AS-REP Roasting
Although rare, once in a while you will find a user that does not require Kerberos Pre-Authentication in order to access a service.
If you discover users with Pre-Auth disabled, you can grab their hashes, crack them, and then request tickets if you have the privileges to access particular services.
Steps to AS-REP Roast
Step 1 - Discover AS-REP Roastable Users
From PowerShell
Step 2 - Grabbing the User Hashes
From PowerShell
Linux
Step 3 - Cracking the Hashes
Note: make sure the hash ETYPE is 23 and not 18; otherwise Hashcat cannot crack it. Also make sure 23 is in the hash like so; otherwise you may have to add it manually before cracking:
If you used kerbrute, you can use the --downgrade option to obtain the ETYPE 23 hash.
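The defender's view of Steps 2 and 3, as an added example that is not part of the original page: a domain controller logs each issued TGT as Event ID 4768, where PreAuthType 0 means no pre-authentication data was supplied and TicketEncryptionType 0x17 is ETYPE 23. The one-JSON-object-per-line export shape, the sample records, the function names and the severity labels are assumptions made for this example.

```python
import json
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the type the page says to check for

# Constructed 4768 records, one JSON object per line (export shape is assumed).
SAMPLE_EVENTS = """\
{"EventID": 4768, "TargetUserName": "alice", "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.21"}
{"EventID": 4768, "TargetUserName": "svc_backup", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.99"}
{"EventID": 4768, "TargetUserName": "legacy_app", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.99"}
{"EventID": 4769, "TargetUserName": "bob", "Status": "0x0", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.30"}
{"EventID": 4768, "TargetUserName": "ghost", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:10.0.0.99"}
not-json debris line
"""

def parse_int(value):
    """Parse '0x17' or '23' style fields; None for '-', missing or junk."""
    try:
        return int(str(value), 0)
    except ValueError:
        return None

def find_no_preauth_tgts(text):
    """Return successful TGT issuances (4768) made without pre-authentication."""
    findings = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in the export
        if not isinstance(ev, dict) or ev.get("EventID") != 4768:
            continue
        # Status 0x0 = ticket issued; PreAuthType 0 = no pre-auth data supplied.
        if parse_int(ev.get("Status")) != 0 or parse_int(ev.get("PreAuthType")) != 0:
            continue
        etype = parse_int(ev.get("TicketEncryptionType"))
        findings.append({"user": ev.get("TargetUserName"), "source": ev.get("IpAddress"),
                         "etype": etype,
                         "severity": "high" if etype == RC4_HMAC else "medium"})
    return findings

def sources_with_multiple_accounts(findings):
    """One source requesting no-pre-auth TGTs for several accounts looks like a sweep."""
    by_source = defaultdict(set)
    for f in findings:
        by_source[f["source"]].add(f["user"])
    return {src: sorted(users) for src, users in by_source.items() if len(users) > 1}

if __name__ == "__main__":
    hits = find_no_preauth_tgts(SAMPLE_EVENTS)
    print(hits, sources_with_multiple_accounts(hits))
```

Accounts that show up here for a legitimate reason are the ones to review for re-enabling pre-authentication.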
If You Would Like to Disable Preauth on a User
This can be useful if you have permissions on other users.