Kerberos has been a hot topic in the security community ever since Tim Medin's talk on Attacking Kerberos. This blog post covers a small subset of Kerberos abuse, AS-REP Roasting. It works against accounts that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH, bit 0x400000). So how do we find accounts on the network with this option enabled? The flag is stored in the
userAccountControl attribute of the account. Essentially, you can get an encrypted piece of data for any account in a Windows domain with this configuration, and that encrypted data can be cracked offline to obtain the victim's password.
To expand on that: normally the KDC demands pre-authentication (a timestamp encrypted with the user's key) before it answers an AS_REQ. When pre-authentication is not required, anyone who can reach the KDC can send an AS_REQ for any of those users, without knowing any credential, and receive an AS_REP. The AS_REP carries an encrypted part (session key, nonce and ticket times) that is encrypted with the client's long-term key, which for RC4-HMAC (etype 23) is simply the NT hash of the user's password. Attackers can then crack that juicy part of the AS_REP offline: derive the key from each password guess, decrypt, and check the HMAC. No further traffic to the DC is needed and no lockout threshold applies, but the initial request does appear on the DC as a 4768 event with Pre-Authentication Type 0, which is the thing to alert on.
Plenty of research has been done on this by the community. I am simply writing my thoughts and understandings on the topic to print the information into my brain :). Below are some excellent resources with further detail:
Stealthbits - What is AS-REP Roasting?
Harmj0y - Roasting AS-REPs
Rubeus - C# toolset for raw Kerberos interaction and abuses.
Forest from HTB
1) Nmap the target to determine open ports, services and versions. Definitely add the hostname to your /etc/hosts file; Kerberos and WinRM both care about names, not just IPs.
2) LDAP anonymous bind lets a client (us) bind to and search the directory without credentials, because no bind DN or bind password is required. For most AD LDAP enumeration, I enjoy using the tools windapsearch and ldeep.
If anonymous bind weren't allowed (the usual real-world situation), you could attempt to create a computer account to enumerate the domain/host. If we can get any user or computer to connect to our NTLM relay, we can create a computer account with ntlmrelayx. By default, any user in Active Directory can create up to 10 computer accounts (the ms-DS-MachineAccountQuota attribute). Check out this blog post by the man "Dirk-jan" to read up on what I'm talking about.
Because anonymous bind is allowed here, we can enumerate usernames in bulk, among other things.
It's important to know exactly what tools and their switches do. Right now we are gathering users via LDAP. Another way of enumerating users is over RPC (for example a SAMR enumeration through a null SMB session). Note the differences between the two result sets. The svc-alfresco user is going to be our initial access.
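Finding the roastable accounts is a bit test on userAccountControl. The snippet below is an added example, not code from the post or from windapsearch/ldeep: it builds the LDAP filter that pushes the bit test to the server (the same filter idea GetNPUsers.py uses) and applies the same test locally to constructed sample entries, excluding disabled accounts because the KDC will not issue an AS-REP for those anyway. The account names and UAC values are made up.

```python
"""Added example: spotting 'Do not require Kerberos preauthentication' in userAccountControl.

Sample entries below are constructed, not real directory output.
"""
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000   # decimal 4194304

# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible-match rule,
# so the DC performs the bitwise test instead of us pulling every user object.
ASREP_LDAP_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=%d)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=%d)))"
    % (UF_DONT_REQUIRE_PREAUTH, UF_ACCOUNTDISABLE)
)


def is_asrep_roastable(uac: int) -> bool:
    """True when pre-auth is not required and the account is enabled."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH) and not (uac & UF_ACCOUNTDISABLE)


def roastable_accounts(entries):
    """entries: dicts shaped like LDAP search results with sAMAccountName and userAccountControl."""
    return sorted(
        e["sAMAccountName"] for e in entries
        if is_asrep_roastable(int(e["userAccountControl"]))
    )


# Constructed sample: one roastable service account, one that is disabled, two normal users.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "Administrator", "userAccountControl": str(UF_NORMAL_ACCOUNT)},
    {"sAMAccountName": "svc-example",
     "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH)},
    {"sAMAccountName": "old-svc",
     "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH)},
    {"sAMAccountName": "jdoe", "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD)},
]

if __name__ == "__main__":
    print(ASREP_LDAP_FILTER)
    print("roastable:", roastable_accounts(SAMPLE_ENTRIES))
```

The same filter, minus the negated disabled clause, is what you would hand to windapsearch or ldapsearch with `-b` set to the domain base DN; on the defensive side, running it on a schedule is a cheap way to catch someone flipping the flag on a service account.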
3) AS-REP Roast the svc-alfresco user using GetNPUsers.py from impacket (with -format hashcat so the output is a $krb5asrep$23$ line).
4) Crack the hash with hashcat, mode 18200 (Kerberos 5 AS-REP etype 23).
5) Now that we may have valid credentials, let's get a shell on the box over WinRM (TCP 5985).
6) (OPTIONAL) Set up a neo4j database and load the collected data into BloodHound.
7) BloodHound gives us a graphical representation of what we can query over LDAP as an authenticated user. As we can see, we are a member of quite a few groups.
8) We can utilize the bloodhound data to determine a path forward.
First, we identified a second computer object, EXCH01.HTB.LOCAL. Interesting, but not used to privesc on this machine. I'm sure there is a way; I didn't explore it for this post.
Additionally, we are a member of the "Account Operators" group, which has GenericAll rights over the "Exchange Windows Permissions" (EWP) group. EWP in turn holds an interesting right on htb.local: WriteDacl. You can read about these rights in this awesome post. GenericAll means full control of the target object: on a group, that includes adding other principals as members; on a user, it includes resetting the password without knowing its current value or registering an SPN on the object (targeted Kerberoasting). Here we use it to add svc-alfresco as a member of EWP.
Lastly, WriteDacl lets us modify the target object's DACL, which is effectively "full control" because we can grant ourselves whatever we want. In this case the target is the htb.local domain object, so we can give DCSync rights to a domain user account (ours). DCSync is a late-stage kill chain attack in which the attacker impersonates a Domain Controller and asks a real DC for password data through the directory replication protocol (MS-DRSR, the DRSUAPI RPC interface). Once an attacker controls an account with domain replication rights, that account can pull every secret in the domain, including the krbtgt hash.
Now we discuss another tool called PowerView. You likely have used it already, so I won't discuss it much. It's a must for any blue/red teamer out there dealing with AD security. In short, once I make myself part of the "EXCHANGE WINDOWS PERMISSIONS" group, I can then add three very important rights to svc-alfresco. See them below:
Here are steps to DCSync:
Step 1) Add myself to the group
Step 2) Kill that PSSession and open a new one. Group membership is evaluated when the logon token is built, so the process must be started fresh for the new membership to be in its token.
Step 3) Add the DCSync rights (the three from above) to svc-alfresco on the domain object.
Step 4) Run secretsdump.py from impacket to collect your loot.
Step 5) From here you can crack the NT hashes, create a Golden Ticket with the krbtgt hash, pass-the-hash, whatever.
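The "three rights" PowerView writes for `-Rights DCSync` are the extended rights DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set, each of which becomes an object ACE on the domain head. The block below is an added example, my own code rather than the post's or PowerView's: it renders those ACEs in SDDL for a target SID (what step 3 ends up writing), and, for the blue-team view of step 3, parses a domain DACL in SDDL form and lists which principals hold enough replication rights to DCSync, so an unexpected SID can be flagged. The DACL and the SID are constructed, and the rule that Get-Changes plus Get-Changes-All suffices to replicate secrets is stated as the threshold used here.

```python
"""Added example: DCSync replication rights as SDDL object ACEs, both granting and auditing.

The SIDs and the sample DACL are constructed, not taken from any real domain.
"""
import re

# rightsGuid values of the replication control-access rights in the AD schema.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
DCSYNC_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET: "DS-Replication-Get-Changes-In-Filtered-Set",
}
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # the "CR" access mask bit


def dcsync_aces(principal_sid: str) -> str:
    """SDDL allow-object ACEs granting the three replication extended rights to a SID."""
    return "".join("(OA;;CR;%s;;%s)" % (guid, principal_sid) for guid in DCSYNC_RIGHTS)


# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
_ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def _grants_control_access(mask: str) -> bool:
    """Rights field is either a hex mask or a run of two-letter tokens."""
    if mask.lower().startswith("0x"):
        return bool(int(mask, 16) & ADS_RIGHT_DS_CONTROL_ACCESS)
    return "CR" in {mask[i:i + 2] for i in range(0, len(mask), 2)}


def replication_rights(dacl_sddl: str):
    """Map SID -> set of replication right names granted by allow-object ACEs."""
    rights = {}
    for ace_type, _flags, mask, obj_guid, _inh, sid in _ACE_RE.findall(dacl_sddl):
        if ace_type != "OA" or not _grants_control_access(mask):
            continue
        name = DCSYNC_RIGHTS.get(obj_guid.lower())
        if name:
            rights.setdefault(sid, set()).add(name)
    return rights


def can_dcsync(dacl_sddl: str):
    """SIDs holding Get-Changes and Get-Changes-All, the pair that lets secrets be replicated."""
    needed = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
    return sorted(sid for sid, held in replication_rights(dacl_sddl).items() if needed <= held)


def unexpected_dcsync(dacl_sddl: str, expected_sids):
    """Principals that can DCSync but are not on the allow-list (DCs, Administrators, ...)."""
    return [sid for sid in can_dcsync(dacl_sddl) if sid not in set(expected_sids)]


# Constructed domain DACL: SYSTEM, Builtin Administrators (BA) and Enterprise DCs (ED)
# hold replication rights, as on a default domain head. The svc SID is made up.
SVC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BASE_DACL = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)"
)
AFTER_DACL = BASE_DACL + dcsync_aces(SVC_SID)   # what the domain DACL looks like after step 3

if __name__ == "__main__":
    print("before:", can_dcsync(BASE_DACL))
    print("after: ", can_dcsync(AFTER_DACL))
    print("unexpected:", unexpected_dcsync(AFTER_DACL, {"BA", "ED"}))
```

On a real domain the DACL comes from the nTSecurityDescriptor attribute of the domain head (PowerView's Get-DomainObjectAcl, or `ConvertFrom-SddlString` on the SDDL form), and the check worth automating is the last function: any SID outside the DC and admin groups that lands on that list is a DCSync backdoor.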
Thank you if you read this far. Hope you enjoyed the quick explanation and HTB walkthrough. Feel free to reach out for any inaccurate information or if I need to explain something a bit better. Happy New Year! #2020