AS-REP Roasting
If we can identify valid usernames on the domain (using Kerbrute, for example), we can try to determine whether any of those users are vulnerable to AS-REP Roasting. Occasionally Kerberos pre-authentication is not required for an account; this is not very common, but it does happen. If pre-authentication is not required, it is possible to request a Ticket Granting Ticket (TGT) as that user without supplying any credentials, and the AS-REP that comes back contains material encrypted with the user's password hash, which can then be cracked offline.
AS-REP Roasting can be done from Linux or from a domain-joined Windows machine.
Enumeration
List all users with the DONT_REQ_PREAUTH setting enabled.
If we have GenericWrite or GenericAll on a domain account, we can set the DONT_REQ_PREAUTH setting on that account and then request a TGT for that user.
If we get hashes, we can crack them using john or hashcat. See the hashcat section.
Once the hash is cracked, we can try to log in using evil-winrm or psexec.py to gain a foothold on the target system.
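The two things a defender wants from the workflow above are the inverse of the enumeration step and of the TGT request: find every account that has DONT_REQ_PREAUTH set before anyone roasts it, and notice when a TGT is issued without pre-authentication (Kerberos authentication event 4768 with Pre-Authentication Type 0). The following is an added example for that, not code from the original page or from any of the tools it mentions. It assumes the directory data arrives as (sAMAccountName, userAccountControl) pairs from an LDAP query that is out of scope here, and it parses constructed key=value lines that carry the 4768 fields (TargetUserName, PreAuthType, TicketEncryptionType, IpAddress); a real SIEM export will need its own field mapping.

```python
"""Defender-side audit and detection for AS-REP Roasting (added example)."""
import re
from dataclasses import dataclass

# userAccountControl bit 22 (decimal 4194304): UF_DONT_REQUIRE_PREAUTH.
DONT_REQ_PREAUTH = 0x400000
# Kerberos etype 23 (RC4-HMAC). Roasting tools ask for it because an RC4
# AS-REP cracks far faster than an AES one, so it raises the severity.
RC4_HMAC = 0x17

NOTE_FLAGGED = "account has DONT_REQ_PREAUTH set"
NOTE_UNFLAGGED = "no-preauth AS-REP for an account the audit did not list; check for a recent userAccountControl change"


def accounts_without_preauth(ldap_rows):
    """Return sorted sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set.

    ldap_rows: iterable of (sAMAccountName, userAccountControl); the UAC value
    may be an int or the decimal string LDAP typically returns.
    """
    return sorted(name for name, uac in ldap_rows if int(uac) & DONT_REQ_PREAUTH)


@dataclass(frozen=True)
class AsReqEvent:
    """Minimal view of a 4768 (Kerberos authentication ticket requested) record."""
    target_user: str
    pre_auth_type: int
    ticket_enc_type: int
    ip_address: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_4768(line):
    """Parse one constructed key=value log line; return None for other event IDs."""
    fields = dict(_KV.findall(line))
    if fields.get("EventID") != "4768":
        return None
    return AsReqEvent(
        target_user=fields["TargetUserName"],
        pre_auth_type=int(fields["PreAuthType"]),
        ticket_enc_type=int(fields["TicketEncryptionType"], 16),  # logged as 0x..
        ip_address=fields["IpAddress"],
    )


def suspicious_as_reps(lines, no_preauth_accounts):
    """Flag 4768 events with Pre-Authentication Type 0 (TGT issued with no pre-auth).

    Returns (user, source IP, severity, note) tuples. RC4 tickets are rated
    high; an account the directory audit did not list is worth a second look
    because the flag may have been set by someone holding GenericWrite/GenericAll.
    """
    hits = []
    for line in lines:
        ev = parse_4768(line)
        if ev is None or ev.pre_auth_type != 0:
            continue
        severity = "high" if ev.ticket_enc_type == RC4_HMAC else "medium"
        note = NOTE_FLAGGED if ev.target_user in no_preauth_accounts else NOTE_UNFLAGGED
        hits.append((ev.target_user, ev.ip_address, severity, note))
    return hits


# Constructed sample data; account names and addresses are made up.
SAMPLE_DIRECTORY = [
    ("administrator", 0x200),            # NORMAL_ACCOUNT
    ("svc_backup", "4194816"),           # NORMAL_ACCOUNT | DONT_REQ_PREAUTH, as an LDAP string
    ("jdoe", 0x200 | 0x10000),           # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
]
SAMPLE_LOG = [
    "EventID=4768 TargetUserName=jdoe PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.21",
    "EventID=4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "EventID=4769 TargetUserName=jdoe ServiceName=cifs IpAddress=10.0.0.21",
    "EventID=4768 TargetUserName=administrator PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.0.0.77",
]

if __name__ == "__main__":
    flagged = accounts_without_preauth(SAMPLE_DIRECTORY)
    print("accounts without pre-auth:", flagged)
    for hit in suspicious_as_reps(SAMPLE_LOG, set(flagged)):
        print("ALERT", hit)
```

The audit half is what to schedule: every name it returns should either be justified (a few legacy appliances genuinely need the flag) or cleared. The detection half is what to put in front of the domain controllers' security logs; note that one 4768 with Pre-Authentication Type 0 is normal for a flagged account logging on, so what matters is a burst of them from a single source, or one for an account that was not flagged at the last audit.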
Rubeus
Locally from the target system, we can perform AS-REP Roasting with the following commands: