0:00:00.799,0:00:02.600 What's going on, guys? Welcome back to 0:00:02.600,0:00:05.669 this video. Today, we're doing another TryHackMe video, 0:00:05.669,0:00:07.000 and we're going to focus 0:00:07.000,0:00:09.400 on the Security Engineer track. We 0:00:09.400,0:00:11.000 have reached Active Directory 0:00:11.000,0:00:12.759 hardening, which will be the 0:00:12.759,0:00:15.519 subject of this video. There are some methods 0:00:15.519,0:00:16.840 discussed, 0:00:16.840,0:00:19.039 and I say "some" because there are 0:00:19.039,0:00:22.199 many methods to harden and secure Active 0:00:22.199,0:00:25.359 Directory, meaning Windows Server 0:00:25.359,0:00:27.800 with Active Directory. But here there are 0:00:27.800,0:00:29.160 some methods that are discussed. We're 0:00:29.160,0:00:30.400 going to go over these methods and we're 0:00:30.400,0:00:32.200 going to answer a couple questions and 0:00:32.200,0:00:34.719 try to make this as simple as I 0:00:34.719,0:00:39.000 can. And for my members, I released a new 0:00:39.000,0:00:42.280 note file. It’s under the Blue Team 0:00:42.280,0:00:45.640 track, in the Blue Team notes, and it’s 0:00:45.640,0:00:47.760 called Windows Security. You’ll find 0:00:47.760,0:00:50.879 this in the Google Drive notes. Alright, 0:00:50.879,0:00:53.104 let’s get back to the room. 0:00:53.104,0:00:57.520 So we have a machine to spawn. We're going to 0:00:57.520,0:01:00.469 click on "Start the machine," 0:01:01.359,0:01:04.319 so basically, Task 2 is about 0:01:04.319,0:01:08.400 concepts on Active Directory. It’s not 0:01:08.400,0:01:11.640 a comprehensive list or comprehensive, 0:01:11.640,0:01:14.360 you know, it doesn't contain 0:01:14.360,0:01:16.560 everything about Active Directory, but 0:01:16.560,0:01:17.720 if you're going through Active 0:01:17.720,0:01:19.200 Directory hardening, you must know what a 0:01:19.200,0:01:22.040 domain is, what a domain controller is, and the 0:01:22.040,0:01:23.680 definitions of trees and forests. 
We are 0:01:23.680,0:01:25.840 going to talk about this, but 0:01:25.840,0:01:27.400 there are two questions here. One 0:01:27.400,0:01:29.640 question is, "What is the root domain in 0:01:29.640,0:01:33.680 the attached AD machine?" So, basically, here 0:01:33.680,0:01:34.540 let’s see... 0:01:35.850,0:01:39.669 the machine is still starting. 0:01:39.669,0:01:43.209 Here we have TryHackMe.IOC 0:01:43.209,0:01:46.139 is the root domain, and ZA.TryHackMe 0:01:46.139,0:01:50.010 is not a subdomain; it’s called a child domain. 0:01:50.010,0:01:50.880 So, both 0:01:50.880,0:01:56.490 these domains exist under the same tree. 0:01:56.490,0:01:58.880 We call it a tree because 0:01:58.880,0:02:01.439 it contains more than one domain. 0:02:01.759,0:02:03.920 Now, the subject of this video will be 0:02:03.920,0:02:07.019 securing authentication methods 0:02:07.019,0:02:10.038 and the other tasks. So, let’s 0:02:10.038,0:02:11.720 first make sure that the machine is up 0:02:11.720,0:02:14.301 and running, and then click on Split View. 0:02:20.890,0:02:24.400 Okay, going to Task 3. In 0:02:24.400,0:02:30.470 Task 3, we have the LAN Manager hash, SMB 0:02:30.470,0:02:31.160 signing, 0:02:31.160,0:02:33.560 LDAP signing, 0:02:33.560,0:02:36.600 password policies, and rotation, 0:02:36.600,0:02:38.640 along with some suggestions on 0:02:38.640,0:02:41.920 password policies. These are settings 0:02:41.920,0:02:44.080 that you can configure on your Active 0:02:44.080,0:02:46.000 Directory to make sure that the 0:02:46.000,0:02:49.000 authentication process is secure, meaning 0:02:49.000,0:02:50.870 MITM attacks 0:02:50.870,0:02:54.000 have little to no chance of succeeding. 0:02:54.000,0:02:55.840 At the same time, you configure a strong 0:02:55.840,0:02:59.570 password policy for your users. 0:03:00.400,0:03:02.440 Simultaneously, in Task 4, they 0:03:02.440,0:03:05.990 talk about general security 0:03:05.990,0:03:09.200 concepts. 
