search

Active Directory Authentication

hashtag
AS-REP roasting (get TGT / password if lucky)

Gets you TGT, Combo with Kerbrute, also sending AS-REQ is the first step of authentication via Kerberos.

Kerberoasting typically requires credentials to run the attack. There is an option for an account to have the property “Do not require Kerberos preauthentication” or UF_DONT_REQUIRE_PREAUTH set to true.

Check it flag is set to true:

Get-DomainUser -PreauthNotRequired

You can get the usernames for example with enumeration users through RPC.

circle-info

Windows alternative: Rubeus

Without password:

impacket-GetNPUsers -no-pass -dc-ip <DC_IP> <domain/user>

With password:

impacket-GetNPUsers -dc-ip <IP>  -request -outputfile hashes.asreproast <DOMAIN>/<USER>

After that attack you can crack the hash using hashcat.

circle-info

Identifier can differ - visit example_hashes: https://hashcat.net/wiki/doku.php?id=example_hashesarrow-up-right

hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

hashtag
Kerbrute (User enumeration & Password spray)

You can brute force users from Kerberos in order to get usernames. Remember to try searching for usernames on other ports.

In order to get the passwords you can use AS-AEP roasting or use usernames as passwords.

Tool link: https://github.com/ropnop/kerbrutearrow-up-right

Password spraying:

circle-info

If you receive a network error, make sure that the encoding of password with usernames is ANSI.

hashtag
Kerberoasting

If you will get KRB_AP_ERR_SKEW error -> synchronize Kali's time to the machine.

This is how this work. We are trying to get TGS with server's account hash in order to crack it and gain control over domain controller.

Kerberoasting

Once you have admin/standard user access, look for the supported SPNs and get TGS ticket for the SPN using GetUserSPNs tool from Impacketarrow-up-right.

Copy

Now once you have the TGS hash, all we need to do is to feed the hash to Hashcat arrow-up-righttool to fetch Server’s user.

Copy

hashtag
Silver ticket

circle-info

Patched by Microsoft in October 2022.

We can forge our own tickets to access the resource with any permissions we desire (If users hash is used to create service tickets for it).

In order to create silver ticket we need:

SPN password hash (NTLM)

Mimikatz way (if the service is on the same machine):

Domain SID

Get Domain SID without the last part:

S-1-5-21-1987371270-658605905-1781884369-1102

Target SPN

URL in case of web application.

Command:

Check if the ticket is in memory:

Example check of HTTP service:

hashtag
Domain Controller Synchronization

Forge a rogue update request to a domain controller from a user with certein rights.

Required permission: Replicating Directory Changes, Replicating Directory Changes All, Replicating Directory Changes in Filtered Set.

By default Domain Admins, Enterprise Admins, and Administrators groups have these rights assigned.

We can request for any user in the domain using:

Mimikatz

Secretsdump

hashtag
Golden Ticket

Access to all resources in the entire domain.

Kerberos uses hash of krbtgt account to encrypt TGT. If we takeover this account / hash we are able to create our own custom TGTs.

Dump hashes from LSA:

Delete existing kerberos tickets:

Get domain SID:

Get Domain SID without the last part:

S-1-5-21-1987371270-658605905-1781884369-1102

Create golden ticket:

Run cmd:

hashtag
Shadow Copies

If we are domain admins we can extract NTDS.dit - AD database file.

Shadow copy is a microsoft backup technology. It uses vshadow.exe.

Create snapshot:

Once the snapshot has been taken successfully, we should take note of the shadow copy device name.

Copy AD database:

Extract database:

Move these two files to a kali machine and perform secretsdump:

This results in getting every hash in AD.

PreviousAutomated Information GatheringNextLateral Movement

Last updated