AS-REP Roasting

AS-REP roasting is a technique that allows retrieving password hashes for users that have the Do not require Kerberos preauthentication property selected:

Those hashes can then be cracked offline, similarly to how it's done in T1208: Kerberoasting.

Execution and cracking process

Gather AS-REP hashes using Rubeus

Run Rubeus to request AS-REP hashes for accounts without Kerberos preauthentication:

Rubeus (Windows)

Example output screenshot:

Prepare the hash for Hashcat and crack it

Example AS-REP hash returned:

raw AS-REP hash

Insert 23 after $krb5asrep$ to match Hashcat's expected format (for AES-256-CTS-HMAC-SHA1-96):

formatted for Hashcat

Crack with Hashcat (example using mask/wordlist attack):

Hashcat (Kali/Linux)

Example screenshots of successful cracking:

References

@xpn - Kerberos AD Attacks - More Roasting with AS-REP

PreviousKerberos: Silver Tickets NextKerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled

Last updated 2 months ago

hashtagGather AS-REP hashes using Rubeus

hashtagPrepare the hash for Hashcat and crack it

Gather AS-REP hashes using Rubeus

Prepare the hash for Hashcat and crack it