Skip to main content

AS-REP Roasting (Internal/External)

AS-REP Roasting

If Kerberos pre-authentication is disabled on a user account in Active Directory, this will enable an attacker to forge a request for a TGT as this specific user. This is because, pre-authentication -- when enabled -- requires the user to hash the timestamp using said user's password in the initial TGT request. With this option disabled -- and no hashing of the timestamp required in the TGT -- an attacker can spoof the request as the target user.

What's the Danger?

If pre-authentication is disabled, the TGT returned by Kerberos is hashed using the target user's password. If a weak cipher is being used or if the user has set a particularly weak password, an attacker could easily crack the hash and reveal the user's plaintext password. -usersfile users.txt -no-pass -dc-ip dc-ip-here domain.tld/
# Crack the hash
john --wordlist=rockyou.txt hash.txt

If successfully cracked, this plaintext password could be leveraged to enumerate additional information about the domain; or used in additional attacks depending on the user privilege level.