1
00:00:00,000 --> 00:00:04,280
Ever imagined sneaking into like a high security event with a fake ticket?

2
00:00:05,160 --> 00:00:05,880
Oh, yeah.

3
00:00:05,880 --> 00:00:07,400
That's kind of what we're talking about today.

4
00:00:07,400 --> 00:00:08,040
Oh, wow.

5
00:00:08,040 --> 00:00:10,560
We're going deep into Kerberos exploitation attacks.

6
00:00:10,720 --> 00:00:12,760
Yeah, that's a pretty good analogy, actually.

7
00:00:12,760 --> 00:00:17,160
Because Kerberos is basically like the gatekeeper to all the valuable resources on a network.

8
00:00:17,160 --> 00:00:19,480
So it makes sure that only the right people are getting in.

9
00:00:19,480 --> 00:00:21,360
Yeah, like a digital bouncer, you could say.

10
00:00:21,400 --> 00:00:22,200
OK, got it.

11
00:00:22,800 --> 00:00:25,080
But why are we so worried about people exploiting it?

12
00:00:25,320 --> 00:00:27,280
Well, if you can trick Kerberos,

13
00:00:27,280 --> 00:00:30,640
then you can get access to all sorts of sensitive data.

14
00:00:30,640 --> 00:00:34,520
You can maybe control critical systems, cause all kinds of havoc.

15
00:00:34,520 --> 00:00:37,920
So naturally, a lot of attackers are trying to find ways to get past it.

16
00:00:38,080 --> 00:00:38,960
That's scary.

17
00:00:39,600 --> 00:00:44,640
And I heard that our guide for this deep dive is the work of Krishna Kumar Mahadevan,

18
00:00:45,360 --> 00:00:46,600
also known as MKK.

19
00:00:46,800 --> 00:00:47,320
That's right.

20
00:00:47,320 --> 00:00:50,600
And he's a cybersecurity legend with over 28 years of experience.

21
00:00:50,600 --> 00:00:52,000
MKK, yeah.

22
00:00:52,320 --> 00:00:55,200
He's been in the trenches of cybersecurity for decades.

23
00:00:55,200 --> 00:00:59,000
And this document he wrote on Kerberos attacks is like a gold mine.

24
00:00:59,200 --> 00:00:59,680
Wow.

25
00:00:59,680 --> 00:01:00,840
OK, let's get into it.

26
00:01:01,040 --> 00:01:04,800
So first, can you just give us a little crash course on how Kerberos actually works?

27
00:01:04,800 --> 00:01:06,000
I'm a little fuzzy on the details.

28
00:01:06,000 --> 00:01:06,400
Sure.

29
00:01:06,400 --> 00:01:12,120
So at its core, Kerberos is basically a system for verifying identities

30
00:01:12,600 --> 00:01:16,400
and then granting access to different resources on a network.

31
00:01:16,400 --> 00:01:18,480
So you can think of it as like a three-way handshake.

32
00:01:18,480 --> 00:01:19,400
A three-way handshake.

33
00:01:19,400 --> 00:01:22,840
Between the user, the resource they want to access.

34
00:01:22,840 --> 00:01:23,120
Yeah.

35
00:01:23,120 --> 00:01:26,920
And then a trusted third party that's called the Key Distribution Center,

36
00:01:27,440 --> 00:01:28,680
or KDC for short.

37
00:01:28,680 --> 00:01:31,240
It sounds more like a digital dance than a security system.

38
00:01:31,240 --> 00:01:33,840
Yeah, it might sound kind of complicated at first,

39
00:01:34,160 --> 00:01:36,280
but it's actually pretty elegant once you break it down.

40
00:01:36,280 --> 00:01:40,880
So let's say you want to access a file server on your company's network.

41
00:01:41,240 --> 00:01:43,760
You send a request to the KDC and you're basically saying,

42
00:01:43,760 --> 00:01:44,360
hey, it's me.

43
00:01:44,360 --> 00:01:46,080
I want to access this file server.

44
00:01:46,080 --> 00:01:48,160
So you're proving your identity to the KDC.

45
00:01:48,160 --> 00:01:48,480
Right.

46
00:01:48,480 --> 00:01:50,320
And here's where the ticket part comes in.

47
00:01:50,320 --> 00:01:52,320
The KDC will verify your identity.

48
00:01:52,320 --> 00:01:56,520
And then it issues you what's called a ticket granting ticket or a TGT.

49
00:01:56,520 --> 00:01:58,760
Think of it like your temporary ID card.

