Technical Resources

The following page is a collection of some of the notes I keep in Obsidian. I use these notes during penetration testing engagements or when needed in challenges for HackTheBox or CTFs. This page will continue to grow as I have time to add to it.

Active Directory


This section covers the following:

  • Active Directory
    • AD penetration testing mindmap
    • Kerberos
      • AS-REP Roast
      • Kerberoasting
      • Targeted Kerberoasting
      • Username Enumeration with Kerberos


Active Directory Penetration Testing Mindmap


Orange Cyberdefense published a mindmap that can be followed as an Active Directory penetration testing methodology. This can be found here:

https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg

It is important to note the legend in the bottom left of this mindmap, as it shows you the tools to use, what could break stuff, and what is the most common tactic.

Kerberos


AS-REP Roasting

This does not require domain credentials. A list of potential usernames will do!

Why Does AS-REP Roasting Work?

AS-REP Roasting is an exploitation technique that targets the Kerberos protocol. It allows an attacker to retrieve password hashes for users that do not require pre-authentication.

Pre-authentication is an initial stage in Kerberos authentication that prevents brute-force attacks. If a user has “Do not use Kerberos pre-authentication” enabled, an attacker can recover a Kerberos AS-REP encrypted with the user’s RC4-HMAC key (derived from the user’s password) and attempt to crack it offline.

How to AS-REP Roast!

Check to see if there are any AS-REP roastable accounts:

impacket-GetNPUsers -request -dc-ip <DC-IP> <DOMAIN.TLD>/<USERNAME>

Check the output and see if we get any AS-REP roastable hashes. If there are any, move on to trying to crack them with hashcat.

AS-REP Roast Limitations

These hashes cannot be used for pass-the-hash, but they are crackable :)


Kerberoasting

You will need valid credentials for a domain user to be able to do this!

Why Does Kerberoasting Work?

In a Kerberoasting attack, the attacker identifies user accounts in the AD domain that have service principal names (SPNs) associated with them, indicating that the account is used by specific network services. The attacker then requests a service ticket for the user account, which is encrypted with the user’s password hash.

The Kerberos protocol uses a ticket-granting ticket (TGT) to authenticate users and grant access to network resources. When a user logs in to a domain, they receive a TGT from the domain controller. The TGT is used to request service tickets for specific network services.

When a user requests a service ticket, the Kerberos protocol generates a session key that is used to encrypt the communication between the user and the service. The session key is encrypted with the user’s hashed password and included in the service ticket.

How to Kerberoast!

Check for user SPNs. This can be done using impacket-GetUserSPNs:

impacket-GetUserSPNs -request -dc-ip <DC-IP> <DOMAIN.TLD>/<USERNAME>

Check to see if there are any TGS tickets in the output. If there are, move on to trying to crack them with hashcat.

Kerberoasting Limitations

These hashes cannot be used for pass-the-hash, but they are crackable :)
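The defender's side of both techniques above, as an added example that is not part of the original notes: the AS-REP and TGS requests leave KDC audit events on the domain controller (4768 with pre-authentication type 0 for AS-REP roasting, 4769 RC4-encrypted service tickets for user SPNs for Kerberoasting), and this script hunts for both. The event lines are constructed samples; field names follow the Windows Security event XML schema, and the SIEM export format (space-separated key=value pairs) is an assumption.

```python
# Hunt for AS-REP roasting / Kerberoasting indicators in constructed KDC audit events.
from collections import defaultdict

# Constructed sample: 4768 = TGT request (AS-REQ), 4769 = service ticket (TGS-REQ).
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.5
EventID=4768 TargetUserName=svc_legacy PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.99
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.7
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.7
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.99
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.99
"""

RC4_HMAC = "0x17"  # etype 23; modern clients negotiate AES (0x11/0x12) unless RC4 is forced

def parse_event(line):
    """Turn 'k=v k=v ...' into a dict (values contain no spaces in this export)."""
    return dict(field.split("=", 1) for field in line.split())

def find_asrep_roast_indicators(events):
    """4768 success with PreAuthType 0: a TGT issued with no pre-authentication,
    i.e. an account flagged 'Do not require Kerberos preauthentication'."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == "4768" and e["PreAuthType"] == "0" and e["Status"] == "0x0"]

def find_kerberoast_indicators(events, threshold=2):
    """4769 RC4 service tickets for user (non-machine, non-krbtgt) SPNs, grouped by
    requesting user and source IP; >= threshold distinct services is suspicious."""
    by_requester = defaultdict(set)
    for e in events:
        if e["EventID"] != "4769" or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the KDC itself are not roastable targets
        by_requester[(e["TargetUserName"], e["IpAddress"])].add(svc)
    return {k: sorted(v) for k, v in by_requester.items() if len(v) >= threshold}

def hunt(raw=SAMPLE_EVENTS):
    """Run both hunts over a block of exported events and return the findings."""
    events = [parse_event(l) for l in raw.splitlines() if l.strip()]
    return {"asrep_roastable_seen": find_asrep_roast_indicators(events),
            "kerberoast_candidates": find_kerberoast_indicators(events)}

if __name__ == "__main__":
    print(hunt())
```

The single-request-per-service check (`threshold`) is what separates a legitimate user opening one SQL connection from a sweep that pulls a ticket for every user SPN in the domain; tune it to the baseline of your environment.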