Kerberoasting and Silver Tickets

Kerberoasting is an attack allowing an attacker to crack Active Directory (AD) service account passwords offline, and with no fear of detection. 

Developed by Tim Medin, Kerberoasting relies on the fact that when an AD user requests access to a service, they receive back a Kerberos ticket signed with the NTLM hash of the account running the service, which an attacker can steal — even if they are a regular domain user — and crack elsewhere.

With that service account password in hand, one can then forge a “silver ticket” for that service, creating opportunities for privilege escalation.

Continue reading “Kerberoasting and Silver Tickets”

Kalipot – Part 3: Monitoring The Data

So, we’ve set up a kali-lookalike Cowrie honeypot, and added some iptables rules to detect nmap scans. It would be nice, though, if we had some way to see what was going on other than opening a couple of shells and running tail -f /var/log/syslog | grep “<IPT>”.

So, let’s get our data somewhere useful.


I’m using Splunk in my home lab because it’s pretty powerful, and a single-host instance is relatively easy to set up compared to something like Graylog or an ELK stack.

Continue reading “Kalipot – Part 3: Monitoring The Data”

Kalipot – Part 2: Detecting Nmap Scans With IPTables

In part 1 of this series, I showed you how to set up and customize a Cowrie honeypot on a Raspberry Pi. In this part, I’ll show how to use iptables to detect nmap scans and attempts to connect to ports other than the honeypot running on port 22.

IPTables Basics

IPTables is a common Linux firewall tool installed by default on ubuntu and other Debian-based distributions, including Raspbian. It’s available for both ipv4 and ipv6 and is easy to manage via the command line.

Continue reading “Kalipot – Part 2: Detecting Nmap Scans With IPTables”

Kalipot – Part 1: Hardening SSH and Setting Up Cowrie

For the past year, I’ve been setting up honeypots and network sensors on the wifi network at local security conferences, watching to see what other people are doing on the network. For the most part, the answer has been ‘not much’. But I wanted to write this up to capture the howto knowledge.


The Cowrie honeypot  is a python application that simulates a ssh or telnet server, and will serve up a fake shell environment which can be tailored to resemble any kind of Linux distribution you like, with a fake directory tree and hosted files an attacker could examine or pillage. It supports logging in several formats, including syslog-like logs, JSON, Cuckoo, ELK and several different SQL databases.

Continue reading “Kalipot – Part 1: Hardening SSH and Setting Up Cowrie”