50
00:01:58,760 --> 00:02:01,160
It doesn't give you access to the file server directly,

51
00:02:01,160 --> 00:02:03,360
but it proves that you're a legitimate user.

52
00:02:03,360 --> 00:02:04,920
Oh, so it's kind of like getting pre-approved.

53
00:02:04,920 --> 00:02:05,320
Exactly.

54
00:02:05,320 --> 00:02:09,720
And then with your TGT, you can request access to the specific resource,

55
00:02:09,720 --> 00:02:11,280
in this case, the file server.

56
00:02:11,280 --> 00:02:14,520
You present your TGT to the server and the server,

57
00:02:14,520 --> 00:02:17,920
because it trusts the KDC, will then grant you access.

58
00:02:17,920 --> 00:02:20,880
So it's kind of like a backstage pass that lets you request access

59
00:02:20,880 --> 00:02:22,440
to different things.

60
00:02:22,440 --> 00:02:23,920
Yeah, that's a great way to put it.

61
00:02:23,920 --> 00:02:25,560
And what's really cool about this system

62
00:02:25,560 --> 00:02:28,880
is that your actual password never travels across the network.

63
00:02:28,880 --> 00:02:32,480
Everything is encrypted and authenticated using special keys.

64
00:02:32,480 --> 00:02:37,720
So it makes it way more secure than traditional password-based authentication.

65
00:02:37,720 --> 00:02:39,080
OK, that's starting to make sense.

66
00:02:39,080 --> 00:02:40,680
I can see why it's so widely used,

67
00:02:40,680 --> 00:02:42,920
especially in these bigger enterprise environments.

68
00:02:42,920 --> 00:02:46,480
Which, speaking of enterprise, I know Kerberos is used a lot

69
00:02:46,480 --> 00:02:48,480
in Microsoft Active Directory, right?

70
00:02:48,480 --> 00:02:49,280
Absolutely.

71
00:02:49,280 --> 00:02:53,280
Active Directory is like a core component of a lot of corporate networks.

72
00:02:53,280 --> 00:02:57,280
And it really relies on Kerberos for authentication and authorization.

73
00:02:57,280 --> 00:03:00,280
So if you've ever worked in like a corporate environment,

74
00:03:00,280 --> 00:03:04,280
you've probably interacted with Kerberos without even realizing it.

75
00:03:04,280 --> 00:03:05,280
Wow, that's fascinating.

76
00:03:05,280 --> 00:03:07,280
OK, so now let's get back to the dark side.

77
00:03:07,280 --> 00:03:10,280
Those Kerberos exploitation attacks.

78
00:03:10,280 --> 00:03:15,280
Knowing now how Kerberos works, how do these attackers actually bypass it?

79
00:03:15,280 --> 00:03:18,280
Well, they've come up with a whole bunch of different techniques.

80
00:03:18,280 --> 00:03:22,280
And each of them targets different vulnerabilities within the Kerberos system.

81
00:03:22,280 --> 00:03:26,280
One common way is just to try to exploit weaknesses in password security.

82
00:03:26,280 --> 00:03:30,280
Like using brute force attacks to crack user credentials.

83
00:03:30,280 --> 00:03:31,280
Ah, good old brute force.

84
00:03:31,280 --> 00:03:34,280
So they just keep guessing passwords until they find one that works.

85
00:03:34,280 --> 00:03:35,280
Exactly.

86
00:03:35,280 --> 00:03:38,280
There are even tools like kerbrute.py and Rubeus

87
00:03:38,280 --> 00:03:41,280
that are made specifically to target Kerberos SDE systems

88
00:03:41,280 --> 00:03:43,280
and they just systematically guess passwords until they get in.

89
00:03:43,280 --> 00:03:44,280
Oh, wow.

90
00:03:44,280 --> 00:03:47,280
So strong and unique passwords are super important.

91
00:03:47,280 --> 00:03:48,280
What else do they do?

92
00:03:48,280 --> 00:03:52,280
Another thing they do is something called overpass the hash or PTH for short.

93
00:03:52,280 --> 00:03:56,280
This one is interesting because it actually targets a common security measure,

94
00:03:56,280 --> 00:03:58,280
which is disabling NTLM.

95
00:03:58,280 --> 00:04:00,280
NTLM, what was that again?

96
00:04:00,280 --> 00:04:03,280
NTLM stands for NT LAN Manager.

97
00:04:03,280 --> 00:04:05,280
It's an older authentication protocol.

98
00:04:05,280 --> 00:04:08,280
And it's known to be vulnerable to certain attacks.

99
00:04:08,280 --> 00:04:13,280
So a lot of organizations disable it and they switch to more secure protocols like Kerberos.

100
00:04:13,280 --> 00:04:15,280
OK, that makes sense.

101
00:04:15,280 --> 00:04:17,280
So how does overpass the hash work with that?

102
00:04:17,280 --> 00:04:22,280
Well, even when NTLM is disabled, systems often still create and store

103
00:04:22,280 --> 00:04:26,280
what's called an NTLM hash of the user's password.

104
00:04:26,280 --> 00:04:29,280
And attackers can take advantage of this by getting a hold of that hash

105
00:04:29,280 --> 00:04:33,280
and then they can use it to request a TGT from the KDC.

106
00:04:33,280 --> 00:04:35,280
Wait, so they're not cracking the password?

107
00:04:35,280 --> 00:04:36,280
Nope.

108
00:04:36,280 --> 00:04:37,280
They're just using the hash as a substitute?

109
00:04:37,280 --> 00:04:38,280
Exactly.

110
00:04:38,280 --> 00:04:41,280
And because the KDC doesn't necessarily know that NTLM has been disabled,

111
00:04:41,280 --> 00:04:44,280
it might just grant the TGT based on the hash alone.

112
00:04:44,280 --> 00:04:47,280
So it's like they're sneaking in through a back door even though the front door is locked?

113
00:04:47,280 --> 00:04:48,280
Perfect analogy.

114
00:04:48,280 --> 00:04:50,280
And that's what makes PTH so dangerous.

115
00:04:50,280 --> 00:04:53,280
It bypasses a security measure that a lot of organizations rely on.

116
00:04:53,280 --> 00:04:55,280
Wow, that's sneaky.

117
00:04:55,280 --> 00:04:56,280
What other tricks do they have?

118
00:04:56,280 --> 00:04:59,280
Another one is called pass the ticket or PTT.

119
00:04:59,280 --> 00:05:04,280
And this involves actually stealing legitimate tickets from memory

120
00:05:04,280 --> 00:05:08,280
and then reusing those tickets to impersonate a legitimate user.

121
00:05:08,280 --> 00:05:11,280
So it's literally like snatching someone's concert ticket and sneaking into the show?

122
00:05:11,280 --> 00:05:12,280
Exactly.

123
00:05:12,280 --> 00:05:17,280
But instead of missing a concert, the consequences here could be much worse.

124
00:05:17,280 --> 00:05:20,280
Imagine an attacker gets access to like your CEO's account.

125
00:05:20,280 --> 00:05:21,280
Oh my gosh.

126
00:05:21,280 --> 00:05:23,280
Okay, so that one's pretty straightforward.

127
00:05:23,280 --> 00:05:26,280
Now we also have silver ticket and golden ticket attacks.

128
00:05:26,280 --> 00:05:29,280
Are these some kind of VIP access?

129
00:05:29,280 --> 00:05:31,280
You could say that.

130
00:05:31,280 --> 00:05:33,280
Let's start with the silver ticket.

131
00:05:33,280 --> 00:05:37,280
You can think of it like a forged ticket to access a specific service on the network.

132
00:05:37,280 --> 00:05:41,280
Attackers create these by using a compromised service account's hash.

133
00:05:41,280 --> 00:05:44,280
So it's more targeted but still really powerful.

134
00:05:44,280 --> 00:05:46,280
What kind of services are we talking about here?

135
00:05:46,280 --> 00:05:51,280
It could be anything from file servers to email servers, even databases.

136
00:05:51,280 --> 00:05:53,280
It really just depends on the service that's being targeted

137
00:05:53,280 --> 00:05:56,280
and the level of access that the compromised account has.

138
00:05:56,280 --> 00:05:59,280
Yeah, and the impact could be huge if it's a really important service.

139
00:05:59,280 --> 00:06:01,280
What about the golden ticket, the holy grail?

140
00:06:01,280 --> 00:06:02,280
The golden ticket.

141
00:06:02,280 --> 00:06:05,280
That grants like unrestricted access to the entire network.

142
00:06:05,280 --> 00:06:08,280
It's like having the master key to every door.

143
00:06:08,280 --> 00:06:12,280
Attackers can create these using the KRBTGT account's hash.

144
00:06:12,280 --> 00:06:15,280
KRBTGT, what is that? Some Lord of the Rings thing?

145
00:06:15,280 --> 00:06:19,280
It might sound like it, but it's actually a real account.

146
00:06:19,280 --> 00:06:21,280
A very important account in the Kerberos world.

147
00:06:21,280 --> 00:06:25,280
The KRBTGT account is basically like the master key holder.

