VbScrub
United Kingdom
Joined 8 Aug 2019
IT security and software development tutorials, and the occasional Hack The Box machine
Hack The Box - Intelligence
Finally back to doing some HTB machines, and first up is this medium-difficulty Windows machine called Intelligence. It involves some basic scripting to brute-force file names from a web server, taking advantage of the default DNS zone permissions in AD, and getting the password from a poorly configured gMSA.
Videos mentioned:
Kerberos explained - ua-cam.com/video/snGeZlDQL2Q/v-deo.html
Twitter: VbScrub
Web: vbscrub.com
HTB: www.hackthebox.com
00:00 nmap scan
00:54 Web server enum
02:04 Scripting PDF file downloads
07:32 Getting usernames from PDFs
10:32 Finding users with specific password
12:30 Exploring SMB with new creds
14:01 Adding DNS records to force NTLM auth
18:35 Capturing & cracking NTLM auth
21:00 GMSA enum
24:22 Getting password from GMSA
27:20 S4U kerberos delegation attack
30:20 Fixing clock skew error
31:06 PTT and get root flag
Views: 2,526
Videos
Kerberos Silver Ticket Attack Explained
16K views, 2 years ago
I'm finally back and continuing with the Kerberos videos I promised you ages ago. This time we're looking at the silver ticket attack, which lets us pretend to be domain admin for a specific service. Here are the previous videos I mentioned: Kerberos explained: ua-cam.com/video/snGeZlDQL2Q/v-deo.html Kerberoasting: ua-cam.com/video/xH5T9-m9QXw/v-deo.html Golden ticket attack: ua-cam.com/video/o...
Hack The Box - Remote
1.7K views, 3 years ago
My walkthrough of the Hack The Box machine Remote. HTB: hackthebox.eu My Blog: vbscrub.com My Twitter: vbscrub
Hack The Box - ServMon
1.8K views, 4 years ago
My walkthrough of the ServMon machine that was recently retired from HTB. Port forwarding explanation: ua-cam.com/video/JDUrT3IEzLI/v-deo.html HTB: hackthebox.eu My Website: vbscrub.com My Twitter: VbScrub 00:00 Intro 01:45 Port scan 03:12 Web server directory traversal exploit 07:32 FTP enum 09:31 SSH login 11:10 File system enum 13:20 NS Client files 15:54 NS Client web access 19:...
Hack The Box - Monteverde
1.6K views, 4 years ago
My walkthrough of the HTB machine Monteverde. Azure AD DB decryption video: ua-cam.com/video/JEIR5oGCwdg/v-deo.html Powershell code and blog post: blog.xpnsec.com/azuread-connect-for-redteam/ My blog post and exe download: vbscrub.video.blog/2020/01/14/azure-ad-connect-database-exploit-priv-esc/ HTB: www.hackthebox.eu Me: vbscrub.com
Hack The Box - Nest | HTB Machine I Made Myself
2.5K views, 4 years ago
My walkthrough of the HTB machine Nest, which was actually made by me when I first discovered HTB about a year ago. Plenty of things I'd do differently now, as you'll see. HTB: hackthebox.eu Me: vbscrub.com 00:00 Intro 00:55 Nmap scan 02:55 SMB enum (anonymous) 05:10 SMB enum as Tempuser 06:00 Accessing Secure$ share 07:37 Using VB project to decrypt password 11:37 c.smith password decrypted 12...
Hack The Box - Resolute
3.4K views, 4 years ago
My guide to the Resolute machine on Hack The Box. NOTE: This was one of the first videos I recorded several months ago, so the quality might not be the same as more recent videos. Original blog post from Shay Ber explaining the root exploit: medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 My blog post covering some of the things I had to do to get the C ...
Kerberos Explained (In 3 Levels Of Detail)
54K views, 4 years ago
My attempt at explaining how the Kerberos authentication protocol works. See below for links to further reading and things I mentioned in the video: My kerberos attack videos: ua-cam.com/play/PL3B8L-z5QU-Z0bWmjwgUSLGTzm1k_kVZo.html Kerberos spec: tools.ietf.org/html/rfc4120 MS-KILE: docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/b4af186e-b2ff-43f9-b18e-eedb366abf13 Windows Acquire...
