88 Kerberoasting
Abusing the Kerberos ticketing mechanism for exploitation in Active Directory environments.
Kerberos refresher

Kerberos is a [placeholder, explain TGS/TGT]
Standard Kerberoasting
Kerberoasting allows us, as any domain user, to request a ticket from the TGS for any other domain user that is also a service account. Since said tickets are encrypted with the NTLM hash of that other user's plaintext password
AS_REP Kerberoasting
AS_REP kerberoasting makes it possible to send a TGT request in a client's name if said client has the DO_NOT_PREAUTH setting activated (usually poorly configured service accounts). Since the AS_REP will be encrypted with the hash of the client's password, it allows us to crack it offline. That requires a user account with the aforementioned DO_NOT_PREAUTH setting activated.
Assuming we have a list of domain users (obtained, for example, through rpcclient enumeration), we can use scripts to send an AS_REQ with no PRE_AUTH in the name of said users. It looks like this:
[screenshot placeholder for GetNPusers.py]
Please note that AS-REP hashes need a small edit to be crackable with hashcat: a "23" needs to be added between the hash type and the username.
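From the blue-team side, both techniques above leave a footprint in domain controller Security logs: an AS-REP roast shows up as event 4768 with Pre-Authentication Type 0, and standard Kerberoasting as a burst of event 4769 service-ticket requests with RC4 (0x17) encryption for user service accounts. The following detection logic is an added example, not part of the original notes; the event records are constructed samples that mimic the 4768/4769 field names, and the threshold of two distinct services per requester is an assumed tuning value.

```python
"""Flag Kerberos ticket events matching the AS-REP roast and Kerberoast patterns."""
from collections import defaultdict

RC4_HMAC = "0x17"   # etype 23: keys derived from the NT hash, hence crackable offline
NO_PREAUTH = "0"    # PreAuthType 0: no pre-authentication was performed (DONT_REQ_PREAUTH)

# Constructed sample records (not real telemetry); field names follow the 4768/4769 schema.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.22"},
]

def asrep_roast_candidates(events):
    """Accounts whose TGT was issued without pre-auth and with RC4: crackable AS-REPs."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["PreAuthType"] == NO_PREAUTH
                   and e["TicketEncryptionType"] == RC4_HMAC})

def kerberoast_candidates(events, threshold=2):
    """Requesters pulling RC4 service tickets for several user (non-machine) SPNs."""
    per_requester = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # Machine accounts have long random passwords and krbtgt tickets are normal noise.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[(e["TargetUserName"], e["IpAddress"])].add(svc)
    return {k: sorted(v) for k, v in per_requester.items() if len(v) >= threshold}

if __name__ == "__main__":
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("Kerberoast candidates:", kerberoast_candidates(SAMPLE_EVENTS))
```

Accounts surfaced by the first check should have pre-authentication re-enabled; for the second, the remediation is long random service passwords (or gMSA) and removing RC4 from the allowed encryption types.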