148
00:06:25,280 --> 00:06:28,280
It's the ultimate authority for issuing all the tickets.

149
00:06:28,280 --> 00:06:30,280
Wow, so if they have a golden ticket, they can access anything.

150
00:06:30,280 --> 00:06:31,280
Pretty much.

151
00:06:31,280 --> 00:06:32,280
How is that even possible?

152
00:06:32,280 --> 00:06:34,280
Well, it comes down to that hash.

153
00:06:34,280 --> 00:06:37,280
If an attacker can compromise the KRBTGT account

154
00:06:37,280 --> 00:06:41,280
and they get its hash, they can forge any ticket they want.

155
00:06:41,280 --> 00:06:44,280
And because the KRBTGT password doesn't change very often,

156
00:06:44,280 --> 00:06:47,280
this access can last for a really long time.

157
00:06:47,280 --> 00:06:49,280
That's like a nightmare for a network admin.

158
00:06:49,280 --> 00:06:50,280
Yeah, it is.

159
00:06:50,280 --> 00:06:52,280
Like a ghost in the system that can get into anything.

160
00:06:52,280 --> 00:06:56,280
And what's even worse is these ticket-based attacks are really hard to detect.

161
00:06:56,280 --> 00:06:59,280
Because they're using tickets that look totally legitimate.

162
00:06:59,280 --> 00:07:03,280
So it's really hard for security systems to figure out that they're forged.

163
00:07:03,280 --> 00:07:09,280
So we've got brute force, overpass the hash, pass the ticket, the silver ticket,

164
00:07:09,280 --> 00:07:11,280
and the dreaded golden ticket.

165
00:07:11,280 --> 00:07:13,280
That's a lot of tricks.

166
00:07:13,280 --> 00:07:14,280
What else?

167
00:07:14,280 --> 00:07:16,280
There are a couple more that we haven't talked about yet.

168
00:07:16,280 --> 00:07:19,280
One is called AS-REP Roasting.

169
00:07:19,280 --> 00:07:23,280
And it goes after the lack of something called pre-authentication.

170
00:07:23,280 --> 00:07:25,280
That happens in some Kerberos setups.

171
00:07:25,280 --> 00:07:28,280
Okay, before we go any further, I want to make sure that we're all on the same page here.

172
00:07:28,280 --> 00:07:30,280
What is pre-authentication?

173
00:07:30,280 --> 00:07:35,280
You can think of pre-authentication as like an extra layer of security, like at the front door.

174
00:07:35,280 --> 00:07:39,280
It requires users to prove who they are before they even get a ticket from the KDC.

175
00:07:39,280 --> 00:07:45,280
It's like a challenge response system where the user has to give some specific information that only they should know.

176
00:07:45,280 --> 00:07:49,280
So without pre-authentication, it's easier for those attackers to impersonate users.

177
00:07:49,280 --> 00:07:50,280
Exactly.

178
00:07:50,280 --> 00:07:53,280
They can send authentication requests to the KDC.

179
00:07:53,280 --> 00:07:59,280
And if pre-authentication isn't turned on, they can use the response they get back to try and crack the user's password offline.

180
00:07:59,280 --> 00:08:01,280
That's like leaving the key under the doormat.

181
00:08:01,280 --> 00:08:02,280
Yeah, pretty much.

182
00:08:02,280 --> 00:08:09,280
Enabling pre-authentication is a really simple but effective way to make it a lot harder for attackers to exploit that vulnerability.

183
00:08:09,280 --> 00:08:11,280
Right. Always lock your doors.

184
00:08:11,280 --> 00:08:12,280
Yeah.

185
00:08:12,280 --> 00:08:14,280
Okay, what about that last technique you mentioned?

186
00:08:14,280 --> 00:08:16,280
The last one is called Kerberoasting.

187
00:08:16,280 --> 00:08:21,280
And it targets service accounts, which usually have elevated privileges on the network.

188
00:08:21,280 --> 00:08:24,280
Service accounts, those are the ones that are used by applications and services, right?

189
00:08:24,280 --> 00:08:26,280
Right. Not actual human users.

190
00:08:26,280 --> 00:08:27,280
Okay.

191
00:08:27,280 --> 00:08:31,280
These accounts are used to manage different tasks and services on the network.

192
00:08:31,280 --> 00:08:35,280
And they typically have more permissions than a regular user account.

193
00:08:35,280 --> 00:08:42,280
Kerberoasting involves gathering encrypted TGS tickets, those are the ones that we talked about earlier,

194
00:08:42,280 --> 00:08:46,280
that give access to specific services, and then they try to crack them offline.

