ASREPRoasting
ASREPRoasting is an attack on the initial Kerberos authentication step (the AS exchange) and is usually performed after obtaining a list of valid domain users.
Preauthentication is a Kerberos security feature in which the client must prove knowledge of its password before the KDC issues a TGT. The client encrypts a timestamp with a key derived from the user's password and sends it to the KDC; if the KDC can decrypt and validate the timestamp, it confirms that the user knows the password, which protects against offline brute-force attacks.
If an account has the "Do not require Kerberos preauthentication" setting enabled, anyone can send the DC an AS-REQ for that account without pre-authentication and receive an AS-REP. The AS-REP carries the TGT, and its encrypted part is protected with a key derived from the account's password hash, so it can potentially be cracked offline.
We can enumerate accounts with the preauthentication feature disabled using GetNPUsers or kerbrute.
Then we can ASREPRoast the enumerated accounts using GetNPUsers or nxc.
Finally, we can crack the extracted hashes with hashcat or john.
If we can't find any vulnerable users, but we have GenericWrite or GenericAll on a user object, we can modify that user's UserAccountControl to disable preauthentication and then perform the ASREPRoast attack. Don't forget to reset the UserAccountControl after extraction!
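A defender-side counterpart to the steps above, added here as an example and not code from the page or from any tool it names: an audit of a constructed directory export for accounts with the preauthentication-not-required UserAccountControl bit set, plus detection logic run over constructed Security Event 4768 records to flag TGT requests that used no pre-authentication, which is the log signal of both the roast itself and of the UserAccountControl abuse described above. The simplified key=value record format, account names and addresses are assumptions made for the example.

```python
"""Audit accounts whose UserAccountControl has "Do not require Kerberos
preauthentication" set, and flag Security Event 4768 TGT requests that used
no pre-authentication (the log trace of an AS-REP roast).
All sample data below is constructed in a simplified key=value form."""
import re

DONT_REQ_PREAUTH = 0x400000  # LDAP userAccountControl bit (UF_DONT_REQUIRE_PREAUTH)
ACCOUNT_DISABLE = 0x2        # LDAP userAccountControl bit (UF_ACCOUNTDISABLE)

# Constructed directory export: (sAMAccountName, userAccountControl as stored in LDAP)
SAMPLE_ACCOUNTS = [("svc-backup", 0x400200), ("alice", 0x200),
                   ("bob", 0x400200), ("old-svc", 0x400202)]

# Constructed 4768 records. PreAuthType 0 = none; TicketEncryptionType 0x17 = RC4, 0x12 = AES256.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=svc-backup PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.23",
    "EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=bob PreAuthType=0 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.23",
    "EventID=4768 TargetUserName=old-svc PreAuthType=0 TicketEncryptionType=0x17 Status=0x12 IpAddress=10.0.0.23",
]

def accounts_without_preauth(accounts):
    """Enabled accounts with DONT_REQ_PREAUTH set (a disabled account gets no AS-REP)."""
    return sorted(name for name, uac in accounts
                  if uac & DONT_REQ_PREAUTH and not uac & ACCOUNT_DISABLE)

def parse_event(line):
    return dict(re.findall(r"(\w+)=(\S+)", line))

def preauthless_tgt_requests(lines):
    """Successful AS-REQs with no pre-auth: the AS-REP enc-part can be attacked offline."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0" and ev.get("Status") == "0x0":
            hits.append({"user": ev["TargetUserName"], "src": ev["IpAddress"],
                         "rc4": ev["TicketEncryptionType"] == "0x17"})  # RC4 is the cheapest to crack
    return hits

def sources_hitting_many_users(hits, threshold=2):
    """One source requesting several pre-auth-less users in a row is the shape of a list-driven roast."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h["src"], set()).add(h["user"])
    return {src: sorted(users) for src, users in by_src.items() if len(users) >= threshold}
```

Any account the audit returns that is not a known exception, and any source in the last result, is worth a ticket; an account that newly appears in the audit points at the UserAccountControl change described above.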
If we successfully crack the hash, we can perform a attack across the network using NetExec. If the compromised user has local administrator privileges on any host, we can then extract cached credentials—such as those stored in —using tools like Mimikatz.
For an example of ASREPRoasting with nxc, check .