AS-REP Roasting
AS-REP Roasting is a technique that targets Active Directory accounts whose user account control settings are configured to "Do not require Kerberos pre-authentication". Normally the KDC only returns an AS-REP after the client proves knowledge of the password in the AS-REQ (pre-authentication). For accounts with pre-authentication disabled, anyone who can reach the KDC can send an AS-REQ for that user and receive an AS-REP whose encrypted part is protected with a key derived from the user's password (for RC4-HMAC, the NT hash). That encrypted blob is not a password hash, but it can be taken offline and used to test candidate passwords until one decrypts it correctly, which is the same thing a cracking tool does.
Step 1: Enumerate Users
First, enumerate the users in the domain and save them to a file, one username per line. This can be done with the usual techniques, such as querying LDAP with valid credentials, harvesting names from SMB/RPC enumeration, or anonymous LDAP binds where they are still permitted. If you already hold valid domain credentials, GetNPUsers.py can skip the wordlist entirely: given a username and password it queries LDAP itself for accounts with the DONT_REQ_PREAUTH flag set and, with the -request option, fetches their AS-REPs in one step. The user list is only needed when you are unauthenticated.
Step 2: Retrieve AS-REP Ticket
After gathering the user list, you can use the GetNPUsers.py script from Impacket to request AS-REP tickets for each name in the list. Users that do require pre-authentication simply return a KDC_ERR_PREAUTH_REQUIRED error and are skipped; users that do not exist return KDC_ERR_C_PRINCIPAL_UNKNOWN, which also makes this a quiet way to confirm which names are valid. Note that every AS-REQ is logged on the domain controller (event ID 4768), so requesting tickets for a large list is noisy.
To output the result in John the Ripper format:
python3.9 /opt/impacket/examples/GetNPUsers.py -format john -dc-ip <DC_IP> <DOMAIN>/ -usersfile /tmp/users.txt
To output the result in Hashcat format:
python3.9 /opt/impacket/examples/GetNPUsers.py -format hashcat -dc-ip <DC_IP> <DOMAIN>/ -usersfile /tmp/users.txt
Step 3: Crack the AS-REP Ticket
After obtaining the ticket, use John the Ripper or Hashcat to recover the user's password offline. Impacket prefixes each line with $krb5asrep$ (with the encryption type number, 23 for RC4-HMAC, in the Hashcat variant), so John picks the krb5asrep format automatically and Hashcat needs mode 18200 (Kerberos 5, etype 23, AS-REP). GetNPUsers.py requests RC4 by default; if the domain only permits AES for the target account, the returned hash will be etype 17 or 18 and needs the corresponding AES AS-REP modes in your cracker rather than 18200. Because cracking happens entirely offline, it generates no further events on the domain controller; the only defensive signal is the 4768 events from the requests themselves, and the fix is to clear the "Do not require Kerberos pre-authentication" flag on affected accounts and give them long, random passwords.