I think we've been through enough of the Kerberos authentication process when we were talking about Kerberoasting and AS-REP roasting, so I will just get into it.
When pre-authentication is enabled on an account, the client must send an AS-REQ to the KDC and have it validated before it receives a TGT.
One of the contents of this AS-REQ is the current timestamp, encrypted with a key derived from the user's password (for RC4-HMAC, etype 23, that key is the NTLM hash). The KDC decrypts it and, if the timestamp falls within the allowed clock-skew interval, issues a TGT.
If we can capture that encrypted timestamp, we can try to crack it offline and recover the user's password.
Nothing more is needed to get this done than a good position in the network for MITM, since the AS-REQ only has to be observed, not modified.
The hashes can then be extracted from the pcap files with PCredz:
# extract credentials from a pcap file
Pcredz -f "file-to-parse.pcap"
# extract credentials from all pcap files in a folder
Pcredz -d "/path/to/pcaps/"
# extract credentials from a live packet capture on a network interface
Pcredz -i $INTERFACE -v
and cracked with hashcat mode 7500 (Kerberos 5, etype 23, AS-REQ Pre-Auth):
./hashcat -m 7500 as-req.hashes openwall.net-all.txt
Detection and Mitigation
In detection:
- There is nothing to detect: the attacker only listens, and as long as no spoofing is done there is no evidence or alert that anything wrong happened.
In mitigation: there is also nothing to mitigate the capture itself, but you can reduce the chance of the password being cracked by enforcing complex, well-rotated passwords. Enforcing AES encryption types instead of RC4 does not stop the capture either, but it removes the NTLM-hash-keyed timestamp and makes the captured blob far more expensive to crack.
If pre-auth is disabled there is no encrypted timestamp at all and the KDC generates the TGT based solely on the username, so disabling it prevents AS-REQ roasting but enables AS-REP roasting.