AS-REP Roast

Targeted Kerberoasting - AS-REPs

  • If a user's userAccountControl (UAC) has the "Do not require Kerberos preauthentication" flag set, the KDC will hand out an AS-REP (Authentication Service Response) for that user to anyone who asks. Part of that reply is encrypted with a key derived from the user's password, so it is possible to grab the user's crackable AS-REP and brute-force it offline.

  • With GenericWrite or GenericAll rights over a user object, Kerberos preauth can be forcibly disabled on that account as well.

Enumerate accounts with Kerberos Preauth disabled:
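The same enumeration is what a defender runs as an audit. The following is an added example, not code from the original page or from PowerView: it queries the directory over ADSI for every user whose userAccountControl carries the DONT_REQ_PREAUTH bit (0x400000, the documented value for "Do not require Kerberos preauthentication"), reports whether each hit is enabled, privileged (adminCount) and how old its password is, and includes a helper that clears the bit so the KDC demands preauth again. It assumes it runs on a domain-joined host as a user allowed to read the directory; the remediation helper additionally needs write access to the target object.

```powershell
# Added example (not from the original page): audit and remediate accounts that can be AS-REP roasted.
$DONT_REQ_PREAUTH = 0x400000   # 4194304, UAC bit "Do not require Kerberos preauthentication"
$ACCOUNTDISABLE   = 0x2

function Get-PreauthDisabledAccounts {
    param(
        # LDAP search base; defaults to the current domain's default naming context
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the filter
    # matches objects whose userAccountControl has the bit set, whatever else is set.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $filter
    $searcher.PageSize   = 1000   # paged results so large domains are fully enumerated
    [void]$searcher.PropertiesToLoad.AddRange(@(
        'sAMAccountName', 'distinguishedName', 'userAccountControl',
        'pwdLastSet', 'adminCount'))

    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        $pwdLastSet = $null
        if ($r.Properties['pwdlastset'].Count -gt 0) {
            $pwdLastSet = [datetime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
        }
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            Enabled           = -not [bool]($uac -band $ACCOUNTDISABLE)
            PreauthDisabled   = [bool]($uac -band $DONT_REQ_PREAUTH)
            # adminCount=1 marks accounts that are (or were) in protected groups: highest priority
            Privileged        = ($r.Properties['admincount'].Count -gt 0 -and
                                 [int]$r.Properties['admincount'][0] -eq 1)
            PasswordLastSet   = $pwdLastSet
        }
    }
}

# Remediation: clear the bit on one account so preauthentication is required again.
function Enable-KerberosPreauth {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    $uac  = [int]$user.Properties['userAccountControl'].Value
    if ($uac -band $DONT_REQ_PREAUTH) {
        $user.Properties['userAccountControl'].Value = $uac -band (-bnot $DONT_REQ_PREAUTH)
        $user.CommitChanges()
    }
}

# Report, most sensitive accounts first; enabled privileged accounts with old passwords top the list.
Get-PreauthDisabledAccounts |
    Sort-Object Privileged, Enabled -Descending |
    Format-Table SamAccountName, Enabled, Privileged, PasswordLastSet -AutoSize
```

Accounts that legitimately need the flag (some non-Windows Kerberos clients) should keep a long, random password and AES-only encryption types; everything else found here should have the flag cleared with `Enable-KerberosPreauth`.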

Force-disable Kerberos preauth and enumerate the ACL permissions that RDPUsers hold, using PowerView:

Request encrypted AS-REP for offline bruteforce.

Let's use ASREPRoast:

To enumerate all users with Kerberos preauth disabled and request a hash:

Finally, crack the hashes offline:
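Each AS-REP request in the procedure above leaves a Kerberos authentication ticket event (ID 4768) on the domain controller, and the roasting request is distinctive: pre-authentication type 0 (none) together with an RC4 ticket encryption type (0x17), which the tools ask for because RC4-encrypted AS-REPs are the cheap ones to crack. The following is an added detection example, not code from the original page or from ASREPRoast: it parses 4768 event XML into objects, flags requests matching that signature, and groups them by client address so one host requesting many accounts stands out. The two events embedded in the block are constructed for illustration; the field names (PreAuthType, TicketEncryptionType, TargetUserName, IpAddress, Status) are those of the real 4768 event schema.

```powershell
# Added example (not from the original page): hunt for AS-REP roasting in DC Security logs.

function ConvertFrom-KerberosTgtEvent {
    # Flatten one 4768 event (as XML) into a simple object.
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $data = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
            TargetUser     = $data['TargetUserName']
            ClientIp       = $data['IpAddress']
            # -1 when the field is absent, so a missing value is never mistaken for "no preauth"
            PreAuthType    = if ($data.ContainsKey('PreAuthType')) { [int]$data['PreAuthType'] } else { -1 }
            EncryptionType = $data['TicketEncryptionType']
            Status         = $data['Status']
        }
    }
}

function Test-AsRepRoastSignature {
    # PreAuthType 0 = no pre-authentication, 0x17 = RC4-HMAC, Status 0x0 = the KDC issued the reply.
    # A request that matches all three handed out crackable material without a password.
    param([Parameter(Mandatory, ValueFromPipeline)]$Request)
    process {
        if ($Request.PreAuthType -eq 0 -and
            $Request.EncryptionType -eq '0x17' -and
            $Request.Status -eq '0x0') { $Request }
    }
}

# Constructed sample events: one normal AES request with preauth, one roasting request.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$samples = @(
    [xml]@"
<Event xmlns="$ns"><System><EventID>4768</EventID>
  <TimeCreated SystemTime="2024-01-15T09:00:01.000Z"/></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">::ffff:10.0.0.25</Data>
  <Data Name="PreAuthType">2</Data><Data Name="TicketEncryptionType">0x12</Data><Data Name="Status">0x0</Data>
</EventData></Event>
"@,
    [xml]@"
<Event xmlns="$ns"><System><EventID>4768</EventID>
  <TimeCreated SystemTime="2024-01-15T09:00:02.000Z"/></System>
  <EventData><Data Name="TargetUserName">svc_legacy</Data><Data Name="IpAddress">::ffff:10.0.0.99</Data>
  <Data Name="PreAuthType">0</Data><Data Name="TicketEncryptionType">0x17</Data><Data Name="Status">0x0</Data>
</EventData></Event>
"@
)

$hits = $samples | ConvertFrom-KerberosTgtEvent | Test-AsRepRoastSignature
$hits | Format-Table Time, ClientIp, TargetUser, PreAuthType, EncryptionType -AutoSize

# Many distinct target accounts from one client in a short window indicates an enumeration run.
$hits | Group-Object ClientIp |
    Select-Object Name, Count, @{n='Accounts'; e={ ($_.Group.TargetUser | Sort-Object -Unique) -join ',' }}

# Against a live DC the same pipeline starts from the Security log, e.g. (replace DC01):
#   Get-WinEvent -ComputerName DC01 -FilterHashtable @{LogName='Security'; Id=4768} |
#       ForEach-Object { [xml]$_.ToXml() } | ConvertFrom-KerberosTgtEvent | Test-AsRepRoastSignature
```

Pair this with alerting on changes to userAccountControl on user objects (event 4738), since the force-disable step in the procedure above shows up there before any 4768 does, and with AES-only encryption types on any account that must keep preauth disabled, which removes the 0x17 reply entirely.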
