Let's pull off this Kerberoasting attack. So we're going to use GetUserSPNs, so GetUserSPN. You should be able to auto tab complete that. And now again all we need is that username and password from a domain account. So marvel.local, we're going to say fcastle here and Password1. We need to know the Domain Controller IP. We're going to specify that with -dc-ip like this, and we're going to say 192.168.57.140, or whatever your IP address is, and do a -request.

There you go. So already, very quick is how this happens. It just comes down and it provides us the hash here. So we requested that TGS again. And we can take a look at this and you can see that what came down was a SQL service. Remember, we did set that up, and here it's going to give us this, gave me our krb5tgs hash. So go ahead and copy this, and what we're going to do is put this into my hashes.txt, the same one I've been using, and save that.

So we could do a quick hashcat to find the module, do --help, and we can do a grep on Kerberos like this, and we are after Kerberos 5 TGS-REP, 13100 here.
So what we'll do is we'll come into here and we'll just say, similar to before, hashcat64.exe -m 13100 hashes.txt, and then we'll do rockyou.txt. Go ahead and hit enter after putting a capital -O to optimize. And this should just take a second here as well. So we're going to let this run and then I'm going to give you a little spiel on this password.

So this password is going to crack, and it's going to crack as MYpassword123#, right. And this is a 1, 2, 6, 10, 14 character password. So remember how I said that even though 14 characters is like the minimum I recommend, these passwords that use common words and just look like this, it's not safe. This is a 14 character password and it fell so easily; it's in rockyou.txt. rockyou was the base crack list, right. A good crack list can still crack a 14 character password. And like I said, I've cracked a 19 character password before because it was a Bible verse. So if it's something well-known or easily guessable like this and uses dictionary words, chances are it's going to fall. So I just wanted to harp on that. But the bigger point is we have found the SQL service password.
This is the SQL service domain password here, and we already knew what it was because we discovered it earlier. But this is a domain admin account because it was set up incorrectly. Your service accounts should not be domain admin accounts, but that happens all the time. So we look for these accounts with Kerberoasting. We try to crack these passwords and then we utilize these to access the domain controller, access new areas, even lateral movement. But this is a lot of the times considered vertical movement because it gets us right into a domain controller when these have incorrect permissions set up.

So that's it. This is one of the most common attacks that you will see in a network. Once you get a credential at all, you can try Kerberoasting and see if you can't get a password to crack and leverage that. So let's go ahead and talk about mitigations before we move on to some other attacks.