Impacket GetUserSPNs & Kerberoasting Explained
27K views, 4 years ago
Using the GetUserSPNs.py script from Impacket in combination with Hashcat to perform the "Kerberoasting" attack, to get service account passwords. For more kerberos attacks and explanations, check out this playlist of my other videos on this topic: ua-cam.com/play/PL3B8L-z5QU-Z0bWmjwgUSLGTzm1k_kVZo.html
Setting Up A Windows VM For HTB Machines
4.2K views, 4 years ago
Showing everything I do to set up a new Windows VM for attacking HTB machines. Here's a list of all the tools I installed (I'm sure you're capable of using google to find download links for them) : Burpsuite Python 2.7 Impacket Netcat Softerra LDAP Browser MS Remote Admin Tools CJWDEV AD Permissions Reporter CJWDEV AD Info VbScrub PortTunnel VbScrub VbRev Notepad Visual Studio Code Visual Studi...
Hack The Box - Control
2.1K views, 4 years ago
My walkthrough of the Control machine on HTB. Other videos mentioned in this one: Port Forwarding Explained: ua-cam.com/video/JDUrT3IEzLI/v-deo.html VbRev Reverse Shell GUI: ua-cam.com/video/XI0VbhMonKc/v-deo.html HTB: hackthebox.eu My Twitter: VbScrub My Blog: vbscrub.com
Making A Reverse Shell GUI
4.1K views, 4 years ago
A quick demonstration of the reverse shell tool I've been working on recently. You can download the tool here: github.com/VbScrub/VbRev/releases/tag/v0.2 Also forgot to say thanks for 1K subscribers, so yeah - Thanks! My blog: vbscrub.com My twitter: VbScrub
Port Tunnelling/Forwarding Explained
6K views, 4 years ago
Explaining port forwarding (aka port tunnelling) My blog: vbscrub.com My Twitter: VbScrub
Hack The Box - Sniper
3.2K views, 4 years ago
My walkthrough of the Sniper machine on HTB. Port forwarding explained: ua-cam.com/video/JDUrT3IEzLI/v-deo.html HTB: hackthebox.eu My Blog: vbscrub.com My Twitter: vbscrub
Hack The Box - Forest
4.7K views, 4 years ago
My walkthrough of the HTB machine "Forest". The other videos I mentioned you should watch to get a better understanding of this one are below: GetNPUsers.py & Kerberos Pre Auth: ua-cam.com/video/pZSyGRjHNO4/v-deo.html DC Sync Attacks: ua-cam.com/video/QfyZQDyeXjQ/v-deo.html Hack The Box: www.hackthebox.eu My Blog: vbscrub.com My Twitter: VbScrub
Kerberos Golden Ticket Attack Explained
42K views, 4 years ago
Getting Passwords When Kerberos Pre-Auth IS Enabled
10K views, 4 years ago
Active Directory Basics For CTF Players
30K views, 4 years ago
GetNPUsers & Kerberos Pre-Auth Explained
20K views, 4 years ago
the best Kerberos explanation on the web
Thanks, I’m studying for the OSCP right now and watching this to confirm my understanding is correct.
Excellent overview of the vulnerability. Thanks for sharing!
Thank you so much for the video! Very well explained subscribed!! :>
Port forwarding or tunneling can be used by attackers to bypass network restrictions. Imagine an attacker, a target system, and a firewall that blocks incoming connections by default. The attacker needs to establish a reverse shell on the target, which listens on a specific port, say 9966. This listener forwards the data it receives to another port, say 5985. The attacker then directs all their traffic to port 5985 through the tunnel set up on port 9966, effectively bypassing the firewall's restrictions. Am I right?
Great video! Thank you so much for sharing.
Hey, is this project still maintained? Can you provide the .exe, maybe?
masterclass
Dude, I'm already on the O drive and can see all the files, but how can I execute shell commands?
One quick question. Step 6: the SQL server also reads the session key, so does that mean the SQL server has user J Smith's account password, or the NTLM hash of J Smith's account password?
Legend
Are you still going to do a video covering AD permissions?
How about meterpreter > kiwi? How can I force the popup of the command line after I execute the command kiwi_cmd "misc::cmd"?
