PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  • Find Users that don't use Pre-Authentication and fetch TGT
  • Crack the TGT hash using John
  1. Active Directory Pentest
  2. Domain Privilege Escalation
  3. Kerberoast

AS-REP Roast (Kerberoasting)

The AS-REP Roasting attack, also known as Kerberoasting, is a type of attack that targets the Kerberos authentication protocol, commonly used in Active Directory environments. The attack allows an attacker to extract encrypted Kerberos Ticket Granting Ticket (TGT) for user accounts with Kerberos pre-authentication disabled, which includes service accounts. The goal is to extract these TGTs and attempt to crack the password offline to gain unauthorized access to the user's account.

Here's how the attack works:

  1. Kerberos Authentication: In a Windows Active Directory environment, users and services authenticate using the Kerberos protocol. When a user logs in, their credentials are sent to the Key Distribution Center (KDC), and they receive a TGT, which serves as a ticket to request service tickets to access various resources within the network.

  2. Pre-Authentication: By default, user accounts in Active Directory use pre-authentication. In this process, the user's password is encrypted with a timestamp and sent to the KDC. The KDC verifies the password's correctness before issuing the TGT. If pre-authentication is disabled for an account, the password is not validated during the initial TGT request.

  3. AS-REP Roasting Attack: An attacker can use the Kerberoasting attack when pre-authentication is disabled for a user account. The attacker requests a TGT for a specific user account from the KDC without providing the pre-authentication data. The KDC responds with the encrypted TGT.

  4. Offline Cracking: Once the attacker obtains the encrypted TGT, they can now perform an offline brute-force attack to crack the user's password. Since the TGT is encrypted with the user's password hash, the attacker can use various password-cracking tools and techniques to try to recover the plaintext password.

  5. Privilege Escalation: If the attacker successfully cracks the password, they can now impersonate the user and access resources and services within the network to which the user has permissions.

Find Users that don't use Pre-Authentication and fetch TGT

impacket-GetNPUsers -request -dc-ip 10.10.10.161 htb.local/

# OR, If we know the username:
impacket-GetNPUsers -dc-ip 10.10.10.161 htb.local/svc-alfresco -no-pass

Crack the TGT hash using John

john hash --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt
PreviousKerberoastNextCRTP Lab 14

Last updated 10 months ago