Kerberos PreAuthentication and Party Tricks

Back in 2016, Geoffrey Janjua of Exumbra Operations Group presented at LayerOne on “Kerberos Party Tricks”, covering the abuse of user accounts which have Kerberos pre-authentication disabled.

The Python script he released at the time was a great proof-of-concept, but there are now alternative tools available for detecting and exploiting this issue.

Firstly, what is the issue? In short, it allows for username enumeration and offline password guessing of Windows Domain Users, so it can be useful on a Penetration Test if it’s available.

The vulnerability occurs when the “Do Not Require Pre-authentication” box is ticked within Users and Computers, as here:

This box is not ticked by default, and ticking it doesn’t raise any kind of security prompt. If you’d like to find out whether any of your user accounts have it ticked, the fastest way is probably to run the following PowerShell:

# List enabled users whose "Do not require Kerberos preauthentication" flag is set
Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | Where-Object { $_.DoesNotRequirePreAuth -eq $true -and $_.Enabled -eq $true } | Select-Object Name

The above script checks each user account and returns only those that are both enabled and have pre-authentication disabled, giving you a plain list of usernames. Useful if you’re an Admin, but not so much during a PenTest – so I’ll cover detection and exploitation next!

Whilst you could use the original Python script I mentioned earlier (available here: http://www.exumbraops.com/layerone2016/party), being a proof-of-concept, it’s not the best option.

harmj0y wrote an alternative, ASREPRoast (here: https://github.com/HarmJ0y/ASREPRoast), although that’s now deprecated in favour of Rubeus (here: https://github.com/GhostPack/Rubeus).

To use Rubeus you’ll have to compile it into an EXE (Visual Studio Community can do that). You can then run the following to dump a hash:

Rubeus.exe asreproast /user:USER [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER]

For example:

You can see here that Rubeus sends an AS-REQ to the Domain Controller without pre-authentication data, captures the resulting AS-REP, and presents its encrypted part as a John the Ripper compatible hash. Because no password guess is ever sent to the Domain Controller, this does not increment the account’s bad password count, and therefore won’t lock the account out even if a lockout policy is set.
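As an added example (not part of the original post or of Rubeus), this is what the same exchange looks like from the Domain Controller’s side: Windows logs Security event 4768 for every TGT request, and a Pre-Authentication Type of 0 with a successful status means the KDC handed out an AS-REP to a request that carried no pre-authentication, which is exactly the blob being cracked offline. The log lines are constructed in a simplified key=value rendering rather than real captures, with field names taken from the 4768 event.

```python
"""Detection example: flag the DC-side trace of an AS-REP roast in 4768 events.
The sample lines below are constructed for this example, not real captures."""
import re
from collections import defaultdict

# Constructed sample: one normal logon (PreAuthType 2 = encrypted timestamp),
# one AS-REP issued with no pre-auth (the roastable account), two probes for
# names that do not exist (Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN), a smart
# card logon (PreAuthType 15) and an unrelated 4769 service ticket event.
SAMPLE_LOG = """\
EventID=4768 TargetUserName=alice IpAddress=10.0.0.5 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=svc_legacy IpAddress=10.0.0.77 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=jsmith IpAddress=10.0.0.77 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6
EventID=4768 TargetUserName=jdoe IpAddress=10.0.0.77 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6
EventID=4768 TargetUserName=bob IpAddress=10.0.0.9 PreAuthType=15 TicketEncryptionType=0x12 Status=0x0
EventID=4769 TargetUserName=alice IpAddress=10.0.0.5 PreAuthType=- TicketEncryptionType=0x12 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn each key=value line into a dict, keeping only 4768 (TGT request) events."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("EventID") == "4768":
            events.append(fields)
    return events

def asrep_roast_findings(text, enum_threshold=2):
    """Return (kind, detail) findings:
    - 'roastable_account': a TGT was issued (Status 0x0) to a request with no
      pre-auth (PreAuthType 0); that account has the box ticked and its AS-REP
      has just been handed to someone who can crack it offline.
    - 'rc4_downgrade': same, but the ticket used RC4-HMAC (0x17), the cheapest
      etype to crack and the one roasting tools ask for by default.
    - 'user_enumeration': one source asked for several non-existent names."""
    findings = []
    unknown_by_src = defaultdict(set)
    for ev in parse_events(text):
        user, src, status = ev["TargetUserName"], ev["IpAddress"], ev["Status"]
        if status == "0x6":
            unknown_by_src[src].add(user)      # name does not exist in the domain
        elif status == "0x0" and ev.get("PreAuthType") == "0":
            findings.append(("roastable_account", f"{user} from {src}"))
            if ev.get("TicketEncryptionType") == "0x17":
                findings.append(("rc4_downgrade", f"{user} from {src}"))
    for src, names in unknown_by_src.items():
        if len(names) >= enum_threshold:
            findings.append(("user_enumeration", f"{src} probed {sorted(names)}"))
    return findings
```

A 'roastable_account' finding is worth acting on even without any cracking attempt: the fix is to untick the box (or rotate the password to a long random one) rather than to chase the requester.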

Presuming you’ve got a fairly recent version of John the Ripper (the magnumripper jumbo build, from https://github.com/magnumripper/JohnTheRipper.git), you can crack these hashes with:

john --format=krb5asrep foo.hash

Like this: