Kerberos Abuses - AS-REP Roasting

First we need to understand what is kerberos and why is it used? it's already explained very well check the below link for an overview.

https://www.roguelynn.com/words/explain-like-im-5-kerberos/

Lets say you have a foothold and you have access to a user account, you can check if any user has kerberos preauth set, if you have powerview loaded, this command should provide all the users:

Get-DomainUser -PreauthNotRequired

courtesy: HarmJ0y https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

Found the user? Great!

Alternatively, the following we can also use the same author's ASREPRoast PS script, available below, clone it and load it to the session.

https://github.com/HarmJ0y/ASREPRoast

You may notice (at the time of writing) the repository is no longer current, but it still can be used. The active development is happening as part of GhostPack (more on this later).


* you may be wondering what's all this extensive redacting? I'm security conscious even while on CTFs! LOL

Now the fun / tiresome part is to crack the hash:

john --format:krb5asrep krb --wordlist /usr/share/wordlists/rockyou.txt

If you are not able to crack this hash? Sorry I won't be able to help you. Just joking, use some mangling rules, generate a more robust list. At this day and age I would still use Korelogic's rules, available below. I would change some things like years and things like that.

https://github.com/SpiderLabs/KoreLogic-Rules


So to summarise if you've seen someone for some reason would have disabled Pre-Auth (why would some disable Pre-Auth baffles me? and even the punters can't say :-), but you can think of a scenario if someone identified using BloodHound - Don't know how yet that a particular user has rights to modify a target user's account could they could unset the "Dont Require Preauth" setting?)

However for the attack to work you still need to have a weak password, and the pre-auth disabled.






Comments

Post a Comment

Popular posts from this blog

The correct way to install Jython (for Burpsuite)

You need to install Jython the correct way in order to ensure some of the Burp plugins work correctly. Some of these Burp plugins depend on Python libraries for e.g. requests, so installing Jython and then using  $ wget https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/jython-installer-2.7.2.jar $ java -jar jython-installer-2.7.2.jar -s -d /path/to/install/jython -t standard Further for e.g. if you need requests install it like this: Download requests-2.25.1.tar.gz from the official repo ( https://pypi.org/project/requests/#files ), then go to that directory in terminal, and type the following command, java -jar /Users/brutus/Downloads/jython-standalone-2.7.2.jar setup.py install
Read more

RFID cloning with Proxmark3 Easy

Image
In this post, I would like to explain how in a recent Red Team engagement, I successfully managed to clone an RFID Access Control card and gained entry into the premise. #TheKit The client was using HiD 125khz cards. I used "Proxmark 3 Easy" which is a low cost RFID cloning kit, is a stripped down version of the real “ Proxmark 3 RDV 2 ”. The "Proxmark3 easy" does not support several things like battery, relaying and doesn't have an amplifier, also it has a smaller memory. But the device is quite sufficient during a Red Team Physical engagement. It looks something like this when you order on Amazon. I wanted to build a mobile RFID cloning kit and use it for my Red Team engagements, but note with this setup the scanning distance of 6cm is useless in real engagements, I'm not that brave enough and you really have to get up close to clone a card so the setup initially didn't work, however I got lucky and me and my partner found a lost targe
Read more

Extracting an IPA; App distributed through Testflight

So in one of my iOS app pentest the app was distributed on TestFlight, I needed a clean IPA to makesure, I review the app after unpacking it. The option was for me to use a Jailbroken device and use Ext3nder, which allows the app to be re-packaged. Once you do that you could use SCP to download the IPA and use it to analyse or side load through xCode.
Read more