For example, 0:03:09.200,0:03:11.700 role-based access control, 0:03:12.599,0:03:14.480 methods of access control, the principle 0:03:14.480,0:03:16.760 of least privilege--these are all 0:03:16.760,0:03:19.560 general security controls that you can 0:03:19.560,0:03:21.599 apply to Active Directory or 0:03:21.599,0:03:24.000 Windows Server Active Directory. 0:03:24.000,0:03:25.470 There are two questions here: 0:03:25.470,0:03:27.959 "Computers and printers must 0:03:27.959,0:03:30.159 be added to Tier 0?" This is about the 0:03:30.159,0:03:33.120 tiered access model. The tiered 0:03:33.120,0:03:35.000 access model is not discussed in 0:03:35.000,0:03:38.439 CompTIA Security+. So here, 0:03:38.439,0:03:41.200 I’m preparing a note file for you guys to help you 0:03:41.200,0:03:44.519 prepare for CompTIA Security+. 0:03:44.519,0:03:48.969 In CompTIA Security+, 0:03:48.969,0:03:50.799 there are certain 0:03:50.799,0:03:53.599 models for access control. Oh my 0:03:53.599,0:03:56.959 god, there are many things about access control: access 0:03:56.959,0:04:01.400 control methods, models. It’s 0:04:01.400,0:04:05.400 just too hard to find them... MAC, 0:04:12.439,0:04:16.650 okay... As you can see, in CompTIA Security+, 0:04:16.650,0:04:18.238 we discuss discretionary 0:04:18.238,0:04:20.320 access control, role-based, 0:04:20.320,0:04:22.639 mandatory, and rule-based 0:04:22.639,0:04:24.639 access control as well. If you scroll 0:04:24.639,0:04:27.479 down, you’ll find it-- 0:04:27.479,0:04:30.759 maybe rule-based access control. All of 0:04:30.759,0:04:32.440 these access controls 0:04:32.440,0:04:36.720 are used depending on the 0:04:36.720,0:04:39.360 scenario or the organization. A 0:04:39.360,0:04:42.759 tiered access model groups your 0:04:42.759,0:04:44.840 resources based on tiers. 