This was useful thank you
Amazing video! Thank you!
Seeing most of this stuff from a PS / Windows perspective whilst only knowing the Linux distros and all the common tools really puts a different perspective on this. I had no clue that you could enumerate shares like this! I would just be smashing CME at this haha. Great videos, I hope you come back to making some more!
Thx
Damn, such a good video. Thanks!
Thanks for that amazing explanation. I was reading more about the attack and landed on passing-the-hash.blogspot.com/2014/09/pac-validation-20-minute-rule-and.html. According to the article, if the ticket is more than 20 mins old, the service will do a PAC validation and the DC will invalidate the ticket, meaning we will not get access. Have you ever faced something like this in your labs?
Wish you'd come back I like watching your write-ups but what I really appreciate is you explaining modern and relevant attacks, few channels and peoples really explain attacks and exploits like you do. Anyways cheers I hope you're doing well and shooting for the stars.
This method of explanation is brilliant, starting simple so you get a chance to understand the principles first, then expanding on that. All the other videos I've seen just dive in at the deep end and it's too confusing.
Great video. Can you share the code you used in the demo?
Best explanation ever! Thank you so much!
Awesome video. In the network adapters line of your VM on VMware Workstation, is your network adapter NAT or Bridged? What is the best way to protect the host when doing HTB labs?
you are a legend
I don't like and subscribe often or leave comments but I thought this video surely needed a bump. You've explained things very well and thoroughly.
cheers
Thank you for your videos, I really appreciate it. But also, if you can, in future videos show us how to see and detect them in the logs; that would be great.
awesome for a reverse shell....
Thank you, particularly for the packet capture at the end! Can you explain the use of the kvno? I see it is 2 for the AS-REP ticket enc-part and 4 for the AS-REP enc-part, then later on it is 6 for the TGS-REP ticket enc-part?
If I set permission for that user, then when I use impacket_psexec I can't log in as that user.
Good
Dude thank you so much. I spent hours trying to understand this process. I felt like I had almost all the parts except a couple steps weren't clicking for me. You made those click. Cheers!
At 30:22, the TGS-REP part. Isn't the session key sent by the TGS supposed to be encrypted with the session key that was previously decrypted with the user password (AS-REP)? Instead of encrypting it with the user password again.
No doubt the most compact and helpful video on the whole internet
May I ask one question? I followed the steps and can see the admin session using klist, but when I use net use to mount the AD's C drive, the username/password is still prompted. Where can I check?
Hey, can you tell me how you disabled everything on the system in order for mimikatz to run? Also, when I want to run mimikatz.exe it does not let me, even though I installed it. Can you help me?
Thank you for the Clear Explanation 🙏🙏, one of the best video on Kerberos authentication and practical demonstration through pcap
26:30 The AS-REQ is encrypted with the user's password, not krbtgt's... right?
I tested this method but I couldn't get the plain text with hashcat. Is there another way to get a silver ticket without cracking the hash?
I see the ticket when I run klist but net use does not work. Tried pushd as well. net use output is "The network name cannot be found." pushd output is: The specified network password is not correct. Same error when I try to dir \\DC\C$ Windows server version is 2019. Firewall is off.
You forgot to mention to enable "advanced features"
Dood
👍👍👍👍👍
@VbScrub - this is the single BEST in-depth explanation and deep dive into Kerberos I've ever seen, and I've read (and watched) **all of them**. I've read the MIT documentation, the Windows & Microsoft documentation, many other Blogs and Guides and videos, and you have single-handedly outclassed them all. Kerberos is an incredibly complex and confusing topic (largely due to the authors of the protocol) that you have broken down and explained step by step of the 5 W's (Where, When, Why, hoW and Who) of modern Kerberos. Thank you so much! Subscribed!
thanks for the kind words!
Absolutely FANTASTIC Kerberos explanation, diagrams, AND demo! Kudos to you! I've already watched it twice. MM
cheers, glad to hear it helped!
Why don't you use impacket-getUserSPN? Is this any different?
Still waiting for your new video
The best!!!!!!!!!!!!!!!!!!!
Is it possible to not worry about the expiration date of the evaluation, or do I need to buy one? I am making a VM that will be saved as an .ova file for local use.
Absolute best description covering this matter. very well done