Understanding Kerberoasting

Kerberoasting is the attack that keeps on giving for adversaries and pentesters alike. First documented in 2014 by Tim Medin, Kerberoasting is a tactic that can be used after an initial compromise to gain access to alternate accounts in an Active Directory domain.

It typically involves an attacker issuing a series of LDAP queries to a Domain Controller in search of user accounts that possess a value known as a Service Principal Name (SPN).

If this value is set on an account, an attacker can request a service ticket (ST) for the identity, which is encrypted with the account’s NT hash. This service ticket can then be cracked offline by the attacker, which, if successful, will allow them to retrieve the cleartext password of the account.
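
The ticket requests described above are logged on the Domain Controller as Security event 4769, so a defender can look for one account requesting RC4 (etype 0x17, the NT-hash-keyed type) tickets for several SPN-bearing accounts in a short span. This is an added example, not material from the video; the simplified field names, the window, the threshold and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # ticket etype whose key is the account's NT hash
WINDOW = timedelta(minutes=5)   # assumed burst window
THRESHOLD = 3                   # assumed: distinct services per window

# Constructed sample of event 4769 records (simplified field names, not real logs).
EVENTS = [
    {"time": "2024-05-01T08:00:00", "user": "bwhite@CORP.EXAMPLE", "service": "svc_sql", "etype": "0x17"},
    {"time": "2024-05-01T08:20:00", "user": "bwhite@CORP.EXAMPLE", "service": "svc_web", "etype": "0x17"},
    {"time": "2024-05-01T08:40:00", "user": "bwhite@CORP.EXAMPLE", "service": "svc_backup", "etype": "0x17"},
    {"time": "2024-05-01T09:00:00", "user": "asmith@CORP.EXAMPLE", "service": "svc_sql", "etype": "0x12"},
    {"time": "2024-05-01T09:30:00", "user": "asmith@CORP.EXAMPLE", "service": "svc_web", "etype": "0x17"},
    {"time": "2024-05-01T10:00:01", "user": "jdoe@CORP.EXAMPLE", "service": "svc_sql", "etype": "0x17"},
    {"time": "2024-05-01T10:00:02", "user": "jdoe@CORP.EXAMPLE", "service": "svc_web", "etype": "0x17"},
    {"time": "2024-05-01T10:00:03", "user": "jdoe@CORP.EXAMPLE", "service": "svc_backup", "etype": "0x17"},
    {"time": "2024-05-01T10:00:04", "user": "jdoe@CORP.EXAMPLE", "service": "FILESRV01$", "etype": "0x12"},
]


def is_roastable_request(ev):
    """True for an RC4 ticket issued for a user-backed service account."""
    svc = ev["service"].lower()
    # Machine accounts (name ends in "$") and krbtgt have long random keys; skip them.
    return int(ev["etype"], 16) == RC4_HMAC and not svc.endswith("$") and svc != "krbtgt"


def find_kerberoast_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Map each requester to the services it hit when it requested RC4
    tickets for >= threshold distinct services inside one sliding window."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roastable_request(ev):
            per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = {}
    for user, reqs in per_user.items():
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:  # shrink window from the left
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                alerts.setdefault(user, set()).update(services)
    return {user: sorted(svcs) for user, svcs in alerts.items()}


if __name__ == "__main__":
    print(find_kerberoast_bursts(EVENTS))
```

Only the burst from `jdoe` is flagged: `bwhite` requests the same three services but spread over 40 minutes, and `asmith` makes a single RC4 request.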
Comments

great video, this was exactly what I needed. Thanks

obadiahbridges

11:17 Using machine accounts instead of AD service accounts is a bad practice. Each service running in this context on the server will have the same password, and more importantly, if an attacker gains local admin rights on the server, he has full control of the service as well. Add the fact that you can't enforce policy with AD and use restrictions... this is not good advice. Actually, the best mitigation you forgot to mention is to add the domain service account to gMSA - Group Managed Service Accounts. This will automatically set a strong random password and rotate it automatically, as well as other hardenings on the service account itself.

MMNTUM