ASREPRoast

ASREPRoast is about retrieving crackable hashes from KRB5 AS-REP responses for users without kerberoast preauthentication enabled. This isn’t as useful as Kerberoasting, as accounts have to have DONT_REQ_PREAUTH explicitly set for them to be vulnerable and you’re still reliant upon weak password complexity for the attack to work. But who knows, might be the only weak point you need.

Before we dive in the attack you should probably read this :

Kerberos (I): How does Kerberos work? - TheoryTarlogic Security

Now, if you can enumerate accounts in a Windows domain that don’t require Kerberos preauthentication, you can easily request a piece of encrypted information for said accounts and efficiently crack the material offline, revealing the user’s password. To do that you need to :

1- send the KRB_AS_REQ to get the KRB_AS_REP with the encrypted information, to do so :

If you have username

GetNPUser.py domain/username -no-pass -dc-ip <ip> -request

If you don't have a username you can try

GetNPUser.py domain/ -no-pass -dc-ip <ip> -request

You should receive something like :

proceed to offline cracking by doing :

hashcat -m 18200 ticket wordlist

PS: This attack could be used in a post-compromise scenario but also in the initial attack vectors ;)

As this cheat sheet is not intended for a full detailed explanation but merely a refresh of what's available and mostly to rapidly find the right commands, i suggest you read more about the attack here :

Roasting AS-REPs - harmj0yharmj0y

PreviousToken impersonation NextKerberoasting

Last updated 4 years ago