195
00:08:46,280 --> 00:08:47,280
So it's a slower attack?

196
00:08:47,280 --> 00:08:48,280
Yeah.

197
00:08:48,280 --> 00:08:53,280
But it could be really rewarding for attackers if they can crack those service account credentials.

198
00:08:53,280 --> 00:08:54,280
Exactly.

199
00:08:54,280 --> 00:08:58,280
And it's interesting because each of these attacks targets a different part of the Kerberos system.

200
00:08:58,280 --> 00:09:05,280
Some focus on taking advantage of weak passwords, while others go after vulnerabilities in the whole ticket granting process.

201
00:09:05,280 --> 00:09:08,280
So they're basically looking for any weak point.

202
00:09:08,280 --> 00:09:09,280
That's a good way to put it.

203
00:09:09,280 --> 00:09:14,280
That's why it's so important to have a multi-layered security approach when it comes to Kerberos.

204
00:09:14,280 --> 00:09:15,280
Absolutely.

205
00:09:15,280 --> 00:09:23,280
Now, thinking about your own work environment, what are some of the key things we've talked about that stand out to you as either really relevant or concerning?

206
00:09:23,280 --> 00:09:25,280
That's a really good question.

207
00:09:25,280 --> 00:09:34,280
It's easy to get kind of lost in all the technical details, but it's important to stop and think about how these vulnerabilities could be exploited in a real scenario,

208
00:09:34,280 --> 00:09:36,280
especially in your own environment.

209
00:09:36,280 --> 00:09:37,280
Exactly.

210
00:09:37,280 --> 00:09:43,280
So now let's switch gears a little bit and talk about what we can actually do about these threats.

211
00:09:43,280 --> 00:09:47,280
Knowing about the enemy is one thing, but defending ourselves is a whole other story.

212
00:09:47,280 --> 00:09:48,280
You're absolutely right.

213
00:09:48,280 --> 00:09:51,280
Knowledge is power, but action is key.

214
00:09:51,280 --> 00:09:56,280
And luckily, there are a lot of really effective ways to reduce these Kerberos risks,

215
00:09:56,280 --> 00:09:59,280
like we were saying before, strong password security is like the foundation.

216
00:09:59,280 --> 00:10:04,280
Right. Brute forcing those passwords seems to be one of the first things the attackers try.

217
00:10:04,280 --> 00:10:09,280
So what are some of the best practices for making those passwords really strong?

218
00:10:09,280 --> 00:10:10,280
It starts with the basics.

219
00:10:10,280 --> 00:10:16,280
Enforcing strong password policies, making sure that passwords are long enough that they're complex,

220
00:10:16,280 --> 00:10:20,280
that they include upper and lower case letters, numbers, and special characters.

221
00:10:20,280 --> 00:10:22,280
Okay, so that's the usual advice.

222
00:10:22,280 --> 00:10:27,280
Yeah. But beyond that, you need to make sure people are changing their passwords regularly.

223
00:10:27,280 --> 00:10:31,280
And don't underestimate multi-factor authentication.

224
00:10:31,280 --> 00:10:36,280
Adding that extra layer of verification makes it way harder for attackers to compromise accounts,

225
00:10:36,280 --> 00:10:39,280
even if they do manage to get their hands on a password.

226
00:10:39,280 --> 00:10:41,280
Right. It's like a double lock on your door.

227
00:10:41,280 --> 00:10:43,280
But what about those ticket-based attacks?

228
00:10:43,280 --> 00:10:48,280
Is there any way to actually stop someone from stealing or forging those Kerberos tickets?

229
00:10:48,280 --> 00:10:50,280
They seem like they're pretty hard to catch.

230
00:10:50,280 --> 00:10:53,280
There are definitely ways to make it a lot harder for them.

231
00:10:53,280 --> 00:10:55,280
One thing is to limit the ticket lifetime.

232
00:10:55,280 --> 00:10:59,280
The shorter the lifespan of a ticket, the less useful it is to an attacker.

233
00:10:59,280 --> 00:11:02,280
Oh, that makes sense. It's like an expiration date on access.

234
00:11:02,280 --> 00:11:07,280
Exactly. If someone manages to steal a ticket, it's only going to be good for a short period of time.

235
00:11:07,280 --> 00:11:11,280
Another thing you can do is restrict the privileges of those service accounts.

236
00:11:11,280 --> 00:11:15,280
Remember how we talked about silver tickets and golden tickets?

237
00:11:15,280 --> 00:11:18,280
Those usually rely on a compromised service account.

