AS-REP Roast
If a user account's UAC (userAccountControl) setting has Kerberos preauthentication disabled, it is possible to obtain that user's AS-REP (Authentication Service Response), which is crackable, and brute-force it offline.
With GenericWrite or GenericAll rights over the account, Kerberos preauth can also be forcibly disabled.
Enumerate accounts with Kerberos Preauth disabled:
Force-disable Kerberos preauth, and enumerate the ACL permissions held by RDPUsers using PowerView:
Request the encrypted AS-REP for offline brute-forcing.
Let's use ASREPRoast:
To enumerate all users with Kerberos preauth disabled and request a hash:
Finally, crack the hashes offline:
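The defender-side counterpart to the two conditions above (the DONT_REQ_PREAUTH UAC bit, and AS-REPs issued without preauthentication), as an added Python example that is not part of the original notes or of ASREPRoast/PowerView. The account list and the 4768 event lines are constructed samples; the flattened `Field=value` layout of the events is an assumption about how your SIEM exports them.

```python
"""Defender-side checks for the AS-REP roasting conditions described in the notes above."""
import re

# userAccountControl bit that disables Kerberos preauthentication (DONT_REQ_PREAUTH).
DONT_REQ_PREAUTH = 0x400000

# Constructed sample: sAMAccountName -> userAccountControl, as a directory export might look.
SAMPLE_ACCOUNTS = {
    "alice": 0x200,                   # NORMAL_ACCOUNT
    "svc_legacy": 0x200 | 0x400000,   # NORMAL_ACCOUNT + DONT_REQ_PREAUTH (roastable)
    "bob": 0x10200,                   # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
}

def accounts_without_preauth(accounts):
    """Return account names whose UAC value has the DONT_REQ_PREAUTH bit set."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)

# Constructed sample of Security log 4768 (TGT requested) events, one flattened event per line.
# Field names mirror the 4768 event fields; the flat layout is an assumed SIEM export format.
SAMPLE_4768 = """\
EventID=4768 AccountName=alice PreAuthType=2 TicketEncryptionType=0x12 ResultCode=0x0 IpAddress=10.0.0.5
EventID=4768 AccountName=svc_legacy PreAuthType=0 TicketEncryptionType=0x17 ResultCode=0x0 IpAddress=10.0.0.99
EventID=4768 AccountName=bob PreAuthType=2 TicketEncryptionType=0x17 ResultCode=0x0 IpAddress=10.0.0.7
EventID=4769 AccountName=alice PreAuthType=0 TicketEncryptionType=0x12 ResultCode=0x0 IpAddress=10.0.0.5
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def suspicious_asrep_requests(log_text):
    """Flag successful 4768 events with PreAuthType 0: an AS-REP was issued with no password proof.
    RC4 (0x17) is noted separately because that encryption type is the cheapest to crack offline."""
    hits = []
    for line in log_text.splitlines():
        ev = dict(FIELD_RE.findall(line))
        if ev.get("EventID") != "4768" or ev.get("PreAuthType") != "0" or ev.get("ResultCode") != "0x0":
            continue
        hits.append({
            "account": ev["AccountName"],
            "source": ev["IpAddress"],
            "rc4": ev.get("TicketEncryptionType", "").lower() == "0x17",
        })
    return hits

if __name__ == "__main__":
    print("Accounts with preauth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    for h in suspicious_asrep_requests(SAMPLE_4768):
        print(f"AS-REP without preauth for {h['account']} from {h['source']} (RC4: {h['rc4']})")
```

Accounts reported by `accounts_without_preauth` are the ones to fix (re-enable preauth or move them to AES-only, long-random passwords); hits from `suspicious_asrep_requests` for any account that should not be roastable point at the source address to investigate.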