1
00:00:00,250 --> 00:00:02,720
Let's talk Kerberoasting.

2
00:00:02,880 --> 00:00:09,650
So in order to talk Kerberoasting we have to understand how Kerberos itself works.

3
00:00:09,660 --> 00:00:16,550
Now there is this great, great infographic here that will tell us how these things work.

4
00:00:16,590 --> 00:00:20,230
So here we have a domain controller.

5
00:00:20,260 --> 00:00:20,610
OK.

6
00:00:20,630 --> 00:00:25,020
And this domain controller is also known as a key distribution center.

7
00:00:25,020 --> 00:00:27,250
And we can call that a KDC here.

8
00:00:27,720 --> 00:00:36,300
We also have our user. Now our user is going to need to authenticate to the domain controller.

9
00:00:36,300 --> 00:00:42,870
When they do that they're going to say, hey, I want to request what is known as a ticket granting ticket.

10
00:00:43,580 --> 00:00:49,000
I'm going to provide my NTLM hash and I'm going to request that ticket from you.

11
00:00:49,050 --> 00:00:56,370
Now the domain controller is going to send back the ticket granting ticket and it's going to encrypt

12
00:00:56,370 --> 00:01:01,230
that ticket with the krbtgt hash.

13
00:01:01,800 --> 00:01:02,490
OK.

14
00:01:02,640 --> 00:01:08,190
What's important here is this KDC is holding the keys, right?

15
00:01:08,220 --> 00:01:12,200
So we have to authenticate with the KDC, that sends it back here.

16
00:01:12,210 --> 00:01:14,250
And now we have a ticket granting ticket.

17
00:01:14,250 --> 00:01:16,770
How did we get this ticket granting ticket?

18
00:01:16,770 --> 00:01:18,810
We supplied an NTLM hash.

19
00:01:18,810 --> 00:01:19,800
What does that mean?

20
00:01:19,800 --> 00:01:23,190
We have a username and a password.

21
00:01:23,190 --> 00:01:24,110
That's it.

22
00:01:24,240 --> 00:01:31,150
Any valid user. Doesn't have to be admin, doesn't have to be anything. Any valid user gets this ticket.

23
00:01:31,150 --> 00:01:32,770
This is how Kerberos works.

24
00:01:32,770 --> 00:01:34,370
This is the authentication.

25
00:01:34,540 --> 00:01:36,040
So we have Frank Castle.

26
00:01:36,100 --> 00:01:37,880
We have Password1.

27
00:01:38,050 --> 00:01:39,870
We have a valid ticket granting ticket.

28
00:01:40,450 --> 00:01:44,550
So from here now let's say we have an application server.

29
00:01:44,710 --> 00:01:45,810
This could be SQL.

30
00:01:45,850 --> 00:01:47,500
This could be antivirus.

31
00:01:47,530 --> 00:01:49,410
It could be whatever you want the application to be.

32
00:01:49,420 --> 00:01:52,900
We just have a service that we're trying to access.

33
00:01:52,900 --> 00:01:59,160
So this service here has what is called an SPN, and that is a service principal name.

34
00:01:59,160 --> 00:02:01,150
And that's going to come into play here in just a second.

35
00:02:02,150 --> 00:02:09,290
But in order to access this service we have to first request a ticket granting service ticket, or this

36
00:02:09,290 --> 00:02:09,810
is a

37
00:02:09,820 --> 00:02:10,250
TGS.

38
00:02:10,280 --> 00:02:11,030
OK.

39
00:02:11,030 --> 00:02:13,510
So we're going to request this TGS.

40
00:02:13,520 --> 00:02:15,080
And how do we request this?

41
00:02:15,080 --> 00:02:17,420
Well, we present our TGT.

42
00:02:17,420 --> 00:02:20,220
So we've already got our TGT, our ticket granting ticket.

43
00:02:20,270 --> 00:02:22,790
We're going to request a service ticket from the server.

44
00:02:23,210 --> 00:02:28,310
Well, the server knows the server account hash.

45
00:02:28,310 --> 00:02:28,580
Right.