238
00:11:18,280 --> 00:11:20,280
Right. The ones that have more access than regular users.

239
00:11:20,280 --> 00:11:28,280
Exactly. So by limiting what those accounts can actually do and what resources they can access,

240
00:11:28,280 --> 00:11:33,280
you're basically reducing the potential damage if an attacker does manage to compromise them.

241
00:11:33,280 --> 00:11:35,280
It's like containing the blast radius.

242
00:11:35,280 --> 00:11:36,280
That's a great way to think about it.

243
00:11:36,280 --> 00:11:40,280
And of course, keeping all your systems patched and up-to-date is really important.

244
00:11:40,280 --> 00:11:43,280
A lot of these attacks take advantage of known vulnerabilities.

245
00:11:43,280 --> 00:11:46,280
Patching those holes is like locking your windows and doors.

246
00:11:46,280 --> 00:11:50,280
Right. So it's a combination of good security hygiene, proactive measures,

247
00:11:50,280 --> 00:11:52,280
and making the system itself stronger.

248
00:11:52,280 --> 00:11:55,280
Exactly. And don't forget about monitoring.

249
00:11:55,280 --> 00:12:01,280
You need to have systems in place to be able to detect any suspicious activity related to Kerberos.

250
00:12:01,280 --> 00:12:07,280
Unusual login attempts, failed authentications, ticket requests that are coming from weird places.

251
00:12:07,280 --> 00:12:10,280
Those are all red flags that you need to look into.

252
00:12:10,280 --> 00:12:15,280
It's not enough to just set up defenses. You have to actively watch what's going on

253
00:12:15,280 --> 00:12:17,280
and make sure everything is working properly.

254
00:12:17,280 --> 00:12:20,280
It's like having security cameras and guards patrolling the perimeter.

255
00:12:20,280 --> 00:12:26,280
That's a great analogy. You need to be vigilant and proactive, always looking out for potential threats.

256
00:12:26,280 --> 00:12:33,280
Now, I'm curious. From what you've seen, what's the biggest mistake that organizations make when it comes to Kerberos security?

257
00:12:33,280 --> 00:12:35,280
Is there a common blind spot?

258
00:12:35,280 --> 00:12:40,280
Today, the most common mistake is underestimating the importance of configuration and maintenance.

259
00:12:40,280 --> 00:12:47,280
Kerberos can be pretty complicated, and it's easy to misconfigure things or to let security practices kind of slip over time,

260
00:12:47,280 --> 00:12:51,280
but those small oversights can be exactly what attackers are hoping for.

261
00:12:51,280 --> 00:12:53,280
Right. So it's not something you can just set up and forget about.

262
00:12:53,280 --> 00:12:54,280
Nope.

263
00:12:54,280 --> 00:12:56,280
You have to constantly stay on top of it and follow the best practices.

264
00:12:56,280 --> 00:12:59,280
Security is a journey, not a destination.

265
00:12:59,280 --> 00:13:04,280
You always have to be adapting and evolving your defenses to stay ahead of the bad guys.

266
00:13:04,280 --> 00:13:10,280
Well said. Speaking of journeys, MKK himself has been on quite a journey in the cybersecurity world.

267
00:13:10,280 --> 00:13:12,280
I'd love to hear more about him and his work.

268
00:13:12,280 --> 00:13:15,280
Can you tell us a little bit about his background and his expertise?

269
00:13:15,280 --> 00:13:23,280
Sure. Krishna Kumar Mahadevan, or MKK, as he's known in the community, is really a legend in the cybersecurity world.

270
00:13:23,280 --> 00:13:25,280
He has over 28 years of experience.

271
00:13:25,280 --> 00:13:31,280
He's consulted for so many organizations, helping them figure out cloud transformation and security.

272
00:13:31,280 --> 00:13:36,280
He even wrote a whole book about Kerberos exploitation, which is actually where we're getting all this great information from.

273
00:13:36,280 --> 00:13:39,280
Wow, that's amazing. He clearly knows what he's talking about.

274
00:13:39,280 --> 00:13:44,280
And I understand he's a big advocate for sharing knowledge and helping other people learn about cybersecurity.

275
00:13:44,280 --> 00:13:50,280
Absolutely. He really believes that the more people understand these threats, the better we'll all be at protecting ourselves.

276
00:13:50,280 --> 00:13:52,280
And we definitely support that mission.

277
00:13:52,280 --> 00:13:59,280
So for any of our listeners who want to learn more about Kerberos attacks and how to protect themselves, what resources would you recommend?

278
00:13:59,280 --> 00:14:05,280
Well, MKK's book is definitely a must-read for anyone who wants to really dive deep into Kerberos security.

