Kerberos has been a hot topic in the security community ever since Tim Medin's talk on Attacking Kerberos. This blog post is tailored to discuss a small subset of abusing Kerberos, AS-REP Roasting. This is possible for users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). So how do we find accounts on the network with this option enabled? Well, this option is stored as a flag within the userAccountControl attribute of an account. Essentially, you can get an encrypted piece of data for any account in a Windows domain with this configuration. This encrypted data can be cracked offline to obtain the victim's password.

To speak more on the topic, anyone can send an AS_REQ request to the KDC on behalf of any of those users and receive an AS_REP message. This AS_REP message contains a chunk of data encrypted with the client's key (a key derived from the user's password). Attackers can then crack that juicy part of the AS_REP message offline.
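As an added example (not code from the original post), this is what the UF_DONT_REQUIRE_PREAUTH check looks like in practice: decoding the userAccountControl bit field, building the LDAP bitwise-AND filter that enumeration tools rely on, and applying the same bit test to a handful of constructed sample entries.

```python
# Added example: find accounts whose userAccountControl has the
# "Do not require Kerberos preauthentication" flag set.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQUIRE_PREAUTH",  # 4194304 decimal
}
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # bitwise AND extensible match

# Constructed sample of an LDAP result set (sAMAccountName + userAccountControl).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 4260352},  # preauth off
    {"sAMAccountName": "jdoe", "userAccountControl": 66048},            # normal user
    {"sAMAccountName": "old-svc", "userAccountControl": 4260354},       # preauth off, disabled
    {"sAMAccountName": "EXCH01$", "userAccountControl": 4096},          # computer account
]


def decode_uac(uac: int) -> list:
    """Return the names of the known flags set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if uac & bit)


def preauth_filter(include_disabled: bool = False) -> str:
    """LDAP filter selecting accounts with UF_DONT_REQUIRE_PREAUTH; the matching
    rule OID is what lets a plain LDAP search test a single bit of the field."""
    flt = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_REQUIRE_PREAUTH})"
    if include_disabled:
        return f"(&(objectClass=user){flt})"
    disabled = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})"
    return f"(&(objectClass=user){flt}(!{disabled}))"


def roastable_accounts(entries, include_disabled: bool = False) -> list:
    """Apply the same bit test locally to already-fetched entries."""
    found = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(entry["sAMAccountName"])
    return found
```

Running the filter from preauth_filter() against a real directory returns exactly the set that roastable_accounts() picks out of the sample, which is the list a defender should review and, where possible, empty.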

Plenty of research has been done on this by the community. I am simply writing my thoughts and understandings on the topic to print the information into my brain :). Below are some excellent resources with further detail:

Stealthbits - What is AS-REP Roasting?

Harmj0y - Roasting AS-REPs

Rubeus - C# toolset for raw Kerberos interaction and abuses.

ired.team - Awesome work by @spotless.

Forest from HTB

1) Nmap the target to determine ports, service, protocols, etc. Definitely add the hostname to your /etc/hosts file.

nmap -sC -sV <IP>

2) LDAP anonymous bind allows a client (us) to bind to and search the directory without logging in, because no binddn or bindpasswd is needed. For most AD LDAP enumeration, I enjoy using the tools windapsearch and ldeep.

Successful anonymous bind.

If anonymous bind isn't allowed (real-world scenario), you can attempt to create a computer account to enumerate the domain/host. If we can get any user or computer to connect to our NTLM relay, we can create a computer account with ntlmrelayx. By default, any user in Active Directory can create up to 10 computer accounts. Check out this blog post by the man "Dirk-jan" to read up on what I'm talking about.

Because of this configuration, we can enumerate usernames en masse, among other things.

pip3 install ldeep #easy

It's important to know exactly what tools and their switches do. Right now, we are gathering users via LDAP. Another way of enumerating users is through the RPC protocol. Please notice the deltas between the two lists. The svc-alfresco user is going to be our initial access.

rpcclient -U "" -N 10.10.10.161

3) AS-REP Roast the svc-alfresco user using GetNPUsers.py from impacket.

GetNPUsers.py

4) Hashcat action

root@pwnbox:~/Desktop/htb-boxes/161-Forest# hashcat -m 18200 TGT /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz, 2048/5930 MB allocatable, 4MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build opts '-cl-std=CL1.2 -I OpenCL -I -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=18200 -D _unroll'
* Device #1: Kernel m18200_a0-pure.0a6a289d.kernel not found in cache! Building may take a while...
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5asrep$23$svc-alfresco@HTB.LOCAL:le558f52a7coa2c51f6a2b4dd40556e21a22129b15b72b65f2684c7b000f9c95fff21a5939fce1e3fe19e8ba3b8831d92587304af085f5b3641f47698ad38460c8b6f5070266a27b5b1f0855c463520a5fe52a1f400
hashcat mode 18200
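The $krb5asrep$ line that hashcat consumes in mode 18200 has a fixed shape: etype, principal, the 16-byte HMAC-MD5 checksum, and the RC4 ciphertext of the AS-REP enc-part. As an added example (not from the original post or from impacket/hashcat), here is a small parser that splits and sanity-checks such a line; the sample line below is constructed, with random filler hex rather than a real capture.

```python
# Added example: parse and validate a hashcat mode-18200 AS-REP line.
import re

ETYPE_NAMES = {
    23: "rc4-hmac",                  # key = NT hash (MD4 of UTF-16LE password): one fast guess per hash op
    17: "aes128-cts-hmac-sha1-96",   # key via PBKDF2 (4096 iterations): far more expensive per guess
    18: "aes256-cts-hmac-sha1-96",
}

# Constructed sample: principal from the write-up, hex is filler, not real data.
SAMPLE_LINE = ("$krb5asrep$23$svc-alfresco@HTB.LOCAL:"
               "0123456789abcdef0123456789abcdef$" + "ab" * 40)

_LINE_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_krb5asrep(line: str) -> dict:
    """Split a mode-18200 line into its fields and check the parts hashcat relies on."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    etype = int(m.group("etype"))
    checksum_hex, edata_hex = m.group("checksum"), m.group("edata")
    if etype == 23 and len(checksum_hex) != 32:
        raise ValueError("etype 23 requires a 16-byte HMAC-MD5 checksum")
    if len(edata_hex) % 2:
        raise ValueError("encrypted part is not a whole number of bytes")
    return {
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "user": m.group("user"),
        "realm": m.group("realm"),
        "checksum": bytes.fromhex(checksum_hex),
        "edata_len": len(edata_hex) // 2,
        "rc4_hmac": etype == 23,  # mode 18200 covers only the RC4-HMAC (etype 23) case
    }
```

The etype is the field a defender cares about most: an account that offers only AES etypes does not produce the fast-to-crack etype 23 material this mode is built for.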

5) Now that we may have some valid credentials, let's get a shell on the box. We can use the WinRM shell.

WinRM.rb

6) (OPTIONAL) Build your neo4j server and run BloodHound to feed it the gathered data.

7) BloodHound provides us with a graphical representation of what we can query via LDAP as an authenticated user. As we can see, we are a member of quite a few groups.

Loading SharpHound.ps1 into memory and executing the Invoke-Bloodhound function
Moving zipped file over to my attacking host.
Bloodhound UI -> Nice!
svc-alfresco has a lot going on!

8) We can utilize the bloodhound data to determine a path forward.

FOREST/EXCH01
GenericAll & WriteDacl

First of all, we have identified a second computer object, EXCH01.HTB.LOCAL. Interesting, but not used to priv-esc on this machine. I'm sure there is a way; I didn't truly explore it for this post.

Additionally, we are a member of the "Account Operators" group, which has GenericAll rights over "Exchange Windows Permissions" (EWP). EWP in turn holds an interesting right on htb.local: WriteDacl. You can read about these rights in this awesome post. First, GenericAll against the EWP group gives us the ability to add other principals to the group, change a user's password without knowing its current value, register an SPN on a user object, etc. We can add svc-alfresco as a member of that group.

Lastly, WriteDacl gives us the ability to take "full control" of the target object, in this case the htb.local domain. This means we can give DCSync rights to a domain user account (ours). DCSync is a late-stage kill-chain attack that allows an attacker to simulate the behavior of a Domain Controller (DC) in order to retrieve password data via domain replication. Once an attacker has access to a privileged account with domain replication rights, the attacker can utilize replication protocols to mimic a domain controller.

Now we discuss another tool called PowerView. You have likely used it already, so I won't discuss it much. It's a must for any blue/red teamer out there dealing with AD security. In short, once I make myself part of the "EXCHANGE WINDOWS PERMISSIONS" group, I can then add three very important rights to svc-alfresco. See them below:

Image from ired.team

Here are steps to DCSync:

Step 1) Add myself to the group

Step 2) Kill that PSSession. Reason being, I want to make sure my process is running in the context of being part of that group (group membership is put into the token at logon, so a fresh session is needed to pick it up).

Step 3) Add DCSync Rights (The three from above).

Step 4) Run secretsdump.py from impacket to collect your loot.

Step 5) You can crack the NTLM hashes, create a Golden Ticket, PTH, whatever.

DCSync and Secretsdump
pth-winexe
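The three rights added in Step 3 are the ones a defender should be watching for on the domain object. As an added example (not from the original post or from PowerView), here is an audit over a constructed DACL that reports which trustees hold the replication rights that make DCSync possible and which of them are not on an expected list; the ACE records are constructed and simplified (deny ACEs and inheritance are not modelled).

```python
# Added example: audit a domain object's DACL for DCSync-capable trustees.
RIGHT_DS_CONTROL_ACCESS = 0x00000100   # "extended right" access mask bit
RIGHT_GENERIC_ALL = 0x10000000         # GenericAll implies every extended right
RIGHT_WRITE_DAC = 0x00040000           # WriteDacl (shown here only to contrast it)

# Well-known rights GUIDs of the three replication extended rights.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED}

# Constructed DACL of the domain object: trustee, allow flag, access mask, and the
# object GUID the ACE is scoped to (None = the ACE covers every extended right).
SAMPLE_DACL = [
    {"trustee": "HTB\\Domain Controllers", "allow": True, "mask": RIGHT_DS_CONTROL_ACCESS, "object": GET_CHANGES},
    {"trustee": "HTB\\Domain Controllers", "allow": True, "mask": RIGHT_DS_CONTROL_ACCESS, "object": GET_CHANGES_ALL},
    {"trustee": "HTB\\Administrators", "allow": True, "mask": RIGHT_GENERIC_ALL, "object": None},
    {"trustee": "HTB\\Exchange Windows Permissions", "allow": True, "mask": RIGHT_WRITE_DAC, "object": None},
    {"trustee": "HTB\\svc-alfresco", "allow": True, "mask": RIGHT_DS_CONTROL_ACCESS, "object": GET_CHANGES},
    {"trustee": "HTB\\svc-alfresco", "allow": True, "mask": RIGHT_DS_CONTROL_ACCESS, "object": GET_CHANGES_ALL},
    {"trustee": "HTB\\svc-alfresco", "allow": True, "mask": RIGHT_DS_CONTROL_ACCESS, "object": GET_CHANGES_FILTERED},
]


def replication_rights(dacl) -> dict:
    """Map each trustee to the replication rights its allow ACEs grant."""
    held = {}
    for ace in dacl:
        if not ace["allow"]:
            continue
        if ace["mask"] & RIGHT_GENERIC_ALL:
            granted = set(REPLICATION_RIGHTS)
        elif ace["mask"] & RIGHT_DS_CONTROL_ACCESS:
            granted = set(REPLICATION_RIGHTS) if ace["object"] is None else {ace["object"]} & REPLICATION_RIGHTS
        else:
            continue  # WriteDacl alone does not grant replication; it only lets you grant it
        if granted:
            held.setdefault(ace["trustee"], set()).update(granted)
    return held


def dcsync_capable(dacl) -> list:
    """Trustees holding both Get-Changes and Get-Changes-All can replicate secrets."""
    return sorted(t for t, r in replication_rights(dacl).items() if {GET_CHANGES, GET_CHANGES_ALL} <= r)


def unexpected_dcsync(dacl, allowlist) -> list:
    """Anything DCSync-capable that is not on the expected list deserves an alert."""
    return [t for t in dcsync_capable(dacl) if t not in allowlist]
```

Feeding the output of a real DACL dump into replication_rights() turns the Step 3 change into a concrete finding: svc-alfresco appears alongside the domain controllers and the built-in administrators.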

Thank you if you read this far. Hope you enjoyed the quick explanation and HTB walkthrough. Feel free to reach out for any inaccurate information or if I need to explain something a bit better. Happy New Year! #2020