GetNPUsers & Kerberos Pre-Auth Explained

19,182 views

VbScrub

1 day ago

Taking a look at the Impacket GetNPUsers.py script and explaining a little bit about Kerberos pre-authentication.
Impacket: www.secureauth...
Kerberos RFC: tools.ietf.org...
My blog: vbscrub.com

Comments: 67
@vbscrub 4 years ago
2:00 - Using GetNPUsers to get encrypted data
3:43 - Cracking the password in hashcat
5:12 - Explaining what makes an account vulnerable to this script
7:29 - LDAP query to find vulnerable users
11:04 - Wireshark capture of Kerberos traffic when we run the script
15:05 - Explaining what Kerberos pre-authentication is
17:50 - Summary
@cbesc 2 years ago
Gold mine of a channel. The way you explain it takes me back to the 2600 quarterly days.
@flo97ist 4 years ago
Great video, really looking forward to that Active Directory one. I like that you mention the real-world relevance.
@MohdAnees-rv7te 2 years ago
Your videos have a lot of depth. It makes it easier for me to remember, as all put together it makes sense. Thank you and please keep posting more videos.
@isitreally 4 years ago
Great job man. I've always wanted to see how the bad configuration that we exploit actually looks from the other side. Looking forward to more of your videos. Cheers!
@mikemutter4521 1 year ago
Your videos are great! Clear, understandable and precise! Thanks for the time you put into this, it's helping me get ready for the OSCP.
@vbscrub 1 year ago
no worries, glad it helped
@georgegreen9145 4 years ago
Now that you explained it, it seems so obvious. In the HTB forums people gave the hint of using Impacket. Most scripts I tried required the user's password and that put me off. Come to find out I missed out on this important script. Great video mate! More AD videos please.
@vbscrub 4 years ago
Yeah, it's one of those things that you either know about or you don't. The first time I had to use it on an HTB box I felt like it was pretty harsh as there's no hint that that's what you need to do. But I guess it teaches you to always just try these things anyway.
@steps0x029a 4 years ago
Thanks for sharing this video! That really helped me understand why GetNPUsers actually works and what it looks like from the other side. Next up is your AD video, guess I'll learn quite a lot from that (as I don't know that much about AD). Thanks again, talk to you on HTB later.
@tech0494 3 years ago
More videos please ❤️❤️
@mohamedraheem1050 4 years ago
Thanks bro, so informative. I would like to see more of these videos describing CTF and exploitation tools and how they work.
@vbscrub 4 years ago
Thanks and yeah there will be more videos like this coming soon :)
@cybersamurai99 3 months ago
This was useful, thank you.
@pauliehorgan 4 years ago
Nice video, it should explain to people why they are running that script instead of them just doing it automatically.
@hxmo656 4 years ago
Really loved this video man, it helped me understand AD more and I finally understand the syntax for GetNPUsers lol. Definitely make another AD video on post exploitation to get DA! Cheers
@ProCipher 4 years ago
I paused the video more than 3 times to give a like :) GJ & Thanks bro
@caiochaves9550 4 years ago
Great video!!
@ibrahimalnafisi432 3 years ago
Amazing. Thanks!
@nopnopnopnopnopnopnop 3 years ago
Thank you!
@teamgoogle2713 2 years ago
Hi! Your videos are amazing and I'm glad I finally found someone who goes into as much depth as I need. You're brilliant, man. Never stop posting. You honestly leave no room for doubts because you're so detailed with everything, and you have no idea how much an overthinker like me appreciates that. I just had one question: were you able to figure out how hashcat/John the Ripper works behind the scenes to actually crack the password? I've been hammering my head trying to find that out but it's just a rabbit hole. Could you please help me out with this?
@vbscrub 2 years ago
I found out roughly how it works, yeah. It looks for specific values in specific locations that are always the same once decrypted. So say the 10th byte in the data always has a value of 80 when the data has been decrypted; it can keep checking for that value after it tries every potential password in the word list, and when it sees that value then it knows it has the correct password. Obviously it's normally based on more than just one byte so that it's more reliable, but yeah, that's basically it. If you look at the hashcat source code on GitHub you can see the actual values it checks for are mentioned in a comment: github.com/hashcat/hashcat/blob/master/OpenCL/m18200_a0-pure.cl
@gizmet6467 4 years ago
This is perfect! Thank you for the video VB! :)
@raghav7633 4 years ago
Amazing video. Paused in between just to subscribe and like. Hope to see more content. Just a suggestion: you could start a series for noobs like me who just shifted their focus from Linux priv esc to Windows.
@vbscrub 4 years ago
Thanks :) I did do an hour-long video introducing people like yourself to Active Directory, so take a look at that one if you've not seen it already. It's called AD Basics.
@MayankMalhotra-ig6vl 1 year ago
The best!!!!!!!!!!!!!!!!!!!
@stevieberg2540 4 years ago
Thanks for the video! Really helped for a Hack The Box challenge. Subscribed and will watch the other videos because they seem interesting.
@vbscrub 4 years ago
Cheers, glad to hear that.
@dojoku88 4 years ago
Thanks a lot VB. This is perfect!
@SP-hz5tp 4 years ago
Awesome! Please consider creating more of those explanations of common tools and techniques! Subscribed! P.S.: Could you cover silver and golden tickets or some more Kerberos in general...
@vbscrub 4 years ago
Thanks! And yeah, that's a good idea, a quick video explaining golden tickets would be easy enough to do.
@SP-hz5tp 4 years ago
VbScrub Nice! Appreciate it! :)
@CarricDooley 4 years ago
Great content! "Waffling on" was not a problem at all! =)
@swift87100 4 years ago
Great job dude!! You earned a subscriber!!
@CodeXND 4 years ago
Thank you, very informative.
@vbscrub 4 years ago
No problem :) more coming soon.
@whitefighter5928 4 years ago
Great job!
@jumpstep7085 4 years ago
Damn it, that's very surprising. I didn't realize it didn't reflect a real-world situation. If not this, what do you think are the most commonly exploited Windows/Windows Active Directory vulnerabilities when it comes to getting a foothold? Thanks heaps for the video @VBScrub
@CatSmiling 4 years ago
Ty for this brah.
@robinhood3841 2 years ago
2:24 when we specify a valid user on the domain, don't we get more results compared to an anonymous user? I mean I encountered CTF machines where I wasn't able to perform this attack unless I had a valid user on the domain, which gives me access to more users.
@soumyanilbiswas_reveng007 3 years ago
Sir, I'm still confused about AS-REP roasting. We are capturing the TGT and the TGT is encrypted by the krbtgt LT key. So after cracking the hash, should we not get the real password of the krbtgt service account rather than getting user account passwords?? When I saw your theory video, I saw that the TGT is encrypted by the krbtgt account password, but when I did the practical in my home lab, I saw the same thing, that I got password hashes of users which have pre-auth disabled... What am I lacking???
@dharanisanjaiy 1 year ago
See the 19:12 timestamp. He is requesting the hash for the jsmith user, so the KDC will encrypt the TGT key with jsmith's password. That's why we are able to retrieve jsmith's password. Whereas for the other user, the KDC needs their password to encrypt, and that's why it showed an error.
@kasireddyvenki5421 4 years ago
Good video bro.
@westernvibes1267 4 years ago
Amazing work explaining why and when to use these. I was so lost and confused by these tools. By the way, can you tell how to extract GPP passwords when you get access to SYSVOL shares? I mean, do you just search through it manually, or is there any tool?
@vbscrub 4 years ago
There are tools that get the GPP passwords, yeah. Just Google it and you'll find some PowerShell scripts that do it.
@nicksmith5654 4 years ago
Hey, I could use your help! I'm trying to run GetNPUsers with a -usersfile flag and end up here --> GetNPUsers.py: error: unrecognized arguments: -usersfile user.txt ... I can't seem to find -usersfile in the usage options --> usage: GetNPUsers.py [-h] [-request] [-outputfile OUTPUTFILE] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] target What do you think? Thank you in advance!
@frankdSda 4 years ago
What do you do to run the Python script directly from cmd without using the header "python3 name.py"? Example! AND NICE VIDEO!!!!
@urnotalone69 3 years ago
The fun thing is that you explained all of this but forgot to explain and show how to download it xd
@lonixlon 3 years ago
So I guess hashcat tries to decrypt the data with all the keys in the wordlist until non-garbage is returned?
@SnakePlissken1 2 years ago
Dude, how did you get this to run on Windows? C:> is DOS??
@jonathancsoy 4 years ago
Well... still not working for me. The same error appears. Can you please write the syntax in Linux?
@6cylbmw 4 years ago
I just tried what you said in the video (using the script with and without specifying usernames) on an HTB machine, but it does not work when I'm not specifying the username.
@vbscrub 4 years ago
Depends which machine. On one of the currently live machines you can do it without specifying a username and it will find a result because anonymous logon has permission to view everything in AD. In another one you need the username because anonymous logon does not have permission to view the user account that has this option set, so the LDAP query the script runs will not find any results.
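The replies above describe the script's LDAP query for accounts with pre-authentication disabled and why it returns nothing when the account is not visible or the flag is not set. The following is an added defender-side audit example (not code from the video or from Impacket): it builds an LDAP filter of the same style and checks constructed userAccountControl values for the UF_DONT_REQUIRE_PREAUTH bit; the sample entries and the function names are invented for illustration.

```python
# Added example, not from the video or Impacket: audit AD user records for the
# "Do not require Kerberos preauthentication" flag that GetNPUsers.py looks for.

# userAccountControl bits, as documented by Microsoft
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000   # decimal 4194304

# OID of the LDAP bitwise-AND extensible matching rule
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def preauth_disabled_filter(include_disabled=False):
    """LDAP filter selecting user objects whose UAC has the no-preauth bit set."""
    clauses = [
        "(objectClass=user)",
        "(!(objectCategory=computer))",
        f"(userAccountControl:{BIT_AND_RULE}:={UF_DONT_REQUIRE_PREAUTH})",
    ]
    if not include_disabled:
        # skip disabled accounts: the KDC will not issue them a ticket anyway
        clauses.append(f"(!(userAccountControl:{BIT_AND_RULE}:={UF_ACCOUNTDISABLE}))")
    return "(&" + "".join(clauses) + ")"


def find_preauth_disabled(entries):
    """Return (sAMAccountName, is_disabled) for every entry lacking pre-auth.

    entries: iterable of (sAMAccountName, userAccountControl) pairs, e.g. the two
    attributes returned by an LDAP search over the domain's user objects.
    """
    return [(name, bool(uac & UF_ACCOUNTDISABLE))
            for name, uac in entries if uac & UF_DONT_REQUIRE_PREAUTH]


# Constructed sample directory entries (name, userAccountControl), not real data
SAMPLE_USERS = [
    ("jsmith", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),           # pre-auth required
    ("svc_legacy", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),     # enabled, exposed
    ("old_contractor", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH),
]

if __name__ == "__main__":
    print("LDAP filter:", preauth_disabled_filter())
    for name, disabled in find_preauth_disabled(SAMPLE_USERS):
        risk = "disabled, lower risk" if disabled else "ENABLED: re-enable pre-auth or set a long random password"
        print(f"{name}: pre-auth not required ({risk})")
```

Run with delegated read access to the user objects, the same query reveals the accounts the script would find; with anonymous or restricted access it can miss them, which is exactly the "No entries found" case discussed above.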
@sva8420 4 years ago
When I'm using GetNPUsers I get "No entries found!"
@6cylbmw 4 years ago
Great one. It feels like you are a little rushed, and considering what you said in the last videos I suppose you are afraid your videos may be too long. Tbh, for me they could be even hours long if you feel like that would be needed. I'm really looking forward to the AD video.
@vbscrub 4 years ago
Thanks for the feedback, I'll bear that in mind for the next one, cheers.
@vbscrub 4 years ago
Maybe there are no accounts with Kerberos pre-auth disabled in the domain you are running it against? Either that or there are some accounts but you do not have permission to view them. On some of the CTF machines I've done, you need to know the username of the user first. Then you run it with domain.local/username instead of just domain.local/
@sva8420 4 years ago
@vbscrub I tried this and I got "Password: [*] Cannot authenticate administrator, getting its TGT [-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set"
@sva8420 4 years ago
Coming from "S@un@ server HTB" :\ if you know what I mean