
Introduction
Kerberoasting is a well-known attack technique in Active Directory (AD) environments: any authenticated domain user can request service tickets (TGS) for accounts that have an SPN, and the part of each ticket that is encrypted with the service account's password hash can then be cracked offline. A related and less-known attack, ASREProasting, needs no credentials at all. If an account is configured with "Do not require Kerberos pre-authentication" (the DONT_REQ_PREAUTH flag in userAccountControl), the KDC answers an AS-REQ for that account with an AS-REP whose encrypted part is keyed with the account's password hash, so anyone who can reach a domain controller obtains material that can be cracked offline. This article explores how to identify and exploit ASREProastable accounts using tools like NetExec and Hashcat, and how to fix and detect the misconfiguration.
Learning Objectives
- Understand the difference between Kerberoasting and ASREProasting.
- Learn how to identify ASREProastable accounts in an AD environment.
- Execute an ASREProast attack using NetExec.
- Mitigate ASREProast vulnerabilities in Active Directory.
1. Identifying ASREProastable Accounts
Command (PowerShell):
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth
Step-by-Step Guide:
1. Run the command in a domain-joined PowerShell session with the ActiveDirectory module loaded. No privileges beyond an ordinary domain account are needed, which is exactly why an attacker can perform the same enumeration.
2. The output lists accounts with `DoesNotRequirePreAuth` enabled, i.e. accounts whose userAccountControl attribute carries the DONT_REQ_PREAUTH bit (0x400000, decimal 4194304). NetExec performs the same LDAP query when it is given valid domain credentials.
3. These accounts are ASREProastable: anyone who can reach a domain controller can obtain an AS-REP for them without knowing their password.
2. Requesting an AS-REP Without Credentials
Command (NetExec):
nxc ldap <DOMAIN_CONTROLLER_IP> -u <ASREProastable_USER> -p '' --asreproast <ASREP_HASH_FILE>
Step-by-Step Guide:
1. Install NetExec; the project's documented method is `pipx install git+https://github.com/Pennyw0rth/NetExec`.
2. Replace `<DOMAIN_CONTROLLER_IP>`, `<ASREProastable_USER>` and `<ASREP_HASH_FILE>` with target details. `-u` also accepts a file of candidate usernames, so a list gathered from OSINT or user enumeration can be tested in one pass, and with valid domain credentials (`-u <USER> -p <PASS>`) NetExec enumerates every account carrying the flag itself before roasting it.
3. The tool sends an AS-REQ without the PA-ENC-TIMESTAMP pre-authentication data. Because the account does not require it, the KDC returns an AS-REP (the TGT response) whose enc-part is encrypted with a key derived from the account's password: RC4-HMAC (etype 23) by default, or AES if the account is restricted to AES encryption types.
4. The output is that encrypted blob written in hashcat's `$krb5asrep$23$...` format. Nothing further has to be sent to the domain; the rest of the attack is offline.
3. Cracking the Extracted Hash
Command (Hashcat):
hashcat -m 18200 <ASREP_HASH_FILE> <WORDLIST>
Step-by-Step Guide:
1. Save the NetExec output to a file (e.g., asrep_hashes.txt); each line starts with `$krb5asrep$23$user@REALM:`.
2. Use Hashcat mode `18200` (Kerberos 5, etype 23, AS-REP). It only matches RC4-HMAC lines; if the DC issued an AES enc-part, the line will not carry etype 23 and a different mode is needed.
3. Replace `<WORDLIST>` with a password dictionary (e.g., rockyou.txt). Do not add `--force`: it merely tells hashcat to ignore driver and device warnings, and a warning that is ignored rather than fixed can produce a run that silently finds nothing.
4. Mitigating ASREProast Vulnerabilities
Command (PowerShell):
Set-ADAccountControl -Identity <USER> -DoesNotRequirePreAuth $false
Step-by-Step Guide:
1. Identify vulnerable accounts using the first command.
2. Enforce pre-authentication with the command above. `Set-ADAccountControl` has no `-RequiresPreAuth` parameter; the flag is cleared by setting `-DoesNotRequirePreAuth` to `$false`. Re-run the first command to confirm the account no longer appears, and test the application that uses the account, since the flag is normally set for a legacy client that cannot perform pre-authentication.
3. Where the flag must stay for such a client, give the account a long random password (the offline attack is only as fast as the password is weak), restrict its privileges and group memberships, and record the exception. Audit all accounts periodically with PowerShell or AD administrative tools so the flag does not silently reappear.
5. Detecting ASREProast Attempts
Command (Windows Event Log):
Event ID: 4768 (A Kerberos authentication ticket (TGT) was requested). Filter for: Pre-Authentication Type = 0
Step-by-Step Guide:
1. Monitor the Security log of every domain controller for Event ID 4768; the "Audit Kerberos Authentication Service" subcategory must be enabled for the event to be written.
2. Filter for events with `Pre-Authentication Type: 0`, which Microsoft documents as "logon without pre-authentication" (the field never holds the value NULL). A successful request (Result Code 0x0) with pre-auth type 0 means an AS-REP was issued to a client that never proved it knew the password. A Ticket Encryption Type of 0x17 (RC4-HMAC) next to it is the usual footprint of roasting tools, which ask for RC4 because it is cheaper to crack.
3. Investigate such events, in particular several from one source IP within a short window, which matches a tool walking a list of accounts. Accounts that legitimately keep the flag will log pre-auth type 0 on every logon, so baseline them by account and by source address rather than alerting on the value alone.
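The detection logic described in the three steps above, as an added example that is not part of the original article: it parses 4768 events from an XML export, keeps the successful requests made without pre-authentication, and groups them by requesting address, noting whether every ticket was RC4. The XML is constructed sample data in the shape of a `wevtutil qe Security /f:xml` export, wrapped in a root element so it parses as one document; the field names (TargetUserName, Status, TicketEncryptionType, PreAuthType, IpAddress) are the ones 4768 uses, the values are invented.

```python
# Added example, not from the original article: parse exported 4768 events and
# surface the ASREProast footprint (pre-auth type 0, success, usually RC4).
# SAMPLE_EVENTS_XML is constructed data in the shape of a wevtutil XML export.
import xml.etree.ElementTree as ET
from collections import defaultdict

PREAUTH_NONE = 0       # 4768 "Pre-Authentication Type" 0 = logon without pre-authentication
ETYPE_RC4_HMAC = 0x17  # "Ticket Encryption Type" 0x17 = RC4-HMAC, what roasting tools request
STATUS_SUCCESS = 0x0   # "Result Code" 0x0 = ticket issued

SAMPLE_EVENTS_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4768</EventID><TimeCreated SystemTime="2024-05-01T09:00:01Z"/></System>
 <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP.LOCAL</Data>
  <Data Name="Status">0x0</Data><Data Name="TicketEncryptionType">0x12</Data>
  <Data Name="PreAuthType">2</Data><Data Name="IpAddress">::ffff:10.0.0.25</Data></EventData></Event>
<Event><System><EventID>4768</EventID><TimeCreated SystemTime="2024-05-01T09:00:07Z"/></System>
 <EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP.LOCAL</Data>
  <Data Name="Status">0x0</Data><Data Name="TicketEncryptionType">0x17</Data>
  <Data Name="PreAuthType">0</Data><Data Name="IpAddress">::ffff:10.0.0.99</Data></EventData></Event>
<Event><System><EventID>4768</EventID><TimeCreated SystemTime="2024-05-01T09:00:08Z"/></System>
 <EventData><Data Name="TargetUserName">svc_legacy</Data><Data Name="TargetDomainName">CORP.LOCAL</Data>
  <Data Name="Status">0x0</Data><Data Name="TicketEncryptionType">0x17</Data>
  <Data Name="PreAuthType">0</Data><Data Name="IpAddress">::ffff:10.0.0.99</Data></EventData></Event>
<Event><System><EventID>4768</EventID><TimeCreated SystemTime="2024-05-01T09:00:09Z"/></System>
 <EventData><Data Name="TargetUserName">nosuchuser</Data><Data Name="TargetDomainName">CORP.LOCAL</Data>
  <Data Name="Status">0x6</Data><Data Name="TicketEncryptionType">0xffffffff</Data>
  <Data Name="PreAuthType">-</Data><Data Name="IpAddress">::ffff:10.0.0.99</Data></EventData></Event>
<Event><System><EventID>4769</EventID><TimeCreated SystemTime="2024-05-01T09:00:10Z"/></System>
 <EventData><Data Name="TargetUserName">jdoe@CORP.LOCAL</Data><Data Name="IpAddress">::ffff:10.0.0.25</Data>
  <Data Name="Status">0x0</Data><Data Name="TicketEncryptionType">0x12</Data></EventData></Event>
</Events>"""


def _int(value: str, default: int = -1) -> int:
    """4768 renders numbers as '0x..' hex or decimal; failures may carry '-' placeholders."""
    try:
        return int(value, 0) if value.startswith("0x") else int(value)
    except ValueError:
        return default


def parse_4768(xml_text: str):
    """Return one dict per 4768 event; other event IDs (e.g. 4769 TGS requests) are skipped."""
    events = []
    for ev in ET.fromstring(xml_text).findall(".//{*}Event"):
        if ev.findtext("{*}System/{*}EventID") != "4768":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall(".//{*}Data")}
        events.append({
            "time": ev.find("{*}System/{*}TimeCreated").get("SystemTime"),
            "user": data.get("TargetUserName", ""),
            "ip": data.get("IpAddress", ""),
            "preauth": _int(data.get("PreAuthType", "-")),
            "etype": _int(data.get("TicketEncryptionType", "-")),
            "status": _int(data.get("Status", "-")),
        })
    return events


def asrep_roast_alerts(events, min_accounts: int = 1):
    """Group successful AS-REPs issued without pre-auth by requesting IP.  One source
    pulling such tickets for several accounts, all RC4, is the usual tool footprint."""
    by_ip = defaultdict(list)
    for e in events:
        if e["preauth"] == PREAUTH_NONE and e["status"] == STATUS_SUCCESS:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, hits in sorted(by_ip.items()):
        accounts = sorted({h["user"] for h in hits})
        if len(accounts) >= min_accounts:
            alerts.append({
                "ip": ip,
                "accounts": accounts,
                "first": min(h["time"] for h in hits),
                "all_rc4": all(h["etype"] == ETYPE_RC4_HMAC for h in hits),
            })
    return alerts


if __name__ == "__main__":
    for alert in asrep_roast_alerts(parse_4768(SAMPLE_EVENTS_XML)):
        print(alert)
```

Raise `min_accounts` above the number of no-pre-auth accounts a single legitimate client is expected to use (usually one) so that the exception accounts from the mitigation section do not page anyone, while a tool walking a username list from one address still does.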
What Undercode Say
- Key Takeaway 1: ASREProasting requires no credentials and leaves only a single 4768 event per targeted account, making it dangerous in poorly configured or poorly monitored AD environments.
- Key Takeaway 2: While rare in real-world engagements, ASREProastable accounts still exist—especially in legacy systems.
Analysis:
The technique highlighted by Alexander Neff demonstrates how misconfigured Kerberos settings can lead to credential compromise. Defenders must prioritize auditing `DONT_REQ_PREAUTH` flags and enforcing pre-authentication. Tools like NetExec and Hashcat streamline exploitation, but proactive monitoring (e.g., Event ID 4768) can detect attacks early. As cloud and hybrid AD environments grow, understanding such legacy vulnerabilities becomes critical for red and blue teams alike.
Prediction
With increasing adoption of cloud-based AD services (e.g., Azure AD), traditional Kerberos flaws like ASREProasting may decline. However, legacy on-prem systems will remain vulnerable for years, ensuring this technique stays relevant in penetration testing and red-team exercises. Future AD hardening guides will likely emphasize pre-authentication as a baseline security control.
Reported By: Alexander Neff – Hackers Feeds