279
00:14:05,280 --> 00:14:13,280
He also has a fantastic website, mkkpro.com, where he shares tons of information on all sorts of cybersecurity topics.

280
00:14:13,280 --> 00:14:20,280
And don't forget MITRE ATT&CK. It's a knowledge base of all these different adversary tactics and techniques.

281
00:14:20,280 --> 00:14:23,280
And they have a whole section on Kerberos exploitation.

282
00:14:23,280 --> 00:14:27,280
It's a great way to see real world examples of how these attacks are actually being used.

283
00:14:27,280 --> 00:14:34,280
That's right. MITRE ATT&CK is a fantastic resource for understanding the tactics and techniques that real attackers are using.

284
00:14:34,280 --> 00:14:39,280
It can really help you understand the connection between the technical details and the impact of these attacks.

285
00:14:39,280 --> 00:14:43,280
Awesome. The more you know, the better prepared you'll be to defend your own systems.

286
00:14:43,280 --> 00:14:47,280
But before we move on, I have a thought-provoking question for our listeners.

287
00:14:47,280 --> 00:14:53,280
If you were an attacker, which Kerberos exploit would you be most likely to use and why?

288
00:14:53,280 --> 00:14:55,280
Put yourself in their shoes for a minute.

289
00:14:55,280 --> 00:14:58,280
That's a great question. It really makes you think like an attacker.

290
00:14:58,280 --> 00:15:01,280
And consider which vulnerabilities would be most appealing.

291
00:15:01,280 --> 00:15:04,280
Exactly. It helps you understand their motivations and their tactics.

292
00:15:04,280 --> 00:15:07,280
And hopefully it encourages you to strengthen your own defenses.

293
00:15:07,280 --> 00:15:09,280
Now, that's a valuable takeaway.

294
00:15:09,280 --> 00:15:12,280
So we've explored the world of Kerberos exploitation.

295
00:15:12,280 --> 00:15:17,280
We've tried to understand how the attackers think, and we've learned some ways to make our system stronger.

296
00:15:17,280 --> 00:15:23,280
But before we wrap up, I want to take a moment to appreciate how complex this whole Kerberos system really is.

297
00:15:23,280 --> 00:15:26,280
It really is an amazing protocol. Just think about it.

298
00:15:26,280 --> 00:15:33,280
It's designed to securely authenticate users and grant access to resources across a huge network.

299
00:15:33,280 --> 00:15:36,280
All while preventing things like eavesdropping and replay attacks.

300
00:15:36,280 --> 00:15:39,280
It's a pretty remarkable feat of engineering.

301
00:15:39,280 --> 00:15:44,280
Yeah, it is. And like any complex system, it has its vulnerabilities, which is what makes it so fascinating.

302
00:15:44,280 --> 00:15:47,280
But also a little bit scary from a security perspective.

303
00:15:47,280 --> 00:15:52,280
Definitely. And I think what's especially interesting about these attacks that we've been talking about

304
00:15:52,280 --> 00:15:56,280
is that they really highlight different aspects of the Kerberos architecture.

305
00:15:56,280 --> 00:16:01,280
Some of them, like pass the ticket or golden ticket, take advantage of the ticket granting process itself.

306
00:16:01,280 --> 00:16:08,280
While others like AS-REP roasting or Kerberoasting target the encryption and hashing mechanisms.

307
00:16:08,280 --> 00:16:13,280
It's like the attackers are playing a game of chess, trying to outmaneuver the Kerberos system.

308
00:16:13,280 --> 00:16:15,280
That's a great analogy.

309
00:16:15,280 --> 00:16:18,280
And as defenders, we need to be thinking a few steps ahead,

310
00:16:18,280 --> 00:16:22,280
anticipating what they might do and making sure our defenses are strong enough.

311
00:16:22,280 --> 00:16:31,280
MKK talks a lot about the importance of understanding not just how these attacks work, but also WHY.

312
00:16:31,280 --> 00:16:33,280
Why do you think that is?

313
00:16:33,280 --> 00:16:35,280
Knowing the technical details is important.

314
00:16:35,280 --> 00:16:43,280
But understanding the motivations and the goals behind these attacks can actually help us do a better job of predicting and preventing them.

315
00:16:43,280 --> 00:16:45,280
Exactly. It's like profiling a criminal.

316
00:16:45,280 --> 00:16:50,280
The more you know about how they think and what they're after, the better chance you have of stopping them.

