AS-REP Roasting
About The Attack
The AS-REP is the KDC's answer to an AS-REQ and carries the TGT together with a session key encrypted under the user's password-derived key. Normally the DC only issues it after Kerberos pre-authentication proves the requester knows the password. If pre-authentication is disabled for an account, an attacker can send an AS-REQ to the DC on behalf of that user without knowing the password and receive the AS-REP; the encrypted portion can then be cracked offline.
Performing Attack
Gear Up (Prereqs)
- Domain Controllers IP
- User:Pass for authentication
Using Impacket-GetNPUsers
This command is used when launching the attack from the Kali Linux machine:
impacket-GetNPUsers -dc-ip <DC-IP> -request -outputfile hashes.asreproast domain.com/Users
Using Rubeus
This command is used when you have a Windows machine in the domain:
rubeus.exe asreproast /nowrap
Crack the Collected Hash
sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
A custom rule file or any other suitable wordlist can be used instead.
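Defender-side companion to the activity described above, added here as an example (not part of the original notes). It evaluates constructed Windows Security Event 4768 (TGT requested) records: a successful AS-REQ with Pre-Authentication Type 0 and RC4 (0x17) ticket encryption is the footprint GetNPUsers/Rubeus leave against accounts that do not require pre-authentication, and the final helper checks the userAccountControl bit that makes an account roastable. The field names and sample values are assumptions modelled on the 4768 event's XML data.

```python
"""Added example: flag AS-REP Roasting from Event 4768 records and audit the
DONT_REQ_PREAUTH flag. Sample events below are constructed, not real telemetry."""

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit that disables Kerberos preauth

# Constructed 4768 events; keys mirror the event's EventData names.
SAMPLE_4768 = [
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.55", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "alice", "IpAddress": "10.0.0.12", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},   # normal preauth, AES
    {"TargetUserName": "jdoe", "IpAddress": "10.0.0.55", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "bob", "IpAddress": "10.0.0.55", "Status": "0x18",
     "PreAuthType": "2", "TicketEncryptionType": "0x17"},   # failed: bad password
    {"TargetUserName": "legacy_app", "IpAddress": "10.0.0.90", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x12"},   # no preauth but AES
]


def is_asrep_roast_candidate(ev):
    """True when a TGT was issued (Status 0x0) with no pre-authentication
    (PreAuthType 0) and RC4-HMAC (0x17), the combination roasting tools request
    so the AS-REP is cheap to crack with hashcat mode 18200."""
    return (ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17")


def roasted_accounts(events):
    """Sorted account names whose 4768 events match the roasting pattern."""
    return sorted({e["TargetUserName"] for e in events if is_asrep_roast_candidate(e)})


def noisy_sources(events, threshold=2):
    """Source IPs that obtained no-preauth RC4 TGTs for >= threshold distinct
    users; one host enumerating many accounts is the strongest signal."""
    per_ip = {}
    for e in events:
        if is_asrep_roast_candidate(e):
            per_ip.setdefault(e["IpAddress"], set()).add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in per_ip.items() if len(users) >= threshold}


def requires_no_preauth(user_account_control):
    """Audit helper: True if the account's userAccountControl has DONT_REQ_PREAUTH set."""
    return bool(int(user_account_control) & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    print("roasted accounts:", roasted_accounts(SAMPLE_4768))
    print("noisy sources:", noisy_sources(SAMPLE_4768))
    print("0x400200 roastable:", requires_no_preauth(0x400200))
```

Feeding real 4768 exports through the same functions and remediating every account `requires_no_preauth` reports removes the precondition the attack depends on.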
Further Actions
Below are some of the use cases after successfully cracking the hash.
Credential Reuse
- Password Spraying → SMB/RDP/WinRM
- LDAP/Kerberos → Enumerate Further
- VPN / Outlook Web Access / Citrix
Privilege Escalation
If the account belongs to:
- Domain Admins / Server Operators / Account Operators → instant escalation.
- Service Accounts (common) → pivoting into Kerberoasting, Silver Tickets, or lateral movement.
- Users with local admin rights → move laterally via SMB/PSExec/WinRM.
Chaining with Other Attacks
- From AS-REP → Kerberoasting.
If the account cracked has SPNs, request service tickets and roast them.
- From AS-REP → DCSync.
If the cracked account has replication privileges, dump all domain hashes.
- From AS-REP → Persistence.
If it’s a privileged service account, create Golden/Silver Tickets for long-term persistence.