Attacking Active Directory - Kerberoasting

37,500 views

Conda

Days ago

Kerberoasting is an extremely useful attack method to establish persistence, lateral movement, or privilege escalation in a Windows Active Directory environment. The attack works by having a user request a TGS for an account, typically a service account, that has a Service Principal Name (SPN) associated with it. An attacker could then take that TGS, which is encrypted with the service account's NTLM password hash, and crack the hash offline.
This video uses GetUserSPNs.py from Impacket.
Join my new Discord server: discord.gg/9CvTtHqWCX
Follow me on Twitter for updates: / 0xconda
If you found this video helpful and would like to support future creations, please consider visiting the following links:
Buy Me a Coffee: www.buymeacoffee.com/conda
Check out Impacket: github.com/SecureAuthCorp/imp...
00:00 What is Kerberoasting
05:06 Kerberoasting Setup in Lab
07:40 Kerberoasting Demo
12:21 Kerberoasting Mitigation
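As an added defender-side example (not from the video and not Impacket code), the following Python checks constructed Windows Event ID 4769 records for the pattern the description and the detection questions in the comments point at: a successful TGS request using RC4 encryption type 0x17 for a non-machine service account, and one requester fanning out across several SPNs. The field names are assumed to match the 4769 event body; the events themselves are made up.

```python
# Added example, not from the video: a minimal Kerberoasting detector over
# Windows Security Event ID 4769 (Kerberos service ticket requested) records.
from collections import defaultdict

# Constructed sample events shaped like the 4769 event body (assumed field names).
SAMPLE_4769 = [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "httpsvc", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "backupsvc", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "WS01$@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "carol@CORP.LOCAL", "ServiceName": "DC-1$", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "Status": "0x1f"},
]

# Kerberos etypes: 0x17 = RC4-HMAC (23), 0x18 = RC4-HMAC-EXP (24);
# AES128 is 0x11 (17) and AES256 is 0x12 (18), which are far costlier to crack.
RC4_ETYPES = {"0x17", "0x18"}


def is_roastable_request(ev):
    """True when an issued TGS used an RC4 etype for a non-machine, non-krbtgt service."""
    svc = ev["ServiceName"]
    if ev["Status"] != "0x0":
        return False  # failed requests never hand the requester a ticket to crack
    if svc.endswith("$") or svc.lower() == "krbtgt":
        # Machine accounts have long random passwords; krbtgt entries are TGT
        # renewals rather than a service ticket worth roasting.
        return False
    return ev["TicketEncryptionType"].lower() in RC4_ETYPES


def suspicious_requesters(events, threshold=3):
    """Map requester -> sorted distinct RC4-ticketed services, for requesters at or above threshold."""
    fan_out = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            fan_out[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in fan_out.items() if len(svcs) >= threshold}


if __name__ == "__main__":
    for user, services in suspicious_requesters(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

The single-event filter answers the etype question on its own; the fan-out count is what separates a service account legitimately fetching one ticket from one principal sweeping every SPN the domain advertises.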

Comments: 57
@plugandplayreviews 3 years ago
CONDA is the best infosec YouTuber of all time. Respect bro!!
@c0nd4 3 years ago
Thanks so much!
@ElCyberWizard 1 year ago
I've been working on my GPEN cert and your content has been very helpful with tying everything together at the end of each section!
@randomguy3784 2 years ago
Neat and comprehensive presentation! Great work man.
@c0nd4 2 years ago
Thank you!
@Xx-nd1rs 1 year ago
I like the way you explain things: very simple, clear, informative, organized and to the point. Thanks a lot!
@c0nd4 1 year ago
Thank you!
@offlife77 2 years ago
Awesome mate, keep them coming!
@Stephanus21 1 year ago
Thank you, just started to watch your stuff and you do an amazing job of showing and explaining exactly how it works, thank you so much!
@c0nd4 1 year ago
Thank you!
@dawnS33ker 1 year ago
Very clear and concise video. Thank you, Brandon.
@x7331x 3 months ago
Great on-point explanation of the attack 👏
@chrislearnsIT 2 years ago
Thanks for the high quality content! I just subscribed.
@c0nd4 2 years ago
Thank you!
@crash9706 3 years ago
Yesss more AD. Love the content. Keep it up ❤️
@c0nd4 3 years ago
Thanks! I appreciate it
@harshil. 2 years ago
Great video bro, definitely enjoyed it the whole way through. I'm sure this video will get a bunch of traction now that AD is on the OSCP lmao
@c0nd4 2 years ago
I appreciate it!
@morality1995 2 years ago
I'm literally watching this video prepping to take the new OSCP exam lol
@csheldon3636 1 year ago
Excellent video. A lot easier than the OSCP explanation.
@DanEather 2 years ago
Great vid. Clearly presented. Thanks!
@Eggsec 1 year ago
Thank you for the valuable information, much appreciated.
@jcgm666 2 years ago
Very good explanation! Subscribed
@c0nd4 2 years ago
Thank you!
@teedeearr 11 months ago
I found this very informative. Thanks
@ca7986 3 years ago
You are awesome mate! Gold videos. ❤️
@c0nd4 3 years ago
Thank you! Really appreciate it
@quentingauthier430 3 years ago
Dude, you make awesome videos
@c0nd4 3 years ago
Thank you! I really appreciate the support
@grandmakisses9973 3 years ago
Let's go, I love AD vids
@c0nd4 3 years ago
Me too! Can't wait to do more
@real.xplo1t 3 years ago
Perfect explanation
@c0nd4 3 years ago
Thank you!
@vikassrivastava2058 1 year ago
Great content
@heibai0139 1 year ago
Great video, much more helpful than the OSCP '23 course materials, appreciate it
@aahringer 1 year ago
Well done! Thank you!
@jaylal4899 2 years ago
Very good video! It's much easier to understand Kerberoasting with a practical example. Any chance you can make a video on how to compile Windows kernel exploits using Visual Studio?
@GodlyTank 11 months ago
Thanks a bunch for this
@enleak 3 years ago
Let's goo!
@Umar0x01 3 years ago
Best!!!
@aahringer 1 year ago
Thanks!
@c0nd4 1 year ago
Thank you so much! Very kind of you!
@ajayk643 2 years ago
Subscribed :) :)
@quad7375 9 months ago
Can you go over more AD attacks: golden ticket, silver, DCSync, etc.?
@danielriofrio199 1 year ago
Hey! I was wondering if you could explain something to me please. Per the MITRE ATT&CK definition of Kerberoasting: "Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials." This will result in Windows log EID 4769 with encryption type 0x17. Is this the only time that this is dangerous? Only if this type of encryption was used? Working on a SIEM alarm to detect potential malicious Kerberoasting :)
@adamraserovaquera 5 months ago
11:18 A question here: how can you know that the etype you are searching for is the TGS-REP 23 and not, let's say... the TGS-REP 18 that is at its side?
@underrated_mono9770 9 months ago
If the hostname of the SPN "DC-1" is replaced with another hostname, does it affect the Kerberoasting operation here?
@matiashuartamendia7977 9 months ago
Is it really the NTLM hash inside the service account? I think that RC4 etype encryption of that password is equal to the NTLM hash, but AES-128 or AES-256 is completely different. Hashcat would take a LOT of time to decrypt it if the password is strong enough.
@DinoDulayAwil 2 years ago
Does the tool execution leave some footprint on the server for detection?
@DinoDulayAwil 2 years ago
I understand it requires a compromised account (a normal account will do); can we use another abuse technique that does not require one? A different vector somehow. Thanks.
@c0nd4 2 years ago
The most common way I've seen this vector detected is from SPN enumeration. If you made a request to list all SPNs, some EDR programs may catch it.
@eanglyroeurn8255 2 years ago
Bro, please help by creating more videos related to AD attacks. I know that me and others here will need that resource for OSCP fighting.
@giovanniguarino588 3 years ago
Thank you for your explanation, but this is a very little part of Kerberoasting.
@redreacts2388 1 year ago
I'm taking a course right now that I paid for, but this was a far better explanation of how to exploit this vulnerability.....smh
@lmfao69420 2 years ago
Let's go Brandon!