For example, 0:04:44.840,0:04:47.960 Tier 0 includes top-level 0:04:47.960,0:04:50.759 resources such as admin 0:04:50.759,0:04:53.000 accounts, domain controllers, and 0:04:53.000,0:04:57.320 groups. Tier 1 contains applications and 0:04:57.320,0:05:01.560 servers, and Tier 2 consists of end-user devices. The 0:05:01.560,0:05:04.320 higher the tier, the less sensitive it 0:05:04.320,0:05:07.639 becomes. So, as you can see, Tier 0, it's 0:05:07.639,0:05:10.320 the highest, contains the highest 0:05:10.320,0:05:12.240 sensitive resources such as admin 0:05:12.240,0:05:14.160 accounts, domain controllers, and groups. So 0:05:14.160,0:05:16.160 here, the question is: "Computers and 0:05:16.160,0:05:19.880 printers must be added to Tier 0?" Nope, 0:05:19.880,0:05:22.320 because computers and printers are endpoints, 0:05:22.320,0:05:24.240 so we can add them to Tier 2. 0:05:24.240,0:05:25.919 Suppose a vendor arrives at your 0:05:25.919,0:05:29.680 facility for a two-week visit task. 0:05:29.680,0:05:31.639 Being a system administrator, should you 0:05:31.639,0:05:34.800 create a high-privileged account for him? 0:05:34.800,0:05:38.710 Nope, because this goes to role-based 0:05:38.710,0:05:40.960 access control. In role-based access 0:05:40.960,0:05:43.800 control, we assign people 0:05:43.800,0:05:47.319 resources and permissions based on their 0:05:47.319,0:05:50.600 job. Additionally, we apply the 0:05:50.600,0:05:53.669 principle of least privilege. 0:05:53.669,0:05:55.319 Least privilege, meaning... Least privilege 0:05:55.319,0:05:58.520 means that if they don't need access to 0:05:58.520,0:06:00.840 a certain resource, we don’t grant them 0:06:00.840,0:06:03.160 permission to access that 0:06:03.160,0:06:05.360 resource depending on your job 0:06:05.360,0:06:07.880 description and on your needs as well. 0:06:07.880,0:06:11.023 Okay, so finally, the machine has started. 0:06:12.039,0:06:13.720 Alright, we’re going to 0:06:13.720,0:06:16.560 demonstrate Task 3 now. 
Alright. So, 0:06:16.560,0:06:18.080 we’re going to allow this, and we’re 0:06:18.080,0:06:22.560 going to start with GPEDIT, 0:06:22.560,0:06:25.199 the Group Policy Editor. Most of the 0:06:25.199,0:06:27.039 policies you configure in Active 0:06:27.039,0:06:30.240 Directory, whether to harden, secure, or 0:06:30.240,0:06:33.720 even to set certain settings, are done 0:06:33.720,0:06:36.160 via the Group Policy Editor. 0:06:36.160,0:06:39.319 So it’s good practice to 0:06:39.319,0:06:43.000 go over the policies here and understand 0:06:43.000,0:06:44.440 what every single one of them... the 0:06:44.440,0:06:46.599 purpose of every single one of them. So 0:06:46.599,0:06:47.800 the first thing we're going to do is the 0:06:47.800,0:06:50.120 LAN Manager Hash. 0:06:50.120,0:06:52.120 So here, we're going to make sure 0:06:52.120,0:06:55.960 that Windows stores the hashes for the 0:06:55.960,0:06:59.440 user’s password in NTLM, 0:06:59.440,0:07:02.120 not LM, because LM is relatively 0:07:02.120,0:07:04.960 weaker than NTLM, right? And is 0:07:04.960,0:07:06.759 vulnerable to brute-force attacks. So we 0:07:06.759,0:07:08.400 make sure that the passwords or 0:07:08.400,0:07:10.819 hashes are stored 0:07:10.819,0:07:13.240 in NTLM. What 0:07:13.240,0:07:14.400 we’re going to do here is go 0:07:14.400,0:07:16.319 to Computer Configuration, as you can see 0:07:16.319,0:07:17.840 here, and then go to 0:07:17.840,0:07:20.840 Policies, Windows Settings. In Windows 0:07:20.840,0:07:23.319 Settings, we expand this 0:07:23.319,0:07:27.020 (the machine is too slow, frustrating...) 0:07:27.020,0:07:29.039 Okay. Security Settings--we can 0:07:29.039,0:07:32.080 highlight this and expand to Local 0:07:32.080,0:07:34.120 Policies. If we expand Local 0:07:34.120,0:07:36.919 Policies, we go to Security Options, and 0:07:36.919,0:07:41.840 from Security Options, we have the 0:07:41.840,0:07:43.560 security policies. 
