Attacking Kerberos - I have just completed this room! Check it out: https://tryhackme.com/room/attackingkerberos #tryhackme #Kerberos #Active Directory #Exploitation #Windows #Privilege Escalation #mimikatz #rubeus #kerbrute #Impacket #Kerberoasting #AS-REP Roasting #Golden Ticket #Silver Ticket #Kerbrute #Pass the Ticket #Attacking Kerberos #windows #attackingkerberos via @RealTryHackMe
I thought I had a nice way of detecting #Kerberoasting looking at an event ID and the protocol being RC4 and requestor not ending with $… Nope… #orpheus @ben0xa
https://www.trustedsec.com/blog/the-art-of-bypassing-kerberoast-detections-with-orpheus/
And why am I reading about #WDAC and #Kerberoasting on a Saturday evening? If anyone knows, please let me know cause I have no clue at all.
Ringing in Black Friday by landing a domain controller in my OSCP lab. Pivoted through three machines to get here, but I've arrived! I'd like to thank my friends: mimikatz (an outdated version), autorecon, an unpatched web app with default creds, crackmapexec, certutil, reg save, john, kerberoasting, OneNote, vscode. The list of tools goes on and on. :---) #OSCP #mimikatz #autorecon #crackmapexec #JohnTheRipper #Kerberoasting #pentesting
I have a client that is a royal pain to get any proper maintenance for security or upgrades for security scheduled, but thinks they are secure cuz they have MFA, Sophos and users pass phishing tests.
I took one look at their AD and network and laughed at how pwnable it was.
Today I got back the results from the internal #GreyBox #Pentest and lo and behold... #Kerberoasting #passthehash and a bunch of other shit I've been trying to get permission to fix.
I guess I'll get that scheduled now 🤣🤣🤣
Bypassing #Kerberoasting detections by using TrustedSec’s new #Orpheus tooling.
This changes the request for the juicy SPN you’re after so that the Kerberos options (0x40810010) and
ticket type (RC4 0x17) are no longer used and therefore detected🔥 :thisisfine:
To counter this, create and alert on “Honey SPNs” and hope that the attackers query one of these instead - these accounts should never be queried.
https://www.trustedsec.com/blog/the-art-of-bypassing-kerberoast-detections-with-orpheus/
#Kerberoasting #orpheus #dfir #blueteamtips #activedirectory
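An added example (not from the post above or from TrustedSec) of the honey-SPN alert it recommends, next to the older rule keyed on RC4 (0x17), ticket options 0x40810010 and a requester not ending in `$`. It assumes Security event 4769 (Kerberos service ticket requested) records already parsed into dicts; the decoy account name, hosts and sample events are constructed.

```python
# Hypothetical decoy service account that carries a honey SPN; nothing
# legitimate should ever request a ticket for it.
HONEY_SPN_ACCOUNTS = {"svc-sql-legacy"}

# Constructed, simplified 4769 records (not real log data).
EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc-web",
     "TicketOptions": "0x40810010", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.21"},
    # Request for the decoy with AES and different options (constructed values).
    {"EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc-sql-legacy",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.34"},
    # Ordinary machine-account request.
    {"EventID": 4769, "TargetUserName": "WS01$@CORP.EXAMPLE", "ServiceName": "DC01$",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},
]

def legacy_rule(ev):
    """Older heuristic: RC4 ticket, specific options, requester is not a machine account."""
    if ev.get("EventID") != 4769:
        return False
    requester = ev.get("TargetUserName", "").split("@")[0]
    return (int(ev.get("TicketEncryptionType", "0"), 16) == 0x17
            and int(ev.get("TicketOptions", "0"), 16) == 0x40810010
            and not requester.endswith("$"))

def honey_spn_rule(ev, honey=frozenset(HONEY_SPN_ACCOUNTS)):
    """Fires on any ticket request for a decoy account, whatever the etype or options."""
    return ev.get("EventID") == 4769 and ev.get("ServiceName", "").lower() in honey

def triage(events):
    """Return (index, service, source IP, matching rule names) for each alerting event."""
    rules = (("legacy", legacy_rule), ("honey_spn", honey_spn_rule))
    alerts = []
    for i, ev in enumerate(events):
        hits = [name for name, rule in rules if rule(ev)]
        if hits:
            alerts.append((i, ev.get("ServiceName"), ev.get("IpAddress"), hits))
    return alerts

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

The second sample event is invisible to the legacy rule and is caught only because the requested service is a decoy.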
Why do we still pick easy to guess?
#Kerberoasting with #Impacket #GetUserSPNs.py #Hashcat -m 13100 #passwords #Kerberos