fix(variant): use crackable dictionary passwords for Kerberoastable/A…#153
Draft
mkultraWasHere wants to merge 5 commits into main from
Conversation
…S-REP users

The variant generator was replacing ALL passwords with random complex strings, making Kerberoastable (SPN) and AS-REP roastable user passwords uncrackable with standard wordlists. This broke the attack path for engagements relying on hashcat/john dictionary attacks.

- Add GenerateCrackablePassword() using a rockyou-derived wordlist
- Add findCrackablePasswords() to detect SPN and AS-REP roast targets
- Add parseASREPScripts() to extract users from asrep*.ps1 scripts
- Fix 4 broken passwords in variant-1 (sansa.stark, jon.snow, brandon.stark, missandei mapped users)

Co-Authored-By: Claude <noreply@anthropic.com>
Pull request overview
This PR adjusts the variant generator so Kerberoastable (SPN) and AS-REP roastable users get dictionary-crackable passwords (instead of fully random complex strings), making those targets realistically crackable with standard wordlists during engagements.
Changes:
- Added a rockyou-style crackable password generator (GenerateCrackablePassword) and associated wordlist.
- Added detection of roastable accounts (findCrackablePasswords) using SPNs and asrep*.ps1 script parsing.
- Updated password mapping to branch between crackable vs complex generation and tagged console output; updated Variant-1 config/mapping outputs accordingly.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| cli/internal/variant/namegen.go | Adds crackable password wordlist and generator method. |
| cli/internal/variant/namegen_test.go | Adds a unit test for crackable password selection/variety. |
| cli/internal/variant/generator.go | Detects roastable users (SPN/AS-REP scripts) and maps their passwords to dictionary values. |
| ad/GOAD-variant-1/mapping.json | Updates example/generated mapping outputs to reflect crackable passwords for roast targets. |
| ad/GOAD-variant-1/data/config.json | Updates example/generated variant config with crackable passwords for roast targets. |
- Warn when no asrep*.ps1 scripts are found or unreadable so missing crackable passwords are visible during generation
- Add TestFindCrackablePasswords covering SPN, AS-REP, and preserved-user (sql_svc) password classification
- Fix crackablePasswords wordlist count (55 → 56)

Co-Authored-By: Claude <noreply@anthropic.com>

- SSMTransport now raises ConnectionError with actionable messages instead of silently returning None on auth/connectivity failures
- Add --restart flag to delete existing report file before launching
- Fix poll countdown always showing 0s by recording time after fetch
- Sanitize report_path with shlex.quote to prevent command injection
- Truncate instance ID to last 5 chars in CLI and footer display
- Add delete_report() to Transport interface

Co-Authored-By: Claude <noreply@anthropic.com>

… poll timer"

This reverts commit b1ec612.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
The preservedUsers guard was present in the SPN/Kerberoastable loop but missing from the AS-REP roasting loop, allowing a preserved account like sql_svc to get a crackable password if referenced by an asrep*.ps1 script. Test updated to cover both paths.

Co-Authored-By: Claude <noreply@anthropic.com>
Crackable passwords for Kerberoastable and AS-REP roastable variant users
The variant generator was replacing every password with a random complex string, making SPN and AS-REP roast targets uncrackable with standard wordlists during engagements.
Added

- `GenerateCrackablePassword()` in `namegen.go`: picks from a 56-entry rockyou-derived wordlist so passwords crack with a straight dictionary attack (no rules)
- `findCrackablePasswords()` in `generator.go`: detects users with SPNs (Kerberoastable) and users referenced in `asrep*.ps1` scripts (AS-REP roastable), skipping `sql_svc`, which is intentionally uncrackable
- `parseASREPScripts()` in `generator.go`: extracts `-Identity "username"` from AS-REP roasting PowerShell scripts
- `TestGenerateCrackablePassword` covering wordlist membership and output variety

Changed

- `mapPasswords()` now branches between `GenerateCrackablePassword()` and `GeneratePassword()` based on whether the original password belongs to a roastable user
- Console output tagged `(crackable)` for visibility during generation

Fixed

- `ryan.myers` (Kerberoast), `christine.martin` (Kerberoast), `alexander.peterson` (AS-REP), `susan.white` (AS-REP) now have rockyou-crackable passwords in both `config.json` and `mapping.json`
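The classification logic the PR description and the follow-up commit talk about (SPN users, users named by `-Identity` in `asrep*.ps1`, the preserved-user guard on both loops, the warning when no scripts are found, and the crackable-vs-complex branch in the password mapping), as an added stand-alone example. This is not the project's own `generator.go` code: the `User` struct shape, the `-Identity` regular expression, the `Set-ADAccountControl` sample script lines and the three-word stand-in wordlist are all assumptions constructed for the example, and the function names only mirror the ones in the PR.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// User is a minimal stand-in for the generator's user record (assumed shape, not the project's type).
type User struct {
	Name     string
	Password string
	SPNs     []string // non-empty means the account is Kerberoastable
}

// identityRe matches the -Identity "username" (or 'username') argument in AS-REP setup scripts.
var identityRe = regexp.MustCompile(`(?i)-Identity\s+["']([^"']+)["']`)

// ParseASREPScripts extracts the user names referenced via -Identity from asrep*.ps1 contents.
// scripts maps file name to file text so the function runs on constructed input. It returns the
// sorted unique names plus warnings when no scripts or no -Identity entries were found, so a
// silently empty AS-REP set is visible during generation.
func ParseASREPScripts(scripts map[string]string) ([]string, []string) {
	var users, warnings []string
	seen := map[string]bool{}
	if len(scripts) == 0 {
		warnings = append(warnings, "no asrep*.ps1 scripts found: AS-REP roastable users will keep complex passwords")
	}
	for name, body := range scripts {
		matches := identityRe.FindAllStringSubmatch(body, -1)
		if len(matches) == 0 {
			warnings = append(warnings, fmt.Sprintf("%s: no -Identity entries found", name))
		}
		for _, m := range matches {
			if !seen[m[1]] {
				seen[m[1]] = true
				users = append(users, m[1])
			}
		}
	}
	sort.Strings(users)
	return users, warnings
}

// FindCrackablePasswords maps each original password belonging to a roastable user to the reason
// ("spn" or "asrep"). The preserved guard is applied in BOTH loops; skipping it in the AS-REP loop
// is exactly the bug that let sql_svc receive a crackable password.
func FindCrackablePasswords(users []User, asrepUsers []string, preserved map[string]bool) map[string]string {
	crackable := map[string]string{}
	byName := map[string]User{}
	for _, u := range users {
		byName[u.Name] = u
		if preserved[u.Name] {
			continue // intentionally uncrackable account
		}
		if len(u.SPNs) > 0 {
			crackable[u.Password] = "spn"
		}
	}
	for _, n := range asrepUsers {
		u, ok := byName[n]
		if !ok || preserved[n] {
			continue // unknown user, or preserved account referenced by a script
		}
		if _, done := crackable[u.Password]; !done {
			crackable[u.Password] = "asrep"
		}
	}
	return crackable
}

// MapPasswords builds the old->new password mapping, branching on whether the original password is
// roastable. The two generators are injected so the branch is testable without randomness.
func MapPasswords(users []User, crackable map[string]string, pickDict, pickComplex func() string) map[string]string {
	mapping := map[string]string{}
	for _, u := range users {
		if _, ok := mapping[u.Password]; ok {
			continue // same original password already mapped
		}
		if _, ok := crackable[u.Password]; ok {
			mapping[u.Password] = pickDict()
		} else {
			mapping[u.Password] = pickComplex()
		}
	}
	return mapping
}

// SampleUsers and SampleScripts are constructed sample data, not taken from the project's config.json.
func SampleUsers() []User {
	return []User{
		{Name: "ryan.myers", Password: "Orig1!", SPNs: []string{"HTTP/web.lab.local"}},
		{Name: "sql_svc", Password: "Orig2!", SPNs: []string{"MSSQLSvc/sql.lab.local"}},
		{Name: "alexander.peterson", Password: "Orig3!"},
		{Name: "susan.white", Password: "Orig4!"},
		{Name: "john.doe", Password: "Orig5!"},
	}
}

func SampleScripts() map[string]string {
	return map[string]string{"asrep_users.ps1": "Set-ADAccountControl -Identity \"alexander.peterson\" -DoesNotRequirePreAuth $true\n" +
		"Set-ADAccountControl -Identity 'susan.white' -DoesNotRequirePreAuth $true\n" +
		"Set-ADAccountControl -Identity \"sql_svc\" -DoesNotRequirePreAuth $true\n"}
}

func main() {
	asrep, warns := ParseASREPScripts(SampleScripts())
	for _, w := range warns {
		fmt.Println("warning:", w)
	}
	crackable := FindCrackablePasswords(SampleUsers(), asrep, map[string]bool{"sql_svc": true})
	wordlist := []string{"password1", "summer2024", "welcome1"} // stand-in for the 56-entry list
	i := 0
	dict := func() string { p := wordlist[i%len(wordlist)]; i++; return p }
	complexGen := func() string { return "Xk9#vQ2!pL7m" } // fixed stand-in for GeneratePassword()
	mapping := MapPasswords(SampleUsers(), crackable, dict, complexGen)
	for _, u := range SampleUsers() {
		tag := ""
		if r, ok := crackable[u.Password]; ok {
			tag = " (crackable: " + r + ")"
		}
		fmt.Printf("%s -> %s%s\n", u.Name, mapping[u.Password], tag)
	}
}
```

Keying the crackable set by original password rather than by user name mirrors the PR's description of `mapPasswords()` branching on the original password; if two seed accounts shared a password they would share a replacement, which is the same trade-off the mapping file already makes.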