So as you can see, 0:07:43.560,0:07:47.759 there’s one here about the 0:07:47.759,0:07:50.952 LAN Manager. Let’s see where it is. 0:07:54.440,0:07:58.520 It starts with "Don’t store..." Let’s 0:07:58.520,0:07:59.999 see where it is... 0:08:01.549,0:08:04.539 Yeah, this is done. 0:08:04.539,0:08:07.080 Properties--Network security--don’t store 0:08:07.080,0:08:09.479 LAN Manager hash value on next password 0:08:09.479,0:08:11.919 change. By default, this is enabled, 0:08:11.919,0:08:13.599 which is good. Make sure on your end 0:08:13.599,0:08:16.560 this is enabled because you don’t want 0:08:16.560,0:08:20.400 the password to be stored as an LM hash 0:08:20.400,0:08:23.080 because it's going to be susceptible to 0:08:23.080,0:08:24.520 brute-force attacks. It's going to be 0:08:24.520,0:08:26.720 easily cracked. Alright, that’s the 0:08:26.720,0:08:30.039 first thing to securing... or that's the 0:08:30.039,0:08:31.959 first thing you can do to secure Active 0:08:31.959,0:08:35.240 Directory. The other thing is SMB signing. 0:08:35.240,0:08:38.120 SMB (Server Message Block) is 0:08:38.120,0:08:40.479 the protocol responsible for file and 0:08:40.479,0:08:41.880 printer sharing. So, if you have file 0:08:41.880,0:08:44.279 sharing or printer sharing enabled, this 0:08:44.279,0:08:46.399 protocol is most probably enabled. The 0:08:46.399,0:08:49.160 problem is that the communications happen 0:08:49.160,0:08:51.680 in clear text, so it’s vulnerable to MITM 0:08:51.680,0:08:56.000 attacks. So in order to prevent this, we're 0:08:56.000,0:08:57.920 going to need to configure some security 0:08:57.920,0:08:59.440 policies. Again, we go back to 0:08:59.440,0:09:02.320 Windows Settings, then to Security 0:09:02.320,0:09:07.880 Settings, back to Local Policies, Security Options, 0:09:08.560,0:09:12.519 and we’ll look for the 0:09:12.519,0:09:14.320 digitally signed 0:09:14.320,0:09:16.760 communication. 
Let’s see where it is-- 0:09:16.760,0:09:19.241 Digitally Sign Secure Channel. 0:09:20.720,0:09:24.320 Microsoft Network, 0:09:24.360,0:09:27.240 this is the one. Digitally Sign 0:09:27.240,0:09:30.240 Communication, properties. It is disabled, 0:09:30.240,0:09:32.320 so we’ll make sure this is 0:09:32.320,0:09:35.680 enabled. If we go to the "Explain" section, you 0:09:35.680,0:09:37.959 can see more information about this. 0:09:37.959,0:09:40.600 Digitally signed communications. The 0:09:40.600,0:09:42.440 security setting determines whether 0:09:42.440,0:09:46.170 packet signing is required by the SMB client component. 0:09:46.170,0:09:48.920 So, you want the 0:09:48.920,0:09:50.880 communications through SMB to be signed 0:09:50.880,0:09:53.160 and not available to MITM attacks. So you need 0:09:53.160,0:09:56.452 to... Or, therefore, you need to enable this. 0:09:57.600,0:09:59.640 Alright. 0:09:59.640,0:10:02.839 Another thing for securing protocols 0:10:02.839,0:10:05.760 in Active Directory is the LDAP protocol. 0:10:05.760,0:10:08.160 LDAP is the main protocol that Active Directory is 0:10:08.160,0:10:10.640 based on; it’s a Lightweight 0:10:10.640,0:10:14.399 Directory Access Protocol. We also 0:10:14.399,0:10:17.000 want to secure the communications 0:10:17.000,0:10:19.839 based on that protocol to prevent MITM attacks. 0:10:19.839,0:10:20.839 So, what we’re going to do again. 0:10:20.839,0:10:23.440 Also, to enable the signing of these 0:10:23.440,0:10:26.839 communications. On the same pane 0:10:26.839,0:10:28.680 here, we’ll find the Domain 0:10:28.680,0:10:31.640 Controller section, and then we’ll 0:10:31.640,0:10:34.839 look for LDAP Server Channel Binding 0:10:34.839,0:10:38.313 Tokens and LDAP Server Signing Requirements. 0:10:42.200,0:10:44.519 Modifying the setting 0:10:44.519,0:10:46.040 may affect compatibility with 0:10:46.040,0:10:48.839 clients. 
