Domain Penetration: Several Attack Methods Against Domain Accounts

Several simple attacks on domain accounts

0x01 Pre-Authentication

This technique is used to enumerate user names in the domain from outside the domain. It relies on the behaviour of Kerberos pre-authentication: the KDC's reply to the AS-REQ differs depending on whether the requested principal exists.

If the requested user exists, the error code is KDC_ERR_PREAUTH_REQUIRED.

If the requested user does not exist, the error code is KDC_ERR_C_PRINCIPAL_UNKNOWN.

Available tools:

https://github.com/ropnop/kerbrute

https://github.com/3gstudent/pyKerbrute

After obtaining valid user names in the domain, password spraying can be used to find valid credentials and move on to the next step.

Before spraying, check the account lockout policy of the target domain.

0x02 AS-REP Roasting

If a user account has the option "Do not require Kerberos preauthentication" enabled, a TGT for that user can be requested during the AS exchange from any machine that can reach the DC (inside or outside the domain). The DC returns the TGT and the encrypted part of the AS-REP (containing the session key) without verifying the requester. That encrypted part is protected with a key derived from the user's password (RC4-HMAC, i.e. the NT hash), so it can be brute-forced offline to recover the user's hash and plaintext password.

This option is disabled by default.

Enumerating users with this property set

Setting this property on an account requires GenericWrite permission over that account.

  1. Query LDAP for users matching the filter (userAccountControl:1.2.840.113556.1.4.803:=4194304).

  2. PowerView (or the ActiveDirectory module):

Import-Module .\PowerView.ps1
Get-DomainUser -PreauthNotRequired -Verbose
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

Request the AS-REP hash (ASREPRoast):

Import-Module .\ASREPRoast.ps1
Get-ASREPHash -UserName testuser2 -Domain holy.testA | Out-File -Encoding ASCII hash.txt

With impacket:

python3 GetNPUsers.py pig.com/duck:test123 -dc-ip 10.0.19.0 -usersfile user.txt -format john -outputfile hash

The output can then be cracked with hashcat.

0x03 Kerberoasting

Because of how Kerberos works, any authenticated domain user can request a TGS for any service that has a registered SPN (HOST or anything else) on a user or computer account in the domain. Note that this only obtains the ticket; it grants no access, since the service itself ultimately decides whether the user may use the resource.

Because of this, and because part of the TGS returned for the SPN is encrypted with the NTLM hash of the service account's plaintext password, any user can request these tickets and crack the service account's password offline with no risk of locking the account.

Request TGS

You can use GetUserSPNs or mimikatz to request TGS tickets, export them, and crack them offline with hashcat.

For example, with the impacket tool:

python3 GetUserSPNs.py pig.com/duck:test123 -dc-ip 10.0.19.0

To understand the underlying mechanics, capture the traffic and inspect the Kerberos exchanges in detail. So what distinguishes Pre-Authentication enumeration, AS-REP Roasting, and Kerberoasting? Each abuses a different stage of the protocol: the KDC's error reply to an AS-REQ, the AS-REP issued without pre-authentication, and the TGS-REP for a service SPN.
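From the defender's side, the three techniques leave three distinct traces in domain controller audit logs. The following is an added example (not code from the original post) that triages constructed Windows 4768/4769 event records for each pattern; the event records, host addresses, account and service names are all invented for the example.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real logs); field names follow the Windows
# 4768 (TGT request) and 4769 (service ticket request) audit events.
# result 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN, preauth 0 = no pre-authentication,
# etype 0x17 = RC4-HMAC, the crackable key type targeted by both roasting attacks.
EVENTS = [
    {"id": 4768, "client": "10.0.19.55", "account": "nosuchuser1", "result": "0x6"},
    {"id": 4768, "client": "10.0.19.55", "account": "nosuchuser2", "result": "0x6"},
    {"id": 4768, "client": "10.0.19.55", "account": "nosuchuser3", "result": "0x6"},
    {"id": 4768, "client": "10.0.19.55", "account": "nosuchuser4", "result": "0x6"},
    {"id": 4768, "client": "10.0.19.55", "account": "nosuchuser5", "result": "0x6"},
    {"id": 4768, "client": "10.0.19.7", "account": "alcie", "result": "0x6"},  # one typo is normal
    {"id": 4768, "client": "10.0.19.55", "account": "testuser2", "result": "0x0", "preauth": 0, "etype": "0x17"},
    {"id": 4768, "client": "10.0.19.7", "account": "alice", "result": "0x0", "preauth": 2, "etype": "0x12"},
    {"id": 4769, "client": "10.0.19.55", "account": "duck", "service": "svc_sql", "etype": "0x17"},
    {"id": 4769, "client": "10.0.19.55", "account": "duck", "service": "svc_web", "etype": "0x17"},
    {"id": 4769, "client": "10.0.19.55", "account": "duck", "service": "svc_backup", "etype": "0x17"},
    {"id": 4769, "client": "10.0.19.7", "account": "alice", "service": "fileserver$", "etype": "0x12"},
]


def enumeration_sources(events, threshold=5):
    """Client addresses with >= threshold TGT requests for unknown principals.
    Pre-auth user enumeration shows up as a burst of 0x6 failures from one host."""
    hits = Counter(e["client"] for e in events if e["id"] == 4768 and e["result"] == "0x6")
    return sorted(c for c, n in hits.items() if n >= threshold)


def asrep_roast_candidates(events):
    """Accounts issued a TGT with no pre-authentication and an RC4 session key:
    exactly the AS-REP that can be taken offline and cracked."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e["result"] == "0x0"
                   and e.get("preauth") == 0 and e.get("etype") == "0x17"})


def kerberoast_requesters(events, threshold=3):
    """Accounts requesting RC4 service tickets for >= threshold distinct SPNs.
    Normal clients rarely hit many services with a downgraded etype in one burst."""
    services = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e.get("etype") == "0x17":
            services[e["account"]].add(e["service"])
    return sorted(a for a, s in services.items() if len(s) >= threshold)


if __name__ == "__main__":
    print("enumeration from:", enumeration_sources(EVENTS))
    print("AS-REP roast targets:", asrep_roast_candidates(EVENTS))
    print("kerberoast requesters:", kerberoast_requesters(EVENTS))
```

The thresholds are illustrative; in production tune them against your own baseline and feed the functions from a SIEM export of 4768/4769 events instead of the inline list.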


Origin blog.csdn.net/Python_0011/article/details/130778494