Your videos are exceptional, thank you so much for taking the time to create these! It's evident that you know your stuff and as such are able to provide the information in a clear and concise way.
@c0nd4 1 year ago
Thank you for the awesome feedback! Glad you're enjoying the videos
@deetee1779 3 years ago
Hi Conda, you explain very clearly. I don't have any AD experience but I was able to understand this video with no issues. Keep up the great work!
@c0nd4 3 years ago
Thank you so much!
@monzerkamal1175 3 years ago
You have great content, I'm looking forward to your upcoming videos.
@c0nd4 3 years ago
Thank you so much!
@harshil. 3 years ago
Another great video thanks again!!!
@huyvuquang2041 3 years ago
Thanks. Very clear explanation
@hexatrace 3 years ago
Nicely Explained. Thank You !!!
@WizardKing24 3 years ago
Amazing video, thanks!
@sul3y 4 years ago
Thanks man. Your content is very useful.
@c0nd4 4 years ago
Thanks! I appreciate it 😁
@VishnuPriyaThammina 2 months ago
Insightful!
@cysecstud9714 2 years ago
Awesome video!!
@balanceandjustice777 3 years ago
The content is on fire!!!!!
@c0nd4 3 years ago
Thank you! 🔥🔥
@haroonrehman8156 2 years ago
Very Well-Explained Good Content Just Like TCM-Security
@ian230187 3 years ago
Hey there, excellent video. Between 02:14 and 02:20, I am trying to understand something. AS REQ has the timestamp encrypted with the user's password, which is then decrypted by the AS in the KDC to verify the timestamp. AS REP contains the TGT and some data encrypted with the user's password. If our intention was to obtain just the user's password, why not brute force the AS REQ instead of the AS-REP? Am I missing something here?
@c0nd4 3 years ago
Great question! The AS_REQ is sent by the client. So the client would be the one performing that timestamp encryption with their password. Since we are the client in this case and we don't know the password, we cannot perform this encryption action. This is the reason that we need to target an account with Kerberos preauthentication disabled. Hope this helps to clarify!
@ian230187 3 years ago
@c0nd4 Still a bit confused. So if I am an attacker, and the client is sending an AS_REQ which is a timestamp encrypted by the user password, why can't I target this and crack the password?
@c0nd4 3 years ago
You are the attacker and the client. You aren't intercepting a request that the client makes, you are essentially "impersonating" the client. But you cannot prove you are the client by encrypting a timestamp with the client password, because you do not know it. So the only way for you to get the client's hash as an attacker is to find a client that doesn't require that encrypted timestamp (preauthentication), then you can send an AS_REQ without that encrypted timestamp. When you receive the TGT in the AS_REP, it will be encrypted with the NTLM hash of the client's password. We can then crack this. This is the first and only time in the process that the attacker will see something that is encrypted with the client's password hash. The encrypted timestamp is never sent at all because preauthentication is disabled.
@hz1056 3 years ago
@c0nd4 Hey, question. Comp sci major here, studying for OSCP soon. I was under the impression that most encryption standards are quite high now with AES, 3DES and RSA. How are these password hashes getting cracked? They should be salted as well? This would take quite a strong computer and too much time to decrypt any hashes.
@c0nd4 3 years ago
By default the TGT is encrypted with RC4, which is a weak algorithm. Even these other hash types can be cracked with enough resources. The hash rates on modern graphics cards are impressive, especially when used in parallel.
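Added example (not part of the comment thread or the video author's material): a defender-side audit of the two conditions discussed above, accounts that do not require preauthentication and accounts not restricted away from RC4. The account rows are constructed sample data, and the function names and priority labels are assumptions of this example; the flag values are the documented `userAccountControl` and `msDS-SupportedEncryptionTypes` bits.

```python
# Added example: audit exported account attributes for AS-REP roasting exposure.
UF_ACCOUNTDISABLE = 0x00000002        # userAccountControl: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # userAccountControl: preauth not required
ENC_RC4_HMAC = 0x04                   # msDS-SupportedEncryptionTypes: RC4 allowed

# Constructed sample rows: (sAMAccountName, userAccountControl,
# msDS-SupportedEncryptionTypes or None when the attribute is unset).
SAMPLE_ACCOUNTS = [
    ("alice", 512, 0x18),           # normal account, AES only
    ("legacy_app", 4194816, 0x18),  # preauth disabled, AES only
    ("old_intern", 4194818, 0x04),  # preauth disabled, but account disabled
    ("svc_backup", 4260352, None),  # preauth disabled, password never expires
]

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def rc4_possible(enc_types):
    """Assumption of this example: an unset or zero value is not an AES-only
    restriction, so it is reported as RC4-possible for review."""
    return not enc_types or bool(enc_types & ENC_RC4_HMAC)


def audit_preauth(accounts):
    """Return findings for accounts that do not require preauthentication."""
    findings = []
    for name, uac, enc_types in accounts:
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue  # preauthentication enforced: nothing to report
        enabled = not uac & UF_ACCOUNTDISABLE
        rc4 = rc4_possible(enc_types)
        if not enabled:
            priority = "low"      # flag set, but the account cannot log on
        elif rc4:
            priority = "high"     # enabled and not restricted to AES
        else:
            priority = "medium"   # enabled, AES only: still password-dependent
        findings.append({"account": name, "enabled": enabled,
                         "rc4_possible": rc4, "priority": priority})
    return sorted(findings, key=lambda f: PRIORITY_ORDER[f["priority"]])


if __name__ == "__main__":
    for finding in audit_preauth(SAMPLE_ACCOUNTS):
        print(finding)
```

Each finding is an account where re-enabling preauthentication removes the exposure; where the flag must stay, a long random password and AES-only encryption types reduce the risk.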
@mepepega3191 1 year ago
thank you!
@tradertrader2649 1 year ago
How do I know if Kerberos pre-auth is disabled? Is there an nmap script that can be used?