<aside> 💡
Installation: https://github.com/ropnop/kerbrute/releases
chmod +x /home/kali/Downloads/kerbrute_linux_amd64
mv /home/kali/Downloads/kerbrute_linux_amd64 /home/kali/Downloads/kerbrute
mv /home/kali/Downloads/kerbrute /usr/local/bin/
</aside>
<aside>
💡 To enumerate usernames, Kerbrute sends TGT requests (AS-REQs) with no pre-authentication. If the KDC responds with a KDC_ERR_C_PRINCIPAL_UNKNOWN error, the username does not exist. If the KDC instead responds that pre-authentication is required (KDC_ERR_PREAUTH_REQUIRED), the username exists and Kerbrute moves on to the next one. No logon failure is recorded, so this will not lock out any accounts. Each request does generate a Windows event ID 4768 if Kerberos logging is enabled.
</aside>
kerbrute userenum userlist.txt --dc DC.fqdn.to.lookup -d domain.fqdn.to.lookup
The ASREPRoast attack looks for users that have the "Do not require Kerberos pre-authentication" attribute set. That means anyone can send an AS_REQ to the DC on behalf of any of those users and receive an AS_REP message. That message contains a chunk of data encrypted with the user's key, which is derived from the user's password (it is the TGS session key encrypted with the user's secret key).
With that message in hand, the user's password can be cracked offline. No domain account is needed to perform this attack, only a connection to the DC. With a domain account, however, an LDAP query can be used to retrieve the users without Kerberos pre-authentication in the domain; otherwise the usernames have to be guessed.
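Both notes above leave traces a defender can query: Kerbrute's enumeration produces a burst of 4768 events with "client not found" failures from one source, and an AS-REP roast produces a 4768 success with no pre-authentication for an account whose userAccountControl carries the DONT_REQ_PREAUTH bit. The following is an added example written for these notes, not code from Kerbrute, Impacket or the original author. It runs over constructed 4768 records (field names follow the Windows Security event schema, values are invented) and a constructed map of userAccountControl values, and flags the enumeration pattern, the no-pre-auth TGT issuance, and the roastable accounts.

```python
"""Defender-side checks for the two Kerberos weaknesses described above.
All sample data below is constructed for this example."""
from collections import defaultdict

# Kerberos result codes (RFC 4120) as they appear in the 4768 "Status" field
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # requested principal does not exist
KDC_ERR_PREAUTH_REQUIRED = 0x19     # principal exists, KDC wants pre-auth first
SUCCESS = 0x0
NO_PREAUTH = 0                      # PreAuthType 0: the AS-REQ carried no pre-auth data
RC4_HMAC = 0x17                     # TicketEncryptionType 23 (RC4-HMAC)
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit for "Do not require Kerberos preauthentication"

# Constructed 4768 records. Failure events carry 0xffffffff as the encryption type.
SAMPLE_4768 = [
    # one client walking a wordlist: five unknown names, then one that exists
    {"TargetUserName": "aaron", "IpAddress": "10.0.0.50", "Status": 0x6, "PreAuthType": 0, "TicketEncryptionType": 0xffffffff},
    {"TargetUserName": "abby",  "IpAddress": "10.0.0.50", "Status": 0x6, "PreAuthType": 0, "TicketEncryptionType": 0xffffffff},
    {"TargetUserName": "adam",  "IpAddress": "10.0.0.50", "Status": 0x6, "PreAuthType": 0, "TicketEncryptionType": 0xffffffff},
    {"TargetUserName": "alice", "IpAddress": "10.0.0.50", "Status": 0x6, "PreAuthType": 0, "TicketEncryptionType": 0xffffffff},
    {"TargetUserName": "amy",   "IpAddress": "10.0.0.50", "Status": 0x6, "PreAuthType": 0, "TicketEncryptionType": 0xffffffff},
    {"TargetUserName": "administrator", "IpAddress": "10.0.0.50", "Status": 0x19, "PreAuthType": 0, "TicketEncryptionType": 0xffffffff},
    # the same client then gets a TGT for an account that needs no pre-auth, with RC4
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.50", "Status": 0x0, "PreAuthType": 0, "TicketEncryptionType": 0x17},
    # a normal logon: encrypted-timestamp pre-auth (type 2), AES256 (etype 18)
    {"TargetUserName": "jdoe", "IpAddress": "10.0.0.7", "Status": 0x0, "PreAuthType": 2, "TicketEncryptionType": 0x12},
    # a single typo from another host: one unknown name is not enumeration on its own
    {"TargetUserName": "jdeo", "IpAddress": "10.0.0.8", "Status": 0x6, "PreAuthType": 0, "TicketEncryptionType": 0xffffffff},
]

# Constructed userAccountControl values (0x200 NORMAL_ACCOUNT, 0x10000 DONT_EXPIRE_PASSWORD)
SAMPLE_UAC = {"svc_backup": 0x400200, "jdoe": 0x10200, "administrator": 0x10200}


def enumeration_sources(events, min_unknown=5):
    """Map each source IP to the distinct non-existent principals it asked for.

    Only sources at or above the threshold are returned. The 0x6 code is the
    cleaner signal: real Windows clients routinely get 0x19 on a first AS-REQ
    and then retry with pre-authentication, so 0x19 alone is noisy.
    """
    unknown = defaultdict(set)
    for e in events:
        if e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: sorted(names) for ip, names in unknown.items() if len(names) >= min_unknown}


def roast_indicators(events):
    """TGTs issued although the AS-REQ carried no pre-authentication.

    That pairing (Status 0x0, PreAuthType 0) only happens for accounts with
    pre-auth disabled, i.e. exactly the AS-REP a roaster wants. The encryption
    type is returned too: RC4 (0x17) is what roasting tools ask for by default.
    """
    return [
        (e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
        for e in events
        if e["Status"] == SUCCESS and e["PreAuthType"] == NO_PREAUTH
    ]


def accounts_without_preauth(uac_by_account):
    """Accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set."""
    return sorted(name for name, uac in uac_by_account.items() if uac & UF_DONT_REQUIRE_PREAUTH)


if __name__ == "__main__":
    for ip, names in enumeration_sources(SAMPLE_4768).items():
        print(f"enumeration from {ip}: {len(names)} unknown principals {names}")
    for user, ip, etype in roast_indicators(SAMPLE_4768):
        print(f"TGT without pre-auth for {user} to {ip} (etype {etype:#x})")
    print("accounts with pre-auth disabled:", accounts_without_preauth(SAMPLE_UAC))
```

In a real deployment the records would come from the Security log (Audit Kerberos Authentication Service must be enabled for 4768 to appear) and the userAccountControl values from LDAP; the thresholds and the RC4 heuristic are choices for this example, not fixed rules.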
Try all the usernames in usernames.txt:
GetNPUsers.py <domain.local>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
Then crack the hashes using John the Ripper or Hashcat:
john hashes.asreproast --wordlist=/usr/share/wordlists/rockyou.txt
Get the cracked password:
john hashes.asreproast --show