Here, it doesn’t allow me to 0:10:48.839,0:10:50.639 enable it for some reason related to 0:10:50.639,0:10:54.820 this explanation, but usually, this needs to be enabled. 0:10:56.399,0:10:59.800 The most important part 0:10:59.800,0:11:02.399 of this video is the password 0:11:02.399,0:11:04.720 policies. Password policies can be 0:11:04.720,0:11:08.519 configured from... oh, we’re going to go 0:11:08.519,0:11:10.639 back to Security Settings and we're 0:11:10.639,0:11:12.760 going to check on Account Policies. 0:11:12.760,0:11:14.480 So, Account Policy--there’s a 0:11:14.480,0:11:16.399 Password Policy here, and from here, we 0:11:16.399,0:11:19.639 can configure the minimum and maximum 0:11:19.639,0:11:22.160 length of the password, the complexity, 0:11:22.160,0:11:24.240 the age, and so on. For example, 0:11:24.240,0:11:26.600 as you can see here, the maximum age 0:11:26.600,0:11:29.680 of the password is 42 days, which means after 0:11:29.680,0:11:32.560 42 days, your users will be prompted to 0:11:32.560,0:11:34.530 change their password. 0:11:35.160,0:11:37.279 That’s the maximum age, and 0:11:37.279,0:11:39.040 that's the minimum age is 0:11:39.040,0:11:41.120 one, meaning you cannot change your 0:11:41.120,0:11:44.120 password during the first day of the 0:11:44.120,0:11:46.399 assignment. Here we have a minimum password 0:11:46.399,0:11:48.223 length of seven characters. 0:11:49.560,0:11:53.079 These are some 0:11:53.079,0:11:54.959 settings you can see. There 0:11:54.959,0:11:57.279 are some questions to answer, so let’s 0:11:57.279,0:12:00.079 scroll down. Yeah, change the... "What’s 0:12:00.079,0:12:02.240 the default minimum password length?" It 0:12:02.240,0:12:04.639 was seven, as you can see here. 0:12:04.639,0:12:08.800 Going back and showing it one more time 0:12:08.800,0:12:11.920 to you guys: seven characters. 
Alright, 0:12:11.920,0:12:14.160 these are some 0:12:14.160,0:12:16.240 policies that you can enable to harden 0:12:16.240,0:12:19.800 your Active Directory or to secure 0:12:19.800,0:12:22.240 the authentication. Additionally, 0:12:22.240,0:12:25.720 in Task 5, there’s this nice new tool 0:12:25.720,0:12:27.560 that I hadn’t heard of before: the 0:12:27.560,0:12:31.240 Microsoft Security Compliance Toolkit. 0:12:31.240,0:12:33.360 So, this tool... 0:12:33.790,0:12:38.000 Let’s go to the relative folder. Scripts, 0:12:38.279,0:12:42.360 open that... Okay, 0:12:43.240,0:12:46.000 opening the link of the tool. If 0:12:46.000,0:12:48.399 you download this tool, it will give you 0:12:48.399,0:12:50.720 recommendations and ready 0:12:50.720,0:12:53.240 templates that you can download and 0:12:53.240,0:12:54.720 configure Active Directory. If you don’t 0:12:54.720,0:12:56.800 know what to do and what 0:12:56.800,0:12:59.279 policies to configure, you can 0:12:59.279,0:13:02.760 download this tool and retrieve ready 0:13:02.760,0:13:05.480 templates to configure. For example, on 0:13:05.480,0:13:08.480 Group Policy, there are already-made 0:13:08.480,0:13:12.240 configurations. For example, here’s the 0:13:12.240,0:13:15.720 Windows Server 2019 Security Baseline 0:13:15.720,0:13:18.560 downloaded from the tool itself. 0:13:18.560,0:13:22.279 To illustrate further, in the figures 0:13:22.279,0:13:23.560 here, as you can see, when you run this 0:13:23.560,0:13:26.320 tool, it gives you the templates. 0:13:26.320,0:13:29.399 Now here, Windows Server 2022 0:13:29.399,0:13:32.920 Security Baseline zip--this is a zip file, and 0:13:32.920,0:13:35.399 it was downloaded to this machine. 0:13:35.399,0:13:38.210 Once downloaded, you can see the relative folder. 
0:13:38.210,0:13:39.880 If you open it and go to Local 0:13:39.880,0:13:42.360 Scripts, you can see the PowerShell script 0:13:42.360,0:13:46.959 that, if you run it, will configure 0:13:46.959,0:13:50.120 the settings based on this baseline. 0:13:50.120,0:13:52.519 So, the baseline is actually a 0:13:52.519,0:13:54.800 collection and combination of 0:13:54.800,0:13:56.839 configurations that ensure your 0:13:56.839,0:14:00.920 Windows Server is secure based on a specific 0:14:00.920,0:14:03.880 baseline, right? And you can use this as a 0:14:03.880,0:14:05.959 start if you don’t know what to do. 0:14:05.959,0:14:09.959 Additionally, there’s the Policy 0:14:09.959,0:14:14.120 Analyzer. Again, guys, these can be 0:14:14.120,0:14:16.160 downloaded by running the tool on your 0:14:16.160,0:14:18.040 machine and then selecting the 0:14:18.040,0:14:20.040 configuration you want. It will be 0:14:20.040,0:14:21.440 downloaded in a zip file, and you can 0:14:21.440,0:14:23.800 extract and see it this way. The Policy 0:14:23.800,0:14:25.720 Analyzer analyzes the Group Policy 0:14:25.720,0:14:30.680 settings in your environment, okay, 0:14:31.279,0:14:35.320 and as you can see here, you have the demonstrations. 0:14:37.040,0:14:39.079 So, if you go back here to 0:14:39.079,0:14:41.639 Policy Analyzer, you can see these are 0:14:41.639,0:14:44.720 the scripts that, if you run them, will 0:14:44.720,0:14:47.600 configure your Group Policy based on the 0:14:47.600,0:14:49.800 settings. Let’s go over one of them. So, if 0:14:49.800,0:14:52.720 you go back to the Windows Server Security 0:14:52.720,0:14:56.680 Baseline and check the GPOs, 0:14:57.680,0:15:01.320 as you can see, these GPOs can be 0:15:01.320,0:15:03.839 directly imported to your Group Policy 0:15:03.839,0:15:06.957 Editor based on the machine and the user. 0:15:09.600,0:15:13.920 If you open this in XML format, 0:15:20.279,0:15:23.049 hopefully, it’s going to open... 
0:15:29.920,0:15:35.289 yeah, see, guys, these are the configurations. 0:15:37.079,0:15:39.360 Now, the best thing to do 0:15:39.360,0:15:42.040 is to import them into your security or 0:15:42.040,0:15:46.880 Group Policy Editor (LGPO). 0:15:46.880,0:15:50.139 As you can see, this is an executable file. 0:15:50.139,0:15:52.480 Alright, so on the task here, 0:15:52.480,0:15:55.120 there’s “Find and open Baseline Local 0:15:55.120,0:15:58.199 Install script” and “Find the flag.” Let’s 0:15:58.199,0:15:59.720 go here and see where that script is-- 0:15:59.720,0:16:02.079 Local Script--and there’s Baseline Local 0:16:02.079,0:16:05.440 Install. Let’s open this and see what it does. 0:16:17.959,0:16:21.199 Okay, so the description says: 0:16:21.199,0:16:23.040 “Applies a Windows Security Configuration 0:16:23.040,0:16:25.959 baseline to a local Group Policy. 0:16:25.959,0:16:28.360 Execute the script with one of 0:16:28.360,0:16:30.600 these required command line switches to 0:16:30.600,0:16:33.279 install the corresponding baseline.” 0:16:33.279,0:16:37.120 So here you specify you execute 0:16:37.120,0:16:39.880 this either on a domain controller or on 0:16:39.880,0:16:42.600 a domain-joined machine. Requirements: 0:16:42.600,0:16:44.759 PowerShell execution policy, 0:16:44.759,0:16:47.880 domain-joined machine. And this is the flag. 0:16:47.880,0:16:49.800 So, as you can see, guys, these 0:16:49.800,0:16:51.600 are a set of configurations that will be 0:16:51.600,0:16:54.040 applied on any domain or any computer 0:16:54.040,0:16:55.279 you apply it to, 0:16:55.279,0:16:58.143 and it will configure the Group Policy 0:16:58.143,0:17:01.679 based on the mentioned configurations here. 