46
00:02:28,580 --> 00:02:31,730
And it's going to encrypt that and send it back.

47
00:02:31,730 --> 00:02:38,390
The server does not know if we... the KDC or the server here does not know if we have access to the server

48
00:02:38,390 --> 00:02:39,020
or not.

49
00:02:39,020 --> 00:02:46,910
So it's just going to provide back to us the TGS with the server account hash. This is where Kerberoasting

50
00:02:46,910 --> 00:02:47,540
stops.

51
00:02:47,630 --> 00:02:54,050
However, let's continue. In order to authenticate to that server in the real world, what we would do is we would

52
00:02:54,050 --> 00:03:02,120
present that TGS to the application server and that would then decrypt it using its own server hash

53
00:03:02,630 --> 00:03:08,810
and it would say yes, you have authentication, you are the user that is allowed on this, or no.

54
00:03:08,810 --> 00:03:14,790
And then it's going to send back and say yes or no. We don't need to ever send that out.

55
00:03:14,810 --> 00:03:16,050
This is not important.

56
00:03:16,100 --> 00:03:19,390
It's important to understand what's happening and why this happens.

57
00:03:19,490 --> 00:03:24,220
But the important part to understand here is we have a valid user account which gives us a ticket granting

58
00:03:24,230 --> 00:03:31,820
ticket, steps one and two. With that ticket granting ticket then we can request a service ticket for a service.

59
00:03:32,330 --> 00:03:36,890
That service ticket is going to be encrypted with the server's account hash.

60
00:03:36,890 --> 00:03:38,600
Why does that matter?

61
00:03:38,930 --> 00:03:39,640
Well, guess what?

62
00:03:39,640 --> 00:03:42,950
It's a hash. We can decrypt the hash.

63
00:03:42,950 --> 00:03:47,660
We can try to crack the hash, so we can run a tool.

64
00:03:47,660 --> 00:03:52,680
It's called GetUserSPNs.py. Guess where it's from? Impacket.

65
00:03:52,700 --> 00:03:59,750
Impacket is awesome, and we just say marvel.local, Frank Castle, Password1, we specify the domain

66
00:03:59,750 --> 00:04:02,330
controller IP and we request.

67
00:04:02,330 --> 00:04:04,160
So we're going to request this service ticket.

68
00:04:04,160 --> 00:04:05,210
Right.

69
00:04:05,240 --> 00:04:06,650
And guess what's gonna happen?

70
00:04:06,650 --> 00:04:09,430
We're gonna get this ticket granting service ticket here.

71
00:04:09,470 --> 00:04:11,910
It has the hash here.

72
00:04:12,140 --> 00:04:19,310
That's encrypted with... and we're just going to copy this hash and try to crack it, so we're gonna put

73
00:04:19,310 --> 00:04:26,360
this into hashcat, this big long hash that we get back, and we're gonna crack it pretty easily.

74
00:04:26,360 --> 00:04:28,380
So that's what we're gonna do.

75
00:04:28,430 --> 00:04:31,270
Again, quick refresher just to go back.

76
00:04:31,580 --> 00:04:33,980
We have our ticket granting ticket.

77
00:04:33,980 --> 00:04:40,550
We request that from the KDC. We get that because we have a known user account. Does not have to be a

78
00:04:40,550 --> 00:04:43,340
domain administrator account, known user account.

79
00:04:43,790 --> 00:04:47,680
So once we get credentials we can attempt Kerberoasting from there.

80
00:04:47,690 --> 00:04:54,380
We request this ticket granting service ticket and it's gonna send that back to us and it's going to say,

81
00:04:54,380 --> 00:04:55,130
Here you go.

82
00:04:55,130 --> 00:04:59,320
I'm going to encrypt it with the service hash, and then we don't ever have to present here.

83
00:04:59,330 --> 00:05:02,240
We just take it and we try to crack that.

84
00:05:02,240 --> 00:05:08,590
So let's go ahead and do this hands on, and you'll see this come up again a couple of times.

85
00:05:08,630 --> 00:05:10,600
So let's go ahead, move on to the next video.