AS-REP hash extraction for ASREProastable accounts #2

@StrongWind1

Description

What problem does this solve?

When userenum discovers an ASREProastable account (pre-authentication not required), the KDC returns an AS-REP containing encrypted data that can be cracked offline with hashcat ($krb5asrep$23$). CredWolf currently flags these accounts in the output but discards the AS-REP response. Operators must then re-run a separate tool (e.g. GetNPUsers.py) to actually extract the hash, adding an extra step to the workflow.

Proposed solution

Add a --asrep-out <file> flag to the userenum subcommand. When set, any AS-REP response received for an ASREProastable account would be parsed and the encrypted part written in hashcat-compatible format:

$krb5asrep$23$user@REALM:salt$encrypted_data

The hash file can then be fed directly to hashcat -m 18200.

Implementation notes:

  • The AS-REP is already received and decoded in _get_salts() and enumerate_user() — the response bytes are available, just not saved
  • Extract the cipher and encrypted part from the AS-REP's enc-part field
  • Format according to hashcat's $krb5asrep$ specification
  • Write one hash per line, appending to the output file

Alternatives considered

  • Impacket's GetNPUsers.py — works but requires a separate tool invocation after enumeration
  • Saving raw AS-REP bytes to a file — less useful since operators want hashcat-ready format
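As an added, defender-side example (not part of this issue or of CredWolf), the following Python flags the KDC-side trace of the requests this feature would harvest: successful Windows Security 4768 TGT requests with PreAuthType 0 and RC4 (0x17, the 23 in $krb5asrep$23$), grouped by requesting address. The event lines, field names and addresses are constructed sample input in the 4768 schema; the set of roastable etypes is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security event 4768 (TGT requested), flattened
# to key=value lines; users, realm and addresses are made up for this example.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=svc_backup TargetDomainName=CORP.LOCAL "
    "IpAddress=10.0.0.5 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0",
    "EventID=4768 TargetUserName=alice TargetDomainName=CORP.LOCAL "
    "IpAddress=10.0.0.7 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0",
    "EventID=4768 TargetUserName=svc_sql TargetDomainName=CORP.LOCAL "
    "IpAddress=10.0.0.5 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0",
    "EventID=4768 TargetUserName=nobody TargetDomainName=CORP.LOCAL "
    "IpAddress=10.0.0.5 TicketEncryptionType=0xffffffff PreAuthType=- Status=0x6",
]

# Encryption types whose AS-REP is offline-crackable (assumed set); 0x17 is
# RC4-HMAC, the "23" in the $krb5asrep$23$ format the issue describes.
ROASTABLE_ETYPES = {0x17}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened 4768 line into a dict of its key=value fields."""
    return dict(KV_RE.findall(line))


def is_asrep_roast_candidate(ev):
    """True when the KDC issued a TGT without pre-auth using a roastable etype."""
    if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
        return False  # failed requests return a KRB-ERROR, not an AS-REP
    if ev.get("PreAuthType") != "0":
        return False  # pre-authentication was performed
    try:
        etype = int(ev.get("TicketEncryptionType", "-1"), 16)
    except ValueError:
        return False  # field is "-" on failures and some malformed lines
    return etype in ROASTABLE_ETYPES


def detect(lines):
    """Group roastable AS-REPs by source IP; one source pulling no-preauth
    TGTs for several distinct accounts is the enumeration pattern to alert on."""
    by_source = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_asrep_roast_candidate(ev):
            by_source[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_source.items()}
```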

Labels: enhancement (New feature or request)