Today, we delved deep into some advanced security topics, focusing on domain attacks like domain hijacking and typosquatting, and techniques such as Pass the Hash and Pass the Ticket.


We kicked off the day with a tough challenge learning how to attack Kerberos, which is used to authenticate users on a network.

Here’s what we covered:

  1. Enumeration: This is the process of discovering information about the system, like finding out which users or services are available for exploitation.
  2. Harvesting: In this context, harvesting refers to gathering sensitive data, like Kerberos tickets, which could be used to gain unauthorized access.
  3. Brute-forcing tickets: This involves attempting to crack Kerberos tickets (which are used to authenticate users) by trying many passwords until one works.
  4. Kerberoasting: This attack targets service accounts by requesting service tickets for these accounts and then trying to crack the tickets offline.
  5. AS-REP Roasting: In this attack, we target accounts that don’t require pre-authentication in Kerberos. We request an AS-REP (authentication response) from the server and then attempt to crack it offline.
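As an added defender-side example (not code from the original post), here is a small Python check that looks for the Kerberoasting and AS-REP Roasting patterns described in items 4 and 5 in constructed, simplified Security-log records. The key=value layout, field names and sample accounts are assumptions for illustration; the event IDs (4768 TGT request, 4769 service-ticket request), the RC4 type code 0x17 and pre-auth type 0 are the standard Windows values, and the threshold is illustrative.

```python
import re
from collections import defaultdict

# Constructed sample Security-log records in a simplified key=value form
# (not real logs). 4768 = TGT requested, 4769 = service ticket requested;
# EncType 0x17 = RC4-HMAC, the cipher offline cracking prefers;
# PreAuthType 0 = TGT issued with no pre-authentication.
SAMPLE_EVENTS = """\
EventID=4769 Account=alice@CORP.LOCAL Service=MSSQLSvc/db01 EncType=0x12 Status=0x0
EventID=4769 Account=alice@CORP.LOCAL Service=http/web01 EncType=0x17 Status=0x0
EventID=4769 Account=alice@CORP.LOCAL Service=MSSQLSvc/db01 EncType=0x17 Status=0x0
EventID=4769 Account=alice@CORP.LOCAL Service=cifs/fs01 EncType=0x17 Status=0x0
EventID=4769 Account=bob@CORP.LOCAL Service=cifs/fs01 EncType=0x12 Status=0x0
EventID=4769 Account=bob@CORP.LOCAL Service=http/web01 EncType=0x17 Status=0x0
EventID=4768 Account=svc_backup@CORP.LOCAL PreAuthType=0 EncType=0x17 Status=0x0
EventID=4768 Account=bob@CORP.LOCAL PreAuthType=2 EncType=0x12 Status=0x0
"""

def parse_events(text):
    """Turn each key=value line into a dict; blank lines are skipped."""
    return [dict(re.findall(r"(\w+)=(\S+)", line))
            for line in text.splitlines() if line.strip()]

def find_asrep_roasting(events):
    """AS-REP Roasting leaves a 4768 with PreAuthType 0 (no pre-auth) and
    an RC4-encrypted reply; return the affected accounts, sorted."""
    return sorted({e["Account"] for e in events
                   if e["EventID"] == "4768"
                   and e.get("PreAuthType") == "0"
                   and e.get("EncType") == "0x17"})

def find_kerberoasting(events, min_spns=3):
    """Kerberoasting shows up as one account requesting RC4 service tickets
    for many distinct SPNs; return requesters that reach min_spns.
    A single RC4 request is normal for legacy hosts, so the count of
    distinct services matters more than any one event."""
    spns = defaultdict(set)
    for e in events:
        if (e["EventID"] == "4769" and e.get("EncType") == "0x17"
                and e.get("Status") == "0x0"):
            spns[e["Account"]].add(e["Service"])
    return sorted(a for a, s in spns.items() if len(s) >= min_spns)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("AS-REP roastable accounts:", find_asrep_roasting(evs))
    print("Possible Kerberoasting by:", find_kerberoasting(evs))
```

In a real environment the same logic would run over 4768/4769 events from the domain controllers, with the window and threshold tuned to the normal RC4 traffic of the estate.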

I then had to understand what a Golden Ticket and a Silver Ticket are:

  • A Golden Ticket is a forged Kerberos ticket granting access to any service within a domain, giving an attacker full control.
  • A Silver Ticket is a forged service ticket that allows access to a specific service within a domain, but not full control over everything.

I also learned how to use Mimikatz to steal a TGT (Ticket Granting Ticket). This works by exploiting vulnerabilities in the system to extract a valid TGT from memory. Once you have the TGT, you can request additional service tickets, allowing you to access resources in the network.


In the afternoon, we shifted gears and got hands-on with ffuf (Fuzz Faster U Fool). It’s a tool used for web enumeration, fuzzing, and directory brute-forcing. With ffuf, I learned how to use wordlists to find hidden directories and pages on websites. I also explored filters like:

  • -fc 403: This filter drops responses whose status code is 403 (“Forbidden”), so they don’t clutter the output.
  • -mc 200: This matcher keeps only responses whose status code is 200 (“Success”), so we focus on pages that actually exist.

To be honest, today was one of those intense days where a lot of new information came at me all at once. But it was exciting, and I definitely feel like I made progress. Last week, I tackled Hydra in a lab, so at least I had some experience with brute-forcing before diving into Kerberos.

All in all, today was challenging but in a good way. Last week was definitely worse on the headache scale (hate you Splunk!).