Authentication Attacks
We will cover Active directory basics some important terminology and some major authentication mechanisms,
Attacks On Kerberos Authentication
Below Diagram displays the Kerberos Authentication flow and the attaks that can be performed on different stages.
01. AS-REP Roasting
If Do not require Kerberos preauthentication (DONT_REQ_PREAUTH) for a user is enabled, then AD does not validate the encrypted timestamp and skips the preauthentication, and sends AS-REP to the request, The TGT (AS-REP response) is encrypted with the user’s NTLM hash (derived from their password).
Since an attacker can get this encrypted blob without authentication, it can be brute-forced offline.
Gear Up (Prereqs)
- Domain Controllers IP
- User:Pass for authentication
Using Impacket-GetNPUsers
This command will be used when launching the attack from the kali linux machine
impacket-GetNPUsers -dc-ip <DC-IP> -request -outputfile hashes.asreproast domain.com/user
user is the username which you have credential to, For this attack you have 2 options either you can pass the list of user name -usersfile users.txt for which you want to perform the AS-REP Roast or the above method in which Impacket-GetNPUsers enumerate users after authentication.
Using Rubeus
Using this tool from domain joined windows host
rubeus.exe asreprost /nowwrap
Crack the Collected Hash
sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
We can also use custom rule or any other suitable wordlist.
02. TGS-REPRoasting Or Kerberoasting
When client requests service tickets to DC in order to access resource hosted by SPN, No ckecks are performed on DC to provide service ticket are encrypted using SPN's password hash. We get the ticket & bruteforce the password hash hence it is called Kerberosting.
Gear Up (Prereqs)
we need below information in order to perform this attack
- User access i.e. User:Password/NT Password Hash Or Kerberos Ticket.
- Domain Controller IP
Using Kali Linux
This command will be used when launching the attack from kali linux(Non Domain Joined host)
sudo impacket-getuserSPNs -request -dc-ip $IP domain.com/user -save -outputfile User_spn
Using Rubeus
Using this tool from domain joined windows host
rubeus.exe kerberost /outfile:hasehs.kerberost
Crack The Collected hash
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
We can also use custom rule or any other suitable wordlist.
03. Pass The Key/ Overpass The Hash
Obtain a valid Kerberos TGT by using a user's NT hash (or Kerberos key) instead of their plaintext password.
Overpass-the-Hash (Pass-the-Key) is a Kerberos attack where an attacker uses a compromised NT hash (or Kerberos key) to request a legitimate TGT from the KDC without knowing the user's plaintext password.
From Kali machine
Using NT hash
impacket-getTGT -hashes :NTHASH DOMAIN/USER@HOST
Using AES Key
impacket-getTGT -aesKey AESKey DOMAIN/USER@HOST
From Windows machine
.\Rubeus asktgt /domain:DOMAIN /user:USER /enctype:ENCTYPE /aes256:AESKEY /nowrap /ptt
The AS-REP is not the attack target (except in AS-REP Roasting). Its primary purpose is to deliver a valid TGT and session key. Once an attacker has a legitimate or forged TGT, they can request service tickets, perform Pass-the-Ticket, or use the TGT as the foundation for subsequent Kerberos-based attacks.
How to get the hases ???
04. Pass The Ticket
Pass-the-Ticket is a post-compromise Kerberos technique in which an attacker imports or reuses an existing Kerberos ticket obtained from a compromised system or user session. Such as obtained from OverPassTheHash