317
00:16:50,280 --> 00:16:55,280
Right. For example, if you understand why an attacker might go after a specific service account,

318
00:16:55,280 --> 00:17:01,280
or why they might choose one type of attack over another, that can give you valuable insights into their strategy.

319
00:17:01,280 --> 00:17:04,280
It's about connecting the dots and seeing the big picture.

320
00:17:04,280 --> 00:17:07,280
And I think that's a really important takeaway for everyone listening.

321
00:17:07,280 --> 00:17:09,280
Don't just get stuck on the technical details.

322
00:17:09,280 --> 00:17:14,280
Try to understand what the attackers are trying to achieve and what methods they're likely to use.

323
00:17:14,280 --> 00:17:16,280
It's all about thinking like the adversary.

324
00:17:16,280 --> 00:17:20,280
Which can actually be a really helpful tool in your security toolkit.

325
00:17:20,280 --> 00:17:24,280
So we were talking about how attackers are using these readily available tools.

326
00:17:24,280 --> 00:17:26,280
Yeah, like Mimikatz, Kerbrute, Rubeus.

327
00:17:26,280 --> 00:17:30,280
Exactly. And that anyone can download and use them.

328
00:17:30,280 --> 00:17:33,280
Yeah. It's kind of scary how easy it is to get your hands on them.

329
00:17:33,280 --> 00:17:37,280
Right. So it's not just nation-state hackers that we need to worry about anymore.

330
00:17:37,280 --> 00:17:39,280
It could be anyone with a little bit of technical knowledge.

331
00:17:39,280 --> 00:17:41,280
Pretty much anyone, yeah.

332
00:17:41,280 --> 00:17:47,280
That's why it's so important for organizations of all sizes to be really serious about Kerberos security.

333
00:17:47,280 --> 00:17:49,280
Don't just assume that it won't happen to you.

334
00:17:49,280 --> 00:17:51,280
Right. No one is immune to these attacks.

335
00:17:51,280 --> 00:17:54,280
Complacency is not going to fly in the cybersecurity world.

336
00:17:54,280 --> 00:17:55,280
Definitely not.

337
00:17:55,280 --> 00:17:57,280
Attackers will go after any weakness they can find.

338
00:17:57,280 --> 00:18:01,280
It doesn't matter what industry you're in or how big your company is.

339
00:18:01,280 --> 00:18:06,280
So it's not a matter of if you'll get targeted, it's when.

340
00:18:06,280 --> 00:18:08,280
Yeah. That's the reality, unfortunately.

341
00:18:08,280 --> 00:18:13,280
But the good news is that we have the tools and the knowledge to defend ourselves.

342
00:18:13,280 --> 00:18:15,280
Love that. We're not powerless.

343
00:18:15,280 --> 00:18:17,280
Nope. We've talked about so many different things.

344
00:18:17,280 --> 00:18:25,280
Strengthening passwords, limiting ticket lifetimes, restricting privileges, patching systems, monitoring everything closely.

345
00:18:25,280 --> 00:18:28,280
Those are all things that we can do to make our networks more secure.

346
00:18:28,280 --> 00:18:31,280
Absolutely. And one of the most important things you can do is just keep learning.

347
00:18:31,280 --> 00:18:33,280
The threats are always changing.

348
00:18:33,280 --> 00:18:35,280
So we have to stay ahead of the curve.

349
00:18:35,280 --> 00:18:44,280
That's why resources like MKK's website, MITRE ATT&CK, all these cybersecurity platforms, they're so valuable.

350
00:18:44,280 --> 00:18:46,280
Yeah. They keep us up to date on the latest threats.

351
00:18:46,280 --> 00:18:51,280
And they help us connect with other security professionals so we can all share knowledge and support each other.

352
00:18:51,280 --> 00:18:53,280
Right. That community is so important.

353
00:18:53,280 --> 00:18:54,280
Well, we've covered a lot of ground today.

354
00:18:54,280 --> 00:18:55,280
Yeah.

355
00:18:55,280 --> 00:18:59,280
But I think the big takeaway here is that we don't have to be afraid of these Kerberos attacks.

356
00:18:59,280 --> 00:19:05,280
If we understand how they work and we take steps to protect ourselves, we can make it much harder for the attackers to succeed.

357
00:19:05,280 --> 00:19:09,280
I agree. Knowledge is power and action is key.

358
00:19:09,280 --> 00:19:10,280
That's a great way to put it.

359
00:19:10,280 --> 00:19:14,280
Thanks for joining us on this deep dive into Kerberos exploitation.

360
00:19:14,280 --> 00:19:29,280
Until next time, stay curious, stay vigilant and stay secure.

