Attacking Active Directory - AS-REP Roasting

16,418 views

Conda

A day ago

AS-REP Roasting is an extremely useful attack method to get an initial foothold in a Windows Active Directory environment. This attack is possible when Kerberos pre-authentication is disabled on a user account. A malicious user can abuse this to retrieve an encrypted TGT from the KDC and brute force the user's password offline.
Join my new Discord server: discord.gg/9CvTtHqWCX
Follow me on Twitter for updates: / 0xconda
If you found this video helpful and would like to support future creations, please consider visiting the following links:
Patreon: / conda
Buy Me a Coffee: www.buymeacoff...
Merch: conda.creator-...
Read more about Kerberos: software.intel...
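An added defender-side example (Python, not from the video): it decodes the userAccountControl flag that turns off Kerberos pre-authentication, the condition this attack needs, and flags Security Event 4768 entries where no pre-authentication was used. The account list and the event records are constructed samples; a real audit would pull userAccountControl from the directory over LDAP and read 4768 events from the domain controllers.

```python
# Added example (not from the video). Two defender checks for AS-REP roasting:
#   1) which enabled accounts have "Do not require Kerberos preauthentication" set
#   2) which TGT requests (Event 4768) were served without pre-authentication
DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit: pre-auth not required
ACCOUNTDISABLE   = 0x000002   # userAccountControl bit: account disabled
NORMAL_ACCOUNT   = 0x000200
DONT_EXPIRE_PASSWORD = 0x10000
RC4_HMAC = 0x17               # Kerberos etype 23 (RC4); 0x12 is AES256

# Constructed sample: sAMAccountName -> userAccountControl value
SAMPLE_ACCOUNTS = {
    "alice":   NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
    "svc_old": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH,
    "retired": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE,
}

def roastable_accounts(accounts):
    """Return enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set.
    Disabled accounts are skipped: the KDC will not issue them a TGT."""
    return sorted(name for name, uac in accounts.items()
                  if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE)

# Constructed sample of Event 4768 fields. PreAuthType 2 = encrypted
# timestamp (PA-ENC-TIMESTAMP); PreAuthType 0 = logon without pre-auth.
SAMPLE_4768 = [
    {"TargetUserName": "alice",   "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "svc_old", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    {"TargetUserName": "bob",     "PreAuthType": "2",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
]

def asrep_roast_alerts(events):
    """Return (user, source IP, rc4_used) for every 4768 event served without
    pre-authentication. rc4_used marks the cheaply crackable case."""
    alerts = []
    for e in events:
        if e["PreAuthType"] == "0":
            etype = int(e["TicketEncryptionType"], 16)
            alerts.append((e["TargetUserName"], e["IpAddress"], etype == RC4_HMAC))
    return alerts

if __name__ == "__main__":
    print("pre-auth disabled:", roastable_accounts(SAMPLE_ACCOUNTS))
    print("4768 without pre-auth:", asrep_roast_alerts(SAMPLE_4768))
```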

Comments: 31
@tradertrader2649 1 year ago
How do I know if the Kerberos pre-auth is disabled? Is there an nmap script that can be used?
@haroonrehman8156 2 years ago
Very Well-Explained Good Content Just Like TCM-Security
@mepepega3191 1 year ago
thank you!
@WizardKing24 2 years ago
Amazing video, thanks!
@hexatrace 2 years ago
Nicely explained. Thank you!!!
@jerick347 1 year ago
+1 sub!
@harshil. 2 years ago
Another great video thanks again!!!
@huyvuquang2041 2 years ago
Thanks. Very clear explanation
@aahringer 1 year ago
Your videos are exceptional, thank you so much for taking the time to create these! It's evident that you know your stuff and as such are able to provide the information in a clear and concise way.
@c0nd4 1 year ago
Thank you for the awesome feedback! Glad you're enjoying the videos
@deetee1779 3 years ago
Hi Conda, you explain very clearly. I don't have any AD experience but I was able to understand this video with no issues. Keep up the great work!
@c0nd4 3 years ago
Thank you so much!
@monzerkamal1175 3 years ago
You have great content, I'm looking forward to your upcoming videos.
@c0nd4 3 years ago
Thank you so much!
@Xx-nd1rs 1 year ago
Amazing video, many thanks
@cysecstud9714 2 years ago
Awesome video!!
@sul3y 3 years ago
Thanks man, your content is very useful.
@c0nd4 3 years ago
Thanks! I appreciate it 😁
@balanceandjustice777 2 years ago
The content is on fire!!!!!
@c0nd4 2 years ago
Thank you! 🔥🔥
@ian230187 3 years ago
Hey there, excellent video. Between 02:14 and 02:20 I am trying to understand something. The AS-REQ has the timestamp encrypted with the user's password, which is then decrypted by the AS in the KDC to verify the timestamp. The AS-REP contains the TGT and some data encrypted with the user's password. If our intention was to obtain just the user's password, why not brute force the AS-REQ instead of the AS-REP? Am I missing something here?
@c0nd4 3 years ago
Great question! The AS_REQ is sent by the client. So the client would be the one performing that timestamp encryption with their password. Since we are the client in this case and we don't know the password, we cannot perform this encryption action. This is the reason that we need to target an account with Kerberos preauthentication disabled. Hope this helps to clarify!
@ian230187 3 years ago
@c0nd4 Still a bit confused. So if I am an attacker, and the client is sending an AS_REQ whose timestamp is encrypted by the user password, why can't I target this and crack the password?
@c0nd4 3 years ago
You are the attacker and the client. You aren't intercepting a request that the client makes, you are essentially "impersonating" the client. But you cannot prove you are the client by encrypting a timestamp with the client password, because you do not know it. So the only way for you to get the client's hash as an attacker is to find a client that doesn't require that encrypted timestamp (preauthentication), then you can send an AS_REQ without that encrypted timestamp. When you receive the TGT in the AS_REP, it will be encrypted with the NTLM hash of the client's password. We can then crack this. This is the first and only time in the process that the attacker will see something that is encrypted with the client's password hash. The encrypted timestamp is never sent at all because preauthentication is disabled.
@hz1056 3 years ago
@c0nd4 Hey, question: comp sci major here studying for OSCP soon. I was under the impression that most encryption standards are quite high now with AES, 3DES and RSA. How are these password hashes getting cracked? They should be salted as well? This would take quite a strong computer and too much time to decrypt any hashes.
@c0nd4 3 years ago
By default the TGT is encrypted with RC4 which is a weak algorithm. Even these other hash types can be cracked with enough resources. The hash rates on modern graphics cards are impressive, especially when used in parallel.