging out hex it great to hang out with you this will only be an overview section will not require you to do anything on the machine however i encourage you to continue yourself on other machines and test using skeleton keys and mimikatz we should play with that sometime soon yeah uh luffy second saying hey look the time for the machine you just have 25 minutes you should add an hour i think we're just about to wrap this up not gonna lie we're at the very very end here hey scene films doing great okay yes mimikatz can do this after privilege::debug um skeleton key with mimikatz you can use misc::skeleton and then it does it wow okay if you access the forest now you can use the default credentials
mimikatz by using the admin share of the domain controller user administrator the share will be accessible without the need for the administrator password that's awesome dir with any machine account mimikatz easy that's crazy cool the skeleton key will not persist by itself because it runs in memory however it can be scripted or persisted using other tools and techniques that are out of scope for this room i think the mayor the i think joe helle the mayor put some stuff on that he had a recent youtube video that showcased some of that i i don't know exactly what he covered so in fact let's find out before i go to youtube i will uh have my screen um and then let's look to see what he recently updated joe helle he's got his wonderful uh powershell for pen testers course did he recently upload i don't see it oh no i thought it would have been i thought i saw it somewhere but maybe i'm wrong if you were to blog on it or maybe did something but meh doing some like domain persistence for maintaining access to an entire act entire compromise active directory pretty cool pretty awesome let's check out the conclusions goodness there's a lot of reading and resources we've gone through everything from the initial enumeration of kerberos dumping tickets pass the ticket attacks kerberoasting as-rep roasting and planting skeleton keys and gold and silver attacks yeah there's a lot this is kind of a fire hose right encourage you to go out and do some more research on these different type of attacks and really find what makes them tick and find the multitude of different tools and frameworks out there designed for attacking kerberos as well as active directory attacks as a whole yep i agree i'd like to tinker with this more but this was a very very fun walkthrough you should know the basic knowledge to go into engagement and be able to use kerberos as an attack vector for both exploitations as well as privilege escalation know that you have the knowledge needed to attack
kerberos i encourage you to figure out configure your own active directory lab on your own and try these out trushall redeemed a message hi hello thanks for coming say hi everybody uh blackwings as my name is asking is this a paid room uh it sounds like only subscribers can deploy virtual machines in this room that's a bummer a lot of good resources very very good stuff let's hit completed here and that is the end of that room goodness i've been hanging out for a long long time hanging out for an hour and 40 minutes for that for that room on its own it's recording we somehow got a two complete streak now because we were across two days that's really funny and uh that is done that is finished we can wrap that up i will uh probably tune out on the recording and then for the stream fellows and friends and folks uh we can start to wind this thing down but thanks so much for hanging out everybody uh youtube everyone say goodbye to youtube goodbye youtube see you later youtube we'll see you in the next video probably the next day probably whenever thanks for hanging out youtube bye youtube look at the chat little saying i love you goodbye youtube son nani bits thank you mr crumbs what a way to end it
Info
Channel: John Hammond
Views: 29,149
Id: lfosOfFfD_g
Length: 101min 23sec (6083 seconds)
Published: Wed Sep 15 2021