Skip to main content

Overview

Scan for user accounts that do not require Kerberos pre-authentication. Accounts without pre-authentication requirements are vulnerable to AS-REP roasting attacks, allowing offline password cracking.

Syntax

Rubeus.exe preauthscan /users:USERS_FILE [options]

Required Parameters

users
string
required
File containing list of usernames to test

Optional Parameters

domain
string
Target domain (default: current domain)
dc
string
Domain controller to target
proxyurl
string
KDC proxy URL for authentication

Examples

# Scan users from file
Rubeus.exe preauthscan /users:C:\temp\users.txt

# Scan against specific domain
Rubeus.exe preauthscan /users:users.txt /domain:corp.local

# Use specific domain controller
Rubeus.exe preauthscan /users:users.txt /dc:dc01.corp.local

Pre-Authentication Overview

Security Mechanism:
  • Requires proof of password knowledge before TGT issuance
  • Prevents offline password attacks
  • Enabled by default for all accounts
When Disabled:
  • AS-REQ returns encrypted TGT without pre-auth
  • Enables AS-REP roasting attacks
  • Often misconfigured for compatibility

Attack Integration

Vulnerability Identification:
# 1. Scan for vulnerable accounts
Rubeus.exe preauthscan /users:all_users.txt

# 2. Perform AS-REP roasting on vulnerable accounts
Rubeus.exe asreproast /user:vulnerable_user
Workflow Integration:
  • Identify accounts without pre-auth
  • Target them with AS-REP roasting
  • Crack extracted hashes offline
  • Use credentials for further attacks
  • asreproast - Exploit accounts without pre-auth
  • brute - Password attack vulnerable accounts