0:17:12.439,0:17:16.160 Okay, the other question is: “Find and open the 0:17:16.160,0:17:18.679 Merge Policy Rule script 0:17:18.679,0:17:21.400 imported from Policy Analyzer 0:17:21.400,0:17:23.080 in PowerShell Editor.” 0:17:26.880,0:17:31.280 So, back to Policy Analyzer, 0:17:31.280,0:17:33.880 you can check the scripts. Merge 0:17:33.880,0:17:35.960 Policy--let’s take a look at the 0:17:35.960,0:17:40.360 script here. What does it do? So, Merge Policy Analyzer 0:17:40.400,0:17:44.080 policy files... What? Merge policy 0:17:44.080,0:17:46.440 analyzer policy rule files into one 0:17:46.440,0:17:49.120 policy rule set written into the pipeline. 0:17:49.120,0:17:51.799 So, one of the things that 0:17:51.799,0:17:54.200 Policy Analyzer does is that 0:17:54.200,0:17:57.919 it gets rid of redundant policies 0:17:57.919,0:18:00.000 configured in GPO. 0:18:00.000,0:18:03.710 If you scroll down, as you can see, this is the flag. 0:18:06.080,0:18:08.799 Other questions we have to ask: 0:18:08.799,0:18:11.080 These are the common attacks against 0:18:11.080,0:18:12.520 Active Directory. We have discussed many 0:18:12.520,0:18:14.120 rooms on Active Directory penetration 0:18:14.120,0:18:15.799 testing; you can get back with them, guys, and 0:18:15.799,0:18:19.320 see how attacks are conducted against 0:18:19.320,0:18:21.760 these kinds of environments. So, does 0:18:21.760,0:18:23.480 Kerberoasting utilize an offline attack, 0:18:23.480,0:18:25.520 scanning for cracking encrypted passwords? We 0:18:25.520,0:18:26.880 explained previously, guys, about 0:18:26.880,0:18:30.440 Kerberoasting. I'm just going to go through this again, and 0:18:30.440,0:18:32.120 the answer is yes, it's offline because, 0:18:32.120,0:18:34.440 at the end, you take the 0:18:34.440,0:18:38.269 ticket and crack it offline as per the generated report. 0:18:38.269,0:18:39.120 How many users have 0:18:39.120,0:18:41.840 the same password as Aaron Booth? 
For 0:18:41.840,0:18:43.600 you guys who are asking, "Where is the 0:18:43.600,0:18:47.440 report?" The report is here. If you go 0:18:47.440,0:18:50.919 to the image here, you click on it and 0:18:50.919,0:18:52.559 see--this is the report. 0:18:52.559,0:18:59.600 These are the usernames who have the same password. 0:18:59.600,0:19:02.760 As you can see, Aaron Booth’s... 0:19:02.760,0:19:04.960 The number of accounts with the 0:19:04.960,0:19:07.229 same password is 186. 0:19:08.159,0:19:11.720 Lastly, this is a cheat sheet from 0:19:11.720,0:19:16.159 TryHackMe. You can download it to take 0:19:16.159,0:19:17.480 a look at more details on Active 0:19:17.480,0:19:21.480 Directory hardening. So that was it, guys. 0:19:21.480,0:19:23.880 I hope you enjoyed the video, and 0:19:23.880,0:19:26.661 definitely, I’m going to see you later to complete this track.