
Support for Kerberoasting without pre-authentication and ST request through AS-REQ #1413

Merged
merged 10 commits into from
Oct 4, 2023

Conversation

ShutdownRepo
Contributor

@ShutdownRepo ShutdownRepo commented Sep 28, 2022

@0xe7 published some research on how Service Tickets can be requested through AS-REQs. This, among other things, allows for Kerberoasting attacks through an unauthenticated position by relying on a user configured without pre-authentication.

The "Kerberoasting without pre-authentication" process goes as follows:

  1. user = a user that doesn't require pre-authentication
  2. service = target service (defined by its name or spn) to kerberoast
  3. AS-REQ, without pre-auth, as "user", to obtain a ticket for service
  4. Ticket obtained can't be used but relevant information can be extracted for cracking attempt to recover the password/NT hash for service

I also modified getTGT.py and the kerberosv5.py lib to allow getTGT to be used to request service tickets.

The Hacker Recipes : https://www.thehacker.recipes/ad/movement/kerberos/kerberoast#kerberoast-w-o-pre-authentication
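From the defender's side, the distinctive trace of the AS-REQ service-ticket path described in the steps above is a KDC ticket-request event whose requested service is not krbtgt and whose pre-authentication type is 0. The following detection sketch is an added example, not part of this PR or of impacket; it assumes Windows Security event 4768 records the requested service in its Service Name field and works over constructed, flattened log lines.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security event 4768 records, flattened to one
# line each. Field names follow the 4768 schema; every value is made up here.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=jdoe ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=nopreauth.user ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.9",
    "EventID=4768 TargetUserName=nopreauth.user ServiceName=svc_sql PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.9",
    "EventID=4768 TargetUserName=nopreauth.user ServiceName=svc_web PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.9",
    "EventID=4768 TargetUserName=admin ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.7",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened 4768 line into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


def is_as_req_service_ticket(ev):
    """A normal AS-REQ asks for krbtgt. A 4768 whose ServiceName is anything
    else is a service ticket obtained directly from the AS exchange."""
    return ev.get("EventID") == "4768" and ev.get("ServiceName", "").lower() != "krbtgt"


def detect(lines):
    """Return one finding per AS-requested service ticket issued without
    pre-authentication (PreAuthType 0), plus a per-client count of distinct
    services so that one source asking for many services stands out."""
    findings, per_client = [], defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if not is_as_req_service_ticket(ev) or ev.get("PreAuthType") != "0":
            continue
        findings.append({
            "user": ev["TargetUserName"],
            "service": ev["ServiceName"],
            "client": ev["IpAddress"],
            # 0x17 is RC4-HMAC, the ticket type that is cheapest to crack
            "rc4": ev.get("TicketEncryptionType") == "0x17",
        })
        per_client[ev["IpAddress"]].add(ev["ServiceName"])
    return findings, {ip: len(s) for ip, s in per_client.items()}


if __name__ == "__main__":
    for f in detect(SAMPLE_4768)[0]:
        print(f)
```

The krbtgt request from the same account without pre-authentication is left alone here because it is the ordinary AS-REP roasting case; the two non-krbtgt entries are what this PR's technique produces.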


@ShutdownRepo
Contributor Author

In this implementation, -no-preauth requires the -usersfile argument linking to a file containing sAMAccountNames or SPNs of accounts to Kerberoast. If the -usersfile argument isn't supplied, the script will attempt an LDAP query, but the creds supplied in the command-line will be invalid and an error will be raised. Switching this PR to draft while I (or someone else) implements a quick check making sure -usersfile is supplied when -no-preauth is used.

@ShutdownRepo ShutdownRepo marked this pull request as draft October 1, 2022 11:52
@ShutdownRepo ShutdownRepo marked this pull request as ready for review October 10, 2022 09:23
@anadrianmanrique anadrianmanrique added in review This issue or pull request is being analyzed low Low priority item labels Feb 16, 2023
@ShutdownRepo
Contributor Author

@anadrianmanrique any news here?

@anadrianmanrique anadrianmanrique added medium Medium priority item and removed low Low priority item labels Sep 21, 2023
@anadrianmanrique anadrianmanrique self-assigned this Sep 21, 2023
@anadrianmanrique
Contributor

Hello, this seems to be a nice improvement for Kerberoasting!
In the meanwhile, both GetUserSPNs.py and kerberosv5.py need to be rebased. After that, I'll be able to start code reviewing/testing it.

@ShutdownRepo
Contributor Author

> Hello, this seems to be a nice improvement for Kerberoasting! In the meanwhile, both GetUserSPNs.py and kerberosv5.py need to be rebased. After that, I'll be able to start code reviewing/testing it.

should be good to go now

@anadrianmanrique
Contributor

tests are failing:
./impacket/krb5/kerberosv5.py:127:32: F821 undefined name 'service' serverName = Principal(service, type=constants.PrincipalNameType.NT_PRINCIPAL.value) ^ 1 F821 undefined name 'service'

@ShutdownRepo
Contributor Author

> tests are failing: ./impacket/krb5/kerberosv5.py:127:32: F821 undefined name 'service' serverName = Principal(service, type=constants.PrincipalNameType.NT_PRINCIPAL.value) ^ 1 F821 undefined name 'service'

my bad... fixed now, pipeline ends successfully

@anadrianmanrique anadrianmanrique removed the in review This issue or pull request is being analyzed label Sep 23, 2023
@anadrianmanrique
Contributor

Have you submitted any changes? I've been requested to review changes but I don't see any new ones.

@ShutdownRepo
Contributor Author

> Have you submitted any changes? I've been requested to review changes but I don't see any new ones.

Indeed, the changes were not pushed for some reason, probably a layer 8 issue
Pushed c31f771 now

@anadrianmanrique
Contributor

> > Have you submitted any changes? I've been requested to review changes but I don't see any new ones.
>
> Indeed, the changes were not pushed for some reason, probably a layer 8 issue. Pushed c31f771 now.

no worries, I'll start the testing process

@anadrianmanrique anadrianmanrique merged commit c3ff33b into fortra:master Oct 4, 2023