After reading harmj0y's blog post about “Roasting AS-REPs”, I decided to update the Dump-User.ps1 script so that it reports on users that don’t have Kerberos pre-authentication enabled. Running the updated version against an “in the wild” target yielded interesting results, to say the least.
While I can’t post the results from the “in the wild” domain, I can say that one domain administrator account was vulnerable and it was possible to successfully retrieve the hash for cracking using harmj0y's script.
In any case, here is an example result file from my test environment, where I have disabled Kerberos pre-authentication for the domain administrator.
The scripts can be found on the project page. Cheers ;)
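For defenders who want to run the same check as a recurring audit, here is an added example (not the Dump-User.ps1 code and not harmj0y's script) that lists accounts with pre-authentication disabled and ranks privileged, enabled ones first. It assumes the RSAT ActiveDirectory module is installed; the function name `Get-NoPreAuthAccount` and the output file name are hypothetical.

```powershell
# Added audit example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-NoPreAuthAccount {
    # Hypothetical helper name chosen for this example.
    param(
        [string]$Server   # optional: domain controller to query
    )

    # 4194304 (0x400000) is the DONT_REQ_PREAUTH bit of userAccountControl.
    # The 1.2.840.113556.1.4.803 matching rule is a bitwise AND, so only
    # objects with that bit set are returned by the directory.
    $query = @{
        LDAPFilter = '(&(objectCategory=person)(objectClass=user)' +
                     '(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
        Properties = 'adminCount', 'PasswordLastSet', 'LastLogonDate'
    }
    if ($Server) { $query.Server = $Server }

    Get-ADUser @query | ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            Enabled           = $_.Enabled
            # adminCount = 1 marks accounts that are (or were) members of
            # protected groups such as Domain Admins.
            Privileged        = ($_.adminCount -eq 1)
            PasswordLastSet   = $_.PasswordLastSet
            LastLogonDate     = $_.LastLogonDate
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Privileged and enabled accounts first: these are the ones to fix first.
$findings = Get-NoPreAuthAccount |
    Sort-Object -Property Privileged, Enabled -Descending

$findings | Format-Table SamAccountName, Enabled, Privileged, PasswordLastSet
$findings | Export-Csv -Path .\no-preauth-accounts.csv -NoTypeInformation

# Remediation, once each account is confirmed not to need the setting:
#   Set-ADAccountControl -Identity <SamAccountName> -DoesNotRequirePreAuth $false
# followed by a password change, since the old hash may already be exposed.
```

An empty result is the desired state; any account that must keep the setting for compatibility should carry a long random password and no privileged group membership.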