ort forwarding or tunneling can be used by attackers to bypass network restrictions. Imagine an attacker, a target system, and a firewall that blocks incoming connections by default. The attacker needs to establish a reverse shell on the target, which listens on a specific port, say 9966. This listener forwards the data it receives to another port, say 5985. The attacker then directs all their traffic to port 5985 through the tunnel set up on port 9966, effectively bypassing the firewall's restrictions. Am I right?
One Quick Question Step 6: SQL server also read session key so does that mean SQL server has User J smith account password or NTLM has of J smit account's password
Seeing most of this stuff from PS / Windows perspective whilst only knowing the linux distros and all the common tools really puts a different perspective on this. I had no clue that you could enumerate shares like this! I would be just smashing CME at this haha. Great videos, I hope you come back to making some more!
Thanks for that amazing explanation. I was reading more about the attack and landed on passing-the-hash.blogspot.com/2014/09/pac-validation-20-minute-rule-and.html. According to the article, if the ticket is more thatn 20 mins old, the service will do a PAC validation and the DC will invalidate the ticket meaning we will not get access. Have you ever faced something like this in your labs?
Wish you'd come back I like watching your write-ups but what I really appreciate is you explaining modern and relevant attacks, few channels and peoples really explain attacks and exploits like you do. Anyways cheers I hope you're doing well and shooting for the stars.
This method of explanation is brilliant, starting simple so you get a chance to understand the principals first then expand on that. All the other videos I've seen just dive in the deep end and it's too confusing.
Awesome video. In the line of network adapters on your VM on VMware workstation is your network adapter NAT, Bridged what is the best way to protect the host when doing HTB labs ?
Thank you particularly the packet capture at the end! Can you explain the use of the ( kvno ); I see it is 2 for the as-rep ticket enc-part and 4 for as-rep enc-part then later on is 6 for the tgs-rep ticket enc-part?
Dude thank you so much. I spent hours trying to understand this process. I felt like I had almost all the parts except a couple steps weren't clicking for me. You made those click. Cheers!
In 30:22 , TGS-REP part. Isn't the session key sent by TGS suppose to be encrypted with the session key that was previously decrypted with the user password (AS-REP)? Instead of encrypting it with user password agn.
May I ask one question that I followed the steps and can see admin session using klist, But when I use net use to mount AD's C drive, the username/password is still prompt. Where can I check?
Hey, can you tell me how did you disable everything on the system in order for mimikatz to run, also when I want to run mimikatz.exe it does not let me even though i installed it? can you help me?
I see the ticket when I run klist but net use does not work. Tried pushd as well. net use output is "The network name cannot be found." pushd output is: The specified network password is not correct. Same error when I try to dir \\DC\C$ Windows server version is 2019. Firewall is off.
@VbScrub - this is the single BEST in-depth explanation and deep dive into Kerberos I've ever seen, and I've read (and watched) **all of them**. I've read the MIT documentation, the Windows & Microsoft documentation, many other Blogs and Guides and videos, and you have single-handedly outclassed them all. Kerberos is an incredibly complex and confusing topic (largely due to the authors of the protocol) that you have broken down and explained step by step of the 5 W's (Where, When, Why, hoW and Who) of modern Kerberos. Thank you so much! Subscribed!
Is it possible to not worry about the expiration date of the evaluation or do I need to buy one? As I am making a VM that will be saved as an .ova file for local use.
