ASREP Attacks

I am following @zephrphish and his series entitled “The Path to DA”, which you can catch on his zeprhsec YouTube channel here. This week he did a session on Kerberoasting and ASRep. For those of you not familiar with his work, I should warn you that the videos are not family friendly and are not suitable for work (at least not without headphones anyway).

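At the end of the session he shows how to secure against each type of attack, and with ASRep the config is quite simple: just check accounts in ADUC to make sure they don’t have the flag “Do Not Require Kerberos PreAuthentication” set. With that flag set, the KDC returns an AS-REP for the account without the requester first proving knowledge of the password, and part of that reply is encrypted with a key derived from the account's password, so it can be attacked offline.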

You can also view this setting using PowerShell:

Get-ADUser -Identity <username> -Properties UserPrincipalName, DoesNotRequirePreAuth

In a larger environment, nobody wants to go through thousands of users across multiple domains manually, looking at each individual user, and as MS have so kindly given us PowerShell we might as well use it to make our blue team lives easier.

I threw together this little script. I am sure it could be done many other ways; this is my way. It simply checks user objects across all domains in a single forest for that setting and, if any are found, writes the account details out to a CSV.

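# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

# Every domain in the current forest
$Domains  = (Get-ADForest).Domains
$Output   = @()
$FilePath = "<put your output path in here>"

foreach ($Domain in $Domains)
{
    # Collect accounts in this domain with Kerberos pre-authentication disabled;
    # @() keeps an empty result from adding anything to $Output
    $Output += @(Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Server $Domain -Properties UserPrincipalName, DoesNotRequirePreAuth)
}

if ($Output.Count -gt 0) {
    # -NoTypeInformation keeps the "#TYPE" header line out of the CSV
    $Output | Export-Csv -Path $FilePath -NoTypeInformation
    Write-Host "Found $($Output.Count) - Details written to $FilePath"
}
else {
    Write-Host "No users found with DoesNotRequirePreAuth set"
}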

The logged-on user will need read permissions to user objects in all domains.
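
To help decide which of the accounts the script finds should be fixed first, the following added example (not part of the original post) ranks them using the userAccountControl bit that sits behind DoesNotRequirePreAuth. The function name, the priority rules, the 365-day threshold and the sample records are assumptions constructed for illustration.

```powershell
# Added example; helper name, priority rules and sample records are constructed.
# DoesNotRequirePreAuth mirrors bit 0x400000 of userAccountControl.
$UF_ACCOUNTDISABLE       = 0x2
$UF_DONT_REQUIRE_PREAUTH = 0x400000

function Get-NoPreAuthFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $User,
        [int]      $StalePasswordDays = 365,      # assumed threshold
        [datetime] $Now = (Get-Date)
    )
    process {
        $uac = [int]$User.userAccountControl
        if (($uac -band $UF_DONT_REQUIRE_PREAUTH) -eq 0) { return }  # flag not set: skip

        $enabled    = ($uac -band $UF_ACCOUNTDISABLE) -eq 0
        # adminCount = 1 marks accounts that are, or once were, in a protected group
        $privileged = $User.adminCount -eq 1
        $pwdAgeDays = $null
        if ($User.PasswordLastSet) {
            $pwdAgeDays = [int][math]::Floor(($Now - $User.PasswordLastSet).TotalDays)
        }

        # Example heuristic: disabled accounts last, privileged or stale passwords first
        if (-not $enabled) {
            $priority = '3-Low'
        } elseif ($privileged -or ($pwdAgeDays -gt $StalePasswordDays)) {
            $priority = '1-High'
        } else {
            $priority = '2-Medium'
        }

        [pscustomobject]@{
            Priority        = $priority
            SamAccountName  = $User.SamAccountName
            Enabled         = $enabled
            Privileged      = $privileged
            PasswordAgeDays = $pwdAgeDays
        }
    }
}

# Constructed sample records (not real accounts); the third has the flag clear
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-legacy'; userAccountControl = 4194816; adminCount = 1;     PasswordLastSet = [datetime]'2019-03-01' }
    [pscustomobject]@{ SamAccountName = 'old-kiosk';  userAccountControl = 4194818; adminCount = $null; PasswordLastSet = [datetime]'2016-07-15' }
    [pscustomobject]@{ SamAccountName = 'jdoe';       userAccountControl = 512;     adminCount = $null; PasswordLastSet = [datetime]'2023-11-20' }
    [pscustomobject]@{ SamAccountName = 'app-sync';   userAccountControl = 4194816; adminCount = $null; PasswordLastSet = [datetime]'2023-10-02' }
)
$sample | Get-NoPreAuthFinding -Now ([datetime]'2024-01-01') | Sort-Object Priority | Format-Table -AutoSize

# Live use: Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Server $Domain -Properties userAccountControl, adminCount, PasswordLastSet | Get-NoPreAuthFinding
```

Once an account has been reviewed, the flag can be cleared with Set-ADAccountControl -Identity <username> -DoesNotRequirePreAuth $false.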