It's going to take me forever to get anywhere near this level of knowledge of all the systems and commands
@Stonekom a year ago
You better now?
@MarcusJGrey a year ago
@Stonekom Honestly, yes. This guy has been invaluable to me, even if I have pivoted into a different direction. The stuff I learned from this guy's content had a tangible effect on where I am today.
@zzzzzzzzZzZZzzzaZzz a year ago
I would like to ask you, how is your situation now as an employee in the field or what?
@MarcusJGrey a year ago
@zzzzzzzzZzZZzzzaZzz good though out of date by now. I pivoted into a different part of security
@MarcusJGrey a year ago
@zzzzzzzzZzZZzzzaZzz My situation is pretty good and still in the security industry, though I pivoted into a different direction. I used what I learned from this and a few other channels, they certainly were foundational in where I am now.
@sw1mm2 years ago
I was doing the box last night. I finished it myself. I make a habit of then looking at writeups to learn anything new... going back to last night, I spent an hour going through the SMB shares manually. Good times.
@DavidThomsenPhD5 years ago
Could you one day do a video on how you set up your kraken box? I've been thinking about setting up something similar in AWS
@DavidThomsenPhD3 years ago
@IppSec
@Treegrower3 years ago
I think it's just hashcat running on a box with an Nvidia GTX 1080 installed. It's not too fancy to set up. If you want to learn how to use hashcat check out the HTB Academy tutorial.
@TalsonHacks3 years ago
@DavidThomsenPhD dammit, you’re persistent
@armandkruger9113 years ago
I saw this misconfiguration in an environment and thanks for showing your approach, helped me create proper blue-team detection rules. As well as creating a honeytoken account and just removing all the logon hours!
@wolfrevokcats78906 months ago
9:01 smbmap -R (capital R is no longer in latest Kali version). Only -r (lowercase r) is available
@abhijeetbhattacharjee83313 months ago
add --depth flag with -r and it works. smbmap -r Replication -H 10.10.10.100 --depth 10
@Abdelrazik9 days ago
thank you
@zephyfoxy5 years ago
I just grabbed the flag thru SMB actually. Never did PSexec, but would have been fun to do it that way.
@brettnieman34535 years ago
So helpful, thanks a ton as always!! Was looking forward to this video from you! I'm in my OSCP labs right now and the Windows machines are definitely the hardest with the least info out. Thanks again!!!
@striple7655 years ago
windows boxes are a pain in the ass, I'm suffering too
@SudoSrijan a month ago
@striple765 me too
@Xx-nd1rs a year ago
running bloodhound-python remotely in Linux would give the same result but thanks though for the great walkthrough!
@JeiPii5 years ago
For anybody getting an error with smbmap and updatedb make sure you are running root or sudo on the command.
@1stbong4 years ago
thaaaank you, I feel like I've wasted days, no, I have, on not providing the sudo command.
@joshuafranco79984 years ago
Just saved me so much time!
@kryptikmind49755 years ago
So complicated and advanced but it's very informative
@meelfella72225 years ago
hey what happened to the premiere thing?! found it helpful & cool that we could ask you questions!
@ippsec5 years ago
I do it when I'm around to moderate the channel/answer questions. I've been traveling for the past 2-3 weeks.
@scottrainville83035 years ago
This is why you don't use domain administrator accounts to run Kerberos services! The hash of any kerberos service account can be collected via the kerberoasting he does, so ideally every service account has a strong password and follows the principle of least privilege.
@wortug39364 years ago
hey there Ipp, I've got a question. How did you know that in order to decrypt the password you need to use the gppdecrypt program. I mean I know that you've done these boxes before, but even then, is it identifiable just by looking at it?
@ippsec4 years ago
Yes, it is the default way Group Policy stores passwords. Just seeing the password in Groups.xml in the SYSVOL directory tells me what it is.
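Added example, not part of the comment thread or of IppSec's material: a defender-side audit of the behaviour described in the reply above, walking a copy of SYSVOL and reporting every Group Policy Preferences file that still stores a password, without decrypting or printing the value. The file list, the account attribute names and the sample tree are assumptions constructed for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preference files that can carry a cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}
# Attribute names assumed to hold the account, depending on the file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_gpp_passwords(root_dir):
    """Return sorted (relative_path, account, changed) for each stored password.

    The encrypted value itself is never returned or printed.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable file: skip, keep auditing
            for parent in tree.iter():
                for props in parent.findall("Properties"):
                    if not props.get("cpassword"):
                        continue  # attribute absent or already blanked
                    account = next((props.get(a) for a in ACCOUNT_ATTRS
                                    if props.get(a)), "<unknown>")
                    findings.append((os.path.relpath(path, root_dir), account,
                                     parent.get("changed", "<unknown>")))
    return sorted(findings)

def build_sample(root_dir):
    """Write a constructed SYSVOL-like tree; every value is a placeholder."""
    template = ('<?xml version="1.0" encoding="utf-8"?><Groups><User name="{0}" '
                'changed="2018-01-01 00:00:00"><Properties action="U" '
                'cpassword="{1}" userName="{0}"/></User></Groups>')
    samples = {"PolicyA/Groups.xml": template.format(r"EXAMPLE\svc_demo", "PLACEHOLDER"),
               "PolicyB/Groups.xml": template.format(r"EXAMPLE\cleaned", ""),
               "PolicyC/Services.xml": "<NTServices><broken"}
    for rel, body in samples.items():
        path = os.path.join(root_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, account, changed in find_gpp_passwords(tmp):
            print(f"{rel}: stored password for {account} (changed {changed})")
```

Any account the audit reports should have its password rotated and the preference item removed, since the stored value has been readable by every user who can read SYSVOL.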
@WinnnDG3 years ago
Hi @IppSec Do you mind if you can share the specs of your kraken? I saw you were running 4 GPUs, does hashcat auto-detect these GPUs?
@williamwatkins66694 years ago
Hi, I know this is an old video but since you are still active. Could you make the font larger in the terminal. I watch your videos on my phone and it's really hard to read. Great content though
@ippsec4 years ago
I’ve experimented with trying to make it readable on phones. Decided not to as when going into programs like GDB/Ghidra/etc large font makes it difficult in my computer too. I don’t really prepare enough to switch between layouts when recording so don’t think I’ll be increasing it anymore
@gurwindersingh-rs3sl5 years ago
I got results from smbclient and can even get into shares folder but smbmap didn't show anything, not even shared folders. It says Access Denied. Why does it behave like that?
@shankaranarayana65684 years ago
same here
@shankaranarayana65684 years ago
clone the latest smbmap from git
pip3 install --upgrade impacket
or
pip install --upgrade impacket
Then it works fine now
@CS-pw3xy5 years ago
Great video, thank you!
@0xAaeld5 years ago
This box was pretty cool.
@caseylgoodrich5 years ago
I think on that dns issue on the windows box you could change the binding order on the nic but could be wrong
@milesorme94475 years ago
anyone in oscp should watch this video
@theedmbrewery62345 years ago
I am.. Love everything that ippsec does.
@XY-fw6oj5 years ago
indeed this is pretty cool. but way more advanced than oscp with regards the Kerberoasting part, isn't it
@eshaanbansal91224 years ago
8:21, look below, it's telling u which shares are open!
@theedmbrewery62345 years ago
I don't know what is wrong with this box, I've reverted the box and typing smbclient -L //10.10.10.100 -N to list shares but it doesn't give me a list of shares. It says protocol negotiation failed: NT_STATUS_CONNECTION_RESET.
@tohsaka11734 years ago
How would one go about with the Bloodhound step using kali instead of windows?
@ippsec4 years ago
You should really just use Windows. It may be possible to do something similar within impacket, but there are just too many bugs when doing this many types of RPC Calls.
@tohsaka11734 years ago
@ippsec Alright will do, thank you very much for your quick response!
@tigermelissa5 years ago
That's odd, I was able to psexec (the .py version from impacket) to Admin perms with the SVC_TGS. Still a great BloodHound tutorial though!
@huaweimate20pro525 years ago
What's the hardware specification of your kraken machine?
@sowhatsupeirik5 years ago
Last I heard he had 4x 1080s. Might be upgraded since.
@Phaas035 years ago
Yeah you can see when he initializes hashcat that it recognizes 4 1080's. That's the dream right there lol
@lololol1125 years ago
when I scan using the same nmap command (-sV and -sC) it says all ports are filtered and doesn't give any version information :/
@kalidsherefuddin2 years ago
Thanks
@vonniehudson5 years ago
What's the difference between xargs grep and just piping to grep?
@yurilsaps4 years ago
there are some commands that don't work just with pipe, try googling it
@user-tmtien9 months ago
Hello, I want to prevent the use of ldapsearch or other tools to enumerate LDAP on the domain. Can you guide me on how to prevent it?
@zauthentiqz-_11882 years ago
I did this box without bloodhound I just did kerberoasting after I got the password.
@striple7655 years ago
wondering how this box is an easy one lol, I have to watch the video 3 times in a row in order to just understand what is even happening. Anyways thanks for the video #windowsBoxesSucks
@jithinjacob22015 years ago
That's awesome..
@susnoname3 years ago
Does anybody know why I do not see the groups.xml file? Neither when I list files/directories using smbmap nor when I am searching for the file itself: smbmap -R Replication -H 10.10.10.100 -A Groups.xml ?
@ddmiller20093 years ago
add the depth switch as TongaRoots mentioned above "smbmap -R Replication --depth 10 -H 10.10.10.100"
@ernestassimutis62394 years ago
What if smb is still complaining with NT_STATUS_INVALID_INFO_CLASS listing \* ? Thanks
@Claymore403 a year ago
Just one thing: how can you tell that the administrator is kerberoastable by watching the graph in bloodhound? Cause I see you've got the node administrator and the node dc.active.htb.
@chefsputnik15 years ago
Is it possible to connect to the windows machine from Linux, as a non admin user, having the password in plaintext, without RDP enabled?
@ippsec5 years ago
That’s a lot of stipulations. It is possible in bad configurations, ie powershell remoting
@chefsputnik15 years ago
@ippsec Thank you ippsec. It just seems odd to a windows newbie's perspective, that we have several pass-the-hash tools, but no pass-the-pass :)
@TenPester5 years ago
I full screened this at 07:30 before leaving for work, fell asleep at the computer, and woke up with the fear cause I thought it was 11:04am. Forgot I full screened it lol
@SuperMarkusparkus5 years ago
hahaha :D
@CBas-4 years ago
Hello IppSec! man, got hooked with hackthebox, fantastic way to learn about pentesting, trying to clear all the easy ones first and then move on into harder stuff. I have been getting the same error over and over and for some reason I don't find an answer to it, when I run ms17_010_eternalblue to try to gain access to a windows box I always get the same message:
[*] Started reverse TCP handler on 10.10.15.10:4444
[*] 10.10.10.161:445 - Connecting to target for exploitation.
[+] 10.10.10.161:445 - Connection established for exploitation.
[!] 10.10.10.161:445 - Target OS selected not valid for OS indicated by SMB reply
[!] 10.10.10.161:445 - Disable VerifyTarget option to proceed manually...
[-] 10.10.10.161:445 - Unable to continue with improper OS Target.
[*] Exploit completed, but no session was created.
Hope you see this, Thanks for what you do man.
@ippsec4 years ago
That script connects to 445 and enumerates the version (target os) prior to throwing the exploit. It sees the os isn’t compatible with target and exits. Try it on Blue
@Dave-ll2fm3 years ago
any ideas why dns recon keeps maxing out my ram, then overflowing into swap memory and completely freezing my Linux vm? I have upped my ram on my Kali VM to 16gigs and whenever I run dnsrecon it keeps using more and more ram until it maxes it out and completely freezes the virtual machine until I shut it down and start it up again. This can't be normal can it? Appreciate all the videos!
@susnoname3 years ago
the same for me and after some time I get killed my smb connection and I get:
[*] Performing Reverse Lookup from 10.0.0.0 to 10.255.255.255
Killed
my smb works fine until I run dnsrecon
@Dave-ll2fm3 years ago
@susnoname I can't remember how I fixed this but I did. I think I reinstalled Kali from scratch. Actually, I think first I downloaded an older version of dnsrecon from github and used that instead. I think reinstalling Kali from scratch worked for fixing the current version for me though. I can't remember for sure.
@susnoname3 years ago
@Dave-ll2fm thanks! I will try github as reinstalling is something what I really don't want to do.
@cvija9975 years ago
This box is one in the row i couldn't resolve (:
@Reality_mind095 years ago
Getting a user on this was pretty easy, but root was way difficult if you don't have AD exp :-)
@alebored17105 years ago
nmap scan says all ports are filtered for me with same setup
@pratikshetty31233 years ago
getadusers asking for import version tried many way but didn't get results yet
@abhishekchaudhari9705 years ago
I failed to get root ☹️ Thanks for the video ippsec 😊
@frankkesel72525 years ago
I think there's a way to specify DNS in sharphound
@frankkesel72525 years ago
Awesome video . ur the boss
@swift871005 years ago
Could you make a walkthrough on smasher ? I want to see your approach to it.
@ippsec5 years ago
I plan to do it around Christmas time.
@studenciakjpg6020 a month ago
Hi can u send link to video where configure Bloodhound?
@ippsec a month ago
Why not search Ippsec.rocks for bloodhound and choose one of the first videos
@d1gBR5 years ago
holy shit.... 4 1080's....
@theedmbrewery62345 years ago
smbmap -H 10.10.10.100 works fine. Why is this happening?
@shankaranarayana65684 years ago
clone the latest smbmap from git
pip3 install --upgrade impacket
or
pip install --upgrade impacket
Then it works fine now
@iANTVpublicbrothers5 months ago
Hold me accountable yall!!!
@huaweimate20pro525 years ago
Very difficult
@r0tx4644 years ago
hello dear, I have been trying to enumerate Kioptrix1 (which is running samba 2.2.1a) using "smbclient -L host", however, I'm getting NT_STATUS_IO_TIMEOUT error. I looked at the Wireshark output, I found out that the server (Kioptrix) is not responding to the "Negotiate Protocol Request" packet sent by the client. Please I need your help! Thank you in advance.
@albo004 years ago
For anyone getting "Authentication Error" when running smbmap. There are some python packages that need to be installed/updated. See "Install Requirements" section at github.com/ShawnDEvans/smbmap
@karanbhayani55714 years ago
Hey, thanks for that, had been getting that error. I installed the requirements and it still won't work. Still get the same error, any ideas?
@albo004 years ago
@karanbhayani5571 did you install the requirements as sudo?
@gushorz5 years ago
Do you solve machines in a VM? If so , why?
@adishinde5 years ago
I thought this box was boring
@mobileaccount78655 years ago
Try Offshore
@frankkesel72525 years ago
-DNSServer 3.2.1.1
@Saw-o3h4 years ago
can you speak little bit slowly? :-)
@susnoname3 years ago
you can change it on YT video, I am not native, he speaks pretty good not too fast no too slow, just perfect