# ASREPRoast

ASREPRoast is about retrieving crackable hashes from KRB5 AS-REP responses for users without Kerberos preauthentication enabled. This isn’t as useful as Kerberoasting, as accounts have to have [DONT\_REQ\_PREAUTH](https://support.microsoft.com/en-us/kb/305144) explicitly set for them to be vulnerable and you’re still reliant upon weak password complexity for the attack to work. But who knows, it might be the only weak point you need.

Before we dive into the attack, you should probably read this:

{% embed url="<https://www.tarlogic.com/en/blog/how-kerberos-works/>" %}

Now, if you can enumerate accounts in a Windows domain that don’t require Kerberos preauthentication, you can easily request a piece of encrypted information for said accounts and efficiently crack the material offline, revealing the user’s password. To do that you need to:

1- Send the **KRB\_AS\_REQ** to get the **KRB\_AS\_REP** with the encrypted information. To do so:

* If you have a username

```
GetNPUsers.py domain/username -no-pass -dc-ip <ip> -request
```

* If you don't have a username, you can try

```
GetNPUsers.py domain/ -no-pass -dc-ip <ip> -request
```

You should receive something like:

![AS-REP](https://782540430-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LzBjY2lU8TBX2McCswT%2F-M4k-I1pVJxTZS3CCVQK%2F-M4kIRBuiC7KMm81mGFe%2Fimage.png?alt=media\&token=cadcd3fb-cf3d-4f08-970b-42dd66bbda0a)

Then proceed to offline cracking:

```
hashcat -m 18200 ticket wordlist
```

**PS:** This attack could be used in a post-compromise scenario but also as an initial attack vector ;)

This cheat sheet is not intended as a full detailed explanation, but merely as a refresher of what's available and a way to rapidly find the right commands, so I suggest you read more about the attack here:

{% embed url="<https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/>" %}
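
From the defensive side, the precondition described above (DONT\_REQ\_PREAUTH explicitly set) can be audited directly. The following is an added example, not part of the original cheat sheet or any referenced project: it assumes an LDIF export of user objects containing `sAMAccountName` and `userAccountControl` in plain (non-base64) form, and the function names and sample data are constructed for illustration.

```python
# Added example: flag accounts exposed to AS-REP roasting in an LDIF export.
# SAMPLE_LDIF is constructed sample data, not output from a real domain.

UF_ACCOUNTDISABLE = 0x00000002    # account is disabled
UF_DONT_REQ_PREAUTH = 0x00400000  # "Do not require Kerberos preauthentication"

SAMPLE_LDIF = """\
dn: CN=Alice,CN=Users,DC=example,DC=local
sAMAccountName: alice
userAccountControl: 512

dn: CN=Legacy Svc,CN=Users,DC=example,DC=local
sAMAccountName: svc_legacy
userAccountControl: 4260352

dn: CN=Old Temp,CN=Users,DC=example,DC=local
sAMAccountName: old_temp
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Yield one dict of attribute -> value per blank-line separated entry."""
    entry = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if entry:
                yield entry
                entry = {}
        elif not line.startswith("#") and ": " in line:
            key, value = line.split(": ", 1)
            entry[key.lower()] = value.strip()


def find_roastable(ldif_text):
    """Return (enabled, disabled) account names that have DONT_REQ_PREAUTH set."""
    enabled, disabled = [], []
    for entry in parse_ldif(ldif_text):
        try:
            uac = int(entry["useraccountcontrol"])
        except (KeyError, ValueError):
            continue  # entry has no usable userAccountControl value
        if uac & UF_DONT_REQ_PREAUTH:
            name = entry.get("samaccountname", entry.get("dn", "?"))
            (disabled if uac & UF_ACCOUNTDISABLE else enabled).append(name)
    return enabled, disabled


if __name__ == "__main__":
    print(find_roastable(SAMPLE_LDIF))
```

Enabled accounts in the first list are the ones to fix first: clear the flag where it is not needed, and give any account that must keep it a long random password.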


