After reading harmj0y's blog post about “Roasting AS-REPs”, I have decided to update the Dump-User.ps1 script in order for it to report on users that don’t have Kerberos preauthentication enabled. Running the updated version against an “in the wild” target yielded interesting results to say the least.
While I can’t post the results from the “in the wild” domain, I can say that one domain administrator account was vulnerable and it was possible to successfully retrieve the hash for cracking using harmj0y's script.
In any case, here is an example result file from my test environment, where I have disabled Kerberos preauthentication for the domain administrator.
The scripts can be found on the project page. Cheers ;)
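An added example, not code from Dump-User.ps1 or from harmj0y's tooling: whether an account requires Kerberos preauthentication is recorded as one bit (0x400000) of its `userAccountControl` attribute, and this PowerShell function triages account records by that bit for a defensive audit. The function name, the sample accounts and the priority labels are assumptions made for the illustration.

```powershell
# Added example. The account records at the bottom are constructed sample data.
$UF_ACCOUNTDISABLE       = 0x2        # account is disabled
$UF_DONT_REQUIRE_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

# Hypothetical helper: returns the accounts that have preauthentication
# disabled, ranked so that enabled privileged accounts are reviewed first.
function Get-PreauthDisabledAccount {
    param([Parameter(Mandatory)][object[]]$Account)

    $Account |
        Where-Object { ([int]$_.userAccountControl -band $UF_DONT_REQUIRE_PREAUTH) -ne 0 } |
        ForEach-Object {
            $uac        = [int]$_.userAccountControl
            $enabled    = ($uac -band $UF_ACCOUNTDISABLE) -eq 0
            $privileged = ($_.adminCount -eq 1)   # adminCount=1 marks protected (admin) objects

            if ($enabled -and $privileged) { $rank = 0; $priority = 'High' }
            elseif ($enabled)              { $rank = 1; $priority = 'Medium' }
            else                           { $rank = 2; $priority = 'Low' }

            [pscustomobject]@{
                SamAccountName = $_.sAMAccountName
                Enabled        = $enabled
                Privileged     = $privileged
                Priority       = $priority
                Rank           = $rank
            }
        } |
        Sort-Object Rank, SamAccountName
}

# Constructed sample records (attribute names as stored in the directory).
# Against a live domain the same records come from an LDAP search with the
# bitwise-AND filter (userAccountControl:1.2.840.113556.1.4.803:=4194304).
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';       userAccountControl = 0x200;    adminCount = $null }
    [pscustomobject]@{ sAMAccountName = 'svc-legacy'; userAccountControl = 0x410200; adminCount = $null }
    [pscustomobject]@{ sAMAccountName = 'adm-test';   userAccountControl = 0x400200; adminCount = 1 }
    [pscustomobject]@{ sAMAccountName = 'old-user';   userAccountControl = 0x400202; adminCount = $null }
)

Get-PreauthDisabledAccount -Account $sample |
    Format-Table SamAccountName, Enabled, Privileged, Priority -AutoSize
```

Accounts flagged this way are fixed by re-enabling preauthentication, for example with `Set-ADAccountControl -DoesNotRequirePreAuth $false` from the ActiveDirectory module, and by rotating the password of any account that had the flag set.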