https://mikehorn-git.github.io/tags/kerberoast/ Recent content in Kerberoast on Mike.Horn Hugo en Sun, 22 Sep 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/sherlocks/campfire-1/ Sun, 22 Sep 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/sherlocks/campfire-1/ <h1 id="q1-analyzing-domain-controller-security-logs">Q1: Analyzing Domain Controller Security Logs</h1> <p>Can you confirm the <strong>date and time</strong> when the <em>Kerberoasting</em> activity occurred?</p> <p>Open <strong>Event Viewer</strong> on the Windows VM and search for <strong>Event ID <a href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769">4769</a></strong>.</p> <blockquote> <p>🕒 Remember to convert your local time to <strong>UTC</strong>.</p> </blockquote> <p><img alt="Kerberoasting Event" loading="lazy" src="../../writeups/htb/sherlocks/campfire-1/2024-09-21T16_52_20,152679715+02_00.png"></p> <hr> <h1 id="q2-targeted-service-name">Q2: Targeted Service Name</h1> <p>What is the <strong>Service Name</strong> that was targeted?</p> <p>Check the &ldquo;Service Information&rdquo; section of the same event:</p> <p><img alt="Service Name" loading="lazy" src="../../writeups/htb/sherlocks/campfire-1/2024-09-21T16_58_06,480108177+02_00.png"></p> <hr> <h1 id="q3-workstation-identification">Q3: Workstation Identification</h1> <p>Identify the <strong>Workstation IP Address</strong> from which the activity originated.</p> https://mikehorn-git.github.io/writeups/htb/sherlocks/campfire-2/ Sun, 22 Sep 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/sherlocks/campfire-2/ <h1 id="q1-when-did-the-as-rep-roasting-attack-occur-and-when-did-the-attacker-request-the-kerberos-ticket-for-the-vulnerable-user">Q1: When did the <em>AS-REP Roasting</em> attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?</h1> <p>Open <strong>Event Viewer</strong> on the Windows VM and search for <strong>Event ID <a href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4768">4768</a></strong>.</p> <p>Look for anomalies in the logs — specifically events where:</p> <blockquote> <p><strong>Pre-Authentication Type:</strong> <code>0</code></p> </blockquote> <p>This indicates that the account does not require Kerberos pre-authentication, making it vulnerable to <em>AS-REP Roasting</em>.</p> <p><img alt="ASREP Event" loading="lazy" src="../../writeups/htb/sherlocks/campfire-2/2024-09-21T18:18:55,910252335+02:00.png"></p> <blockquote> <p>🕒 Remember to convert the timestamp to <strong>UTC</strong> when documenting your findings.</p>