
# AS-REP Roasting

AS-REP Roasting is an attack against Kerberos that targets user accounts that do not require preauthentication. HarmJ0y's post explains it in thorough detail. Preauthentication is the first step in Kerberos authentication and is designed to prevent brute-force password-guessing attacks.

During preauthentication, the user's password is used to encrypt a timestamp; the domain controller then attempts to decrypt it to validate that the right password was used and that the request is not a replay of a previous one. From there the TGT is issued for the user to use for future authentication. If preauthentication is disabled, an attacker could request authentication data for any user and the DC would return an encrypted TGT that can be brute-forced offline.

**What's the risk?**

If we can enumerate accounts in a Windows domain that do not require Kerberos preauthentication, we can easily request a piece of encrypted information for those accounts and crack the material offline, gaining cleartext credentials.

**Attack**

Rubeus simplifies this attack with its `asreproast` parameter, which finds all users with the vulnerability and requests a ticket.

![](/files/-MXP5RlMGvBMDMLG5l-k)

We can see that our user John Constantine has preauthentication disabled. We can now copy this ticket over to our cracking tool (hashcat) and grab some cleartext credentials.

Be aware that a 23 needs to be added to our hash, as Rubeus does not do this for us:

`$krb5asrep$`**`23`**`$jconstantine@dominioncyber.local`

![](/files/-MXP5TQpouX2BbIAtiXT)

After a moment with hashcat and some added rules, we can see that our word list successfully cracked the password.
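
The same weakness from the defender's side, as an added example that is not part of the original notes: it audits a directory export for enabled accounts with the "do not require preauthentication" flag and groups Event ID 4768 records that were issued without preauthentication by source address. Every account other than `jconstantine`, and all addresses and event records, are constructed sample data.

```python
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"
ETYPE_RC4_HMAC = 0x17               # etype 23, the "23" in $krb5asrep$23$

# Constructed directory export: (sAMAccountName, userAccountControl)
ACCOUNTS = [
    ("jconstantine", 0x400200),  # normal account, preauth not required
    ("svc_backup", 0x410200),    # preauth not required, password never expires
    ("old_temp", 0x400202),      # preauth not required, but disabled
    ("adoe", 0x000200),          # normal account, preauth required
]

# Constructed Security log records for Event ID 4768 (TGT requested)
EVENTS = [
    {"EventID": 4768, "TargetUserName": "adoe", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"EventID": 4768, "TargetUserName": "jconstantine", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.66"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.66"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.30"},
]

def roastable_accounts(accounts):
    """Enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(
        name for name, uac in accounts
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE
    )

def no_preauth_requests(events):
    """Group 4768 events with PreAuthType 0 by source; note RC4 tickets."""
    by_source = {}
    for ev in events:
        if ev["EventID"] != 4768 or ev["PreAuthType"] != "0":
            continue
        entry = by_source.setdefault(ev["IpAddress"], {"users": set(), "rc4": False})
        entry["users"].add(ev["TargetUserName"].lower())
        entry["rc4"] |= int(ev["TicketEncryptionType"], 16) == ETYPE_RC4_HMAC
    return by_source

if __name__ == "__main__":
    print("Accounts to fix:", roastable_accounts(ACCOUNTS))
    # One source requesting RC4 tickets for several no-preauth accounts is the
    # pattern worth alerting on; a single known host per account is usually benign.
    for src, info in no_preauth_requests(EVENTS).items():
        print(src, sorted(info["users"]), "RC4" if info["rc4"] else "AES")
```

Accounts reported by `roastable_accounts` should have preauthentication re-enabled, or be given a long random password where the flag is genuinely required.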

