Skip to main content

Authentication Attacks

We will cover Active directory basics some important terminology and some major authentication mechanisms,


Attacks On Kerberos Authentication

Below Diagram displays the Kerberos Authentication flow and the attaks that can be performed on different stages.



01. AS-REP Roasting

If Do not require Kerberos preauthentication (DONT_REQ_PREAUTH) for a user is enabled, then AD does not validate the encrypted timestamp and skips the preauthentication, and sends AS-REP to the request, The TGT (AS-REP response) is encrypted with the user’s NTLM hash (derived from their password). Since an attacker can get this encrypted blob without authentication, it can be brute-forced offline.

Gear Up (Prereqs)

  • Domain Controllers IP
  • User:Pass for authentication

Using Impacket-GetNPUsers

This command will be used when launching the attack from the kali linux machine

impacket-GetNPUsers -dc-ip <DC-IP> -request -outputfile hashes.asreproast domain.com/user
info

user is the username which you have credential to, For this attack you have 2 options either you can pass the list of user name -usersfile users.txt for which you want to perform the AS-REP Roast or the above method in which Impacket-GetNPUsers enumerate users after authentication.

Using Rubeus

Using this tool from domain joined windows host

rubeus.exe asreprost /nowwrap

Crack the Collected Hash

sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

We can also use custom rule or any other suitable wordlist.



02. TGS-REPRoasting Or Kerberoasting

When client requests service tickets to DC in order to access resource hosted by SPN, No ckecks are performed on DC to provide service ticket are encrypted using SPN's password hash. We get the ticket & bruteforce the password hash hence it is called Kerberosting.

Gear Up (Prereqs)

we need below information in order to perform this attack

  • User access i.e. User:Password/NT Password Hash Or Kerberos Ticket.
  • Domain Controller IP

Using Kali Linux

This command will be used when launching the attack from kali linux(Non Domain Joined host)

sudo impacket-getuserSPNs -request -dc-ip $IP domain.com/user -save -outputfile User_spn

Using Rubeus

Using this tool from domain joined windows host

rubeus.exe kerberost /outfile:hasehs.kerberost

Crack The Collected hash

sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

We can also use custom rule or any other suitable wordlist.



03. Pass The Key/ Overpass The Hash

Obtain a valid Kerberos TGT by using a user's NT hash (or Kerberos key) instead of their plaintext password.

Overpass-the-Hash (Pass-the-Key) is a Kerberos attack where an attacker uses a compromised NT hash (or Kerberos key) to request a legitimate TGT from the KDC without knowing the user's plaintext password.

From Kali machine

Using NT hash

impacket-getTGT -hashes :NTHASH DOMAIN/USER@HOST

Using AES Key

impacket-getTGT -aesKey AESKey DOMAIN/USER@HOST

From Windows machine

.\Rubeus asktgt /domain:DOMAIN /user:USER /enctype:ENCTYPE /aes256:AESKEY /nowrap /ptt

The AS-REP is not the attack target (except in AS-REP Roasting). Its primary purpose is to deliver a valid TGT and session key. Once an attacker has a legitimate or forged TGT, they can request service tickets, perform Pass-the-Ticket, or use the TGT as the foundation for subsequent Kerberos-based attacks.

How to get the hases ???


04. Pass The Ticket

Pass-the-Ticket is a post-compromise Kerberos technique in which an attacker imports or reuses an existing Kerberos ticket obtained from a compromised system or user session. Such as obtained from OverPassTheHash