Skip to content

Kerberos asreproast command

Jump to bottom
skelsec edited this page Apr 15, 2021 · 6 revisions

What it does

Performs the asreproast attack against a list of target usernames.

Remarks

The list of users can be in a file (one username per line) or can be set in a command line argument (at the end of the command). You may even mix the two.
Important: The expected format is <user>@<realm> but you don't need to specify the target users using this format if you with, just the username is enough IF you also supply the -d <realm> switch.

Requirements

You will need the following things:

  • IP/Hostname of the Kerberos server (the domain controller)
  • The Realm eg. domain name
  • A list of usernames (prone to the asreproast attack)
  • Instead of targets and realm you can use LDAP connection string to load the targets automatically

Subcommands

None

Switches

  • -o: Writes the result tickets to a file, hashcat format
  • -e: Specifies which encryption type should be requested. Default is RC4 (23)
  • -d: Realm aka domain name, only used when targets are set from file.
  • -t or --targets: Targets to be loaded from file or as SPN string, or just username if -d is set.
  • -l or --ldap: LDAP URL in ConnectionURL format. This will fetch the targets from the DC via LDAP.
  • target: The IP address or hostname of the DC

Examples

  • pypykatz kerberos asreproast 10.10.10.2 asreptest@test.corp: Performs the asreproast attack against user asreptest@test.corp and prints the resulting ticket to the command line in hashcat format
  • pypykatz kerberos asreproast 10.10.10.2 --ldap 'ldap+ntlm-password://TEST\victim:Passw0rd!1@10.10.10.2': Performs the asreproast attack against all vulnerable targets loaded via LDAP

Home

Live commands

Platform-independent commands

ConnectionURL

Clone this wiki locally