# AS-REP
This action requires GenericWrite or GenericAll privileges on the user object.
To carry out this attack, the target user must have "Do not require Kerberos preauthentication" set on its account. The KDC will then answer an AS-REQ for that user without any proof of the password, and the user's hash can be extracted from the AS-REP it returns.
It is rare to find this flag set in production environments, since the default is to require pre-authentication, but it is worth checking for.
{% code title="PowerShell AD Module" %}
```powershell
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
```
{% endcode %}
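From the defender's side, the same query is worth running as a scheduled audit rather than a one-off. The following is an added example, not part of the original page: it finds every account carrying the DONT_REQ_PREAUTH bit (0x400000) in `userAccountControl` using an LDAP bitwise filter, reports context a reviewer needs (enabled state, last logon, whether the account also has an SPN), and offers a `-WhatIf`-capable remediation that re-enables pre-authentication. It assumes the ActiveDirectory module is available and the caller can read (and, for remediation, write) the user objects; the function names are my own.

```powershell
# Added example (not from the original page): audit accounts that do not require
# Kerberos pre-authentication and, optionally, re-enable the requirement.
# Assumes the ActiveDirectory module and rights on the user objects.

# userAccountControl bit for DONT_REQ_PREAUTH (UF_DONT_REQUIRE_PREAUTH).
$DontReqPreauth = 0x400000   # 4194304

function Get-NoPreauthAccount {
    param(
        [string]$SearchBase   # optional OU distinguished name to scope the search
    )
    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests the flag directly
    # in userAccountControl instead of relying on the constructed attribute.
    $filter = "(userAccountControl:1.2.840.113556.1.4.803:=$DontReqPreauth)"
    $params = @{
        LDAPFilter = $filter
        Properties = 'userAccountControl', 'LastLogonDate', 'PasswordLastSet', 'ServicePrincipalName'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            LastLogonDate   = $_.LastLogonDate
            PasswordLastSet = $_.PasswordLastSet
            HasSPN          = ($_.ServicePrincipalName.Count -gt 0)
            UAC             = ('0x{0:X}' -f $_.userAccountControl)
        }
    }
}

function Repair-NoPreauthAccount {
    # Re-enable pre-authentication; supports -WhatIf / -Confirm so the change
    # can be reviewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$SamAccountName
    )
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Re-enable Kerberos pre-authentication')) {
            Set-ADAccountControl -Identity $SamAccountName -DoesNotRequirePreAuth $false
        }
    }
}

# Usage: list affected accounts, then preview the proposed change before applying it.
Get-NoPreauthAccount | Format-Table -AutoSize
Get-NoPreauthAccount | Repair-NoPreauthAccount -WhatIf
```

Accounts that legitimately need the flag (some legacy or non-Windows Kerberos clients) should be documented and given long random passwords, since the flag makes their key directly attackable offline; everything else should go through `Repair-NoPreauthAccount` without `-WhatIf`.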
If no user has this flag set, and we have enough rights, we can set it ourselves.
This can be seen as an evasion technique: compared with resetting the user's password, it is less likely to draw attention, since it does not interrupt the user's work.
Disable the requirement for Kerberos pre-authentication:
```powershell
Get-ADUser <SamAccountName> | Set-ADAccountControl -DoesNotRequirePreAuth $true
```
Now we can send an AS-REQ and dump the AS-REP to try to obtain the user's credentials:
```powershell
Get-ASREPHash <UserName> -Verbose
```
{% hint style="info" %}
Have a look at the Set-ADAccountControl options:
https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adaccountcontrol?view=windowsserver2022-ps
{% endhint %}
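Both steps above leave traces on the domain controller. Flipping the flag is recorded as a user-account-changed event (4738) whose User Account Control field names the toggled option, and a TGT handed out without pre-authentication is a 4768 event with Pre-Authentication Type 0 and a success status. The following is an added example, not part of the original page: a parser that flags those two patterns in event XML, exercised against two constructed sample events so it runs offline, plus a wrapper that reads the live Security log. It assumes "Audit Kerberos Authentication Service" and "Audit User Account Management" are enabled on the DC; the function names and sample values are my own.

```powershell
# Added example (not from the original page): detect AS-REP roasting preparation
# and execution in the Security log. Sample events below are constructed.

function Test-AsrepEvent {
    param([xml]$EventXml)   # one event in the Get-WinEvent .ToXml() format
    $ns = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }
    $id = [int](Select-Xml -Xml $EventXml -XPath '//e:System/e:EventID' -Namespace $ns).Node.InnerText
    # Collect EventData fields by their Name attribute.
    $data = @{}
    foreach ($n in (Select-Xml -Xml $EventXml -XPath '//e:EventData/e:Data' -Namespace $ns)) {
        $data[$n.Node.GetAttribute('Name')] = $n.Node.InnerText
    }
    switch ($id) {
        4768 {
            # TGT issued (Status 0x0) with Pre-Authentication Type 0: the KDC
            # returned an AS-REP without pre-authentication. Etype 0x17 (RC4)
            # is the variant most commonly requested by roasting tools.
            if ($data.PreAuthType -eq '0' -and $data.Status -eq '0x0') {
                return [pscustomobject]@{
                    EventID = 4768; Account = $data.TargetUserName
                    Source  = $data.IpAddress; Etype = $data.TicketEncryptionType
                    Reason  = 'TGT issued without pre-authentication'
                }
            }
        }
        4738 {
            # Account changed: the UAC change list names the option that was toggled.
            if ($data.UserAccountControl -match "Don't Require Preauth'?\s*-\s*Enabled") {
                return [pscustomobject]@{
                    EventID = 4738; Account = $data.TargetUserName
                    Source  = $data.SubjectUserName; Etype = $null
                    Reason  = 'Pre-authentication requirement removed'
                }
            }
        }
    }
}

function Find-AsrepActivity {
    # Live use on a domain controller: scan the last 24 hours of the Security log.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4738; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { Test-AsrepEvent ([xml]$_.ToXml()) }
}

# Constructed sample events (not real log records).
$sample4768 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID></System>
  <EventData>
    <Data Name="TargetUserName">svc_legacy</Data>
    <Data Name="TargetDomainName">CORP.EXAMPLE</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="PreAuthType">0</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
  </EventData>
</Event>
'@
$sample4738 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4738</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="TargetUserName">svc_legacy</Data>
    <Data Name="OldUacValue">0x10</Data>
    <Data Name="NewUacValue">0x10010</Data>
    <Data Name="UserAccountControl">'Don't Require Preauth' - Enabled</Data>
  </EventData>
</Event>
'@

@($sample4768, $sample4738) | ForEach-Object { Test-AsrepEvent ([xml]$_) } | Format-Table -AutoSize
```

A 4738 that enables the option, followed shortly by a 4768 with PreAuthType 0 for the same account from a workstation IP, is the sequence to alert on; the Source column gives the operator account for the change and the client address for the ticket request.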