The Hacker Recipes
GitHubTwitterExegolTools
Searchโ€ฆ
Introduction
Active Directory
Reconnaissance
Movement
Credentials
MITM and coerced auths
NTLM
Kerberos
Pre-auth bruteforce
Pass the key
Overpass the hash
Pass the ticket
Pass the cache
Forged tickets
ASREQroast
ASREProast
Kerberoast
Delegations
Shadow Credentials
UnPAC the hash
Pass the Certificate
sAMAccountName spoofing
SPN-jacking
DACL abuse
Group policies
๐Ÿ› ๏ธ Trusts
Built-ins & settings
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
๐Ÿ› ๏ธ Physical
Locks
Networking
Machines
Super secret zones
๐Ÿ› ๏ธ Intelligence gathering
CYBINT
OSINT
GEOINT
๐Ÿ› ๏ธ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
๐Ÿ› ๏ธ mobile apps
Android
iOS
Powered By GitBook
ASREQroast

Theory

The Kerberos authentication protocol works with tickets in order to grant access. A ST (Service Ticket) can be obtained by presenting a TGT (Ticket Granting Ticket). That prior TGT can be obtained by validating a first step named "pre-authentication" (except if that requirement is explicitly removed for some accounts, making them vulnerable to ASREProast).
The pre-authentication requires the requesting user to supply its secret key (DES, RC4, AES128 or AES256) derived from the user password. Technically, when asking the KDC (Key Distribution Center) for a TGT (Ticket Granting Ticket), the requesting user needs to validate pre-authentication by sending a timestamp encrypted with it's own credentials in an AS_REQ message. It ensures the user is requesting a TGT for himself. When attackers obtain a man-in-the-middle position, they are sometimes able to capture pre-authentication messages, including the encrypted timestamps. Attackers can try to crack those encrypted timestamps to retrieve the user's password.
This technique is similar to ASREProasting but doesn't rely on a misconfiguration. It relies instead on an attacker successfully obtain a powerful enough man-in-the-middle position (i.e. ARP poisoning, ICMP redirect, DHCPv6 spoofing).
This technique can be categorized as a plaintext protocol credential dumping technique.

Practice

Once network traffic is hijacked and goes through an attacker-controlled equipement, valuable information can searched through captured (with tcpdump, tshark or wireshark) or through live traffic.
โ€‹PCredz (Python) is a good example and allows extraction of credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
# extract credentials from a pcap file
Pcredz -f "file-to-parse.pcap"
โ€‹
# extract credentials from all pcap files in a folder
Pcredz -d "/path/to/pcaps/"
โ€‹
# extract credentials from a live packet capture on a network interface
Pcredz -i $INTERFACE -v
Captured encrypted timestamps can then be cracked with hashcat (C), mode 7500.

Resources

dumpco.re - asreqroast
Previous
MS14-068
Next
ASREProast
Last modified 10mo ago
Copy link
On this page
Theory
Practice
Resources