AS-REP ROASTING
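Users with Kerberos Pre-Authentication disabled are exposed to AS-REP Roasting: the KDC returns an AS-REP to anyone who requests one for such an account, and part of that reply is encrypted with a key derived from the user's password, so the password can be attacked offline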
KERBEROS PRE-AUTH DISABLED
Enumerate domain users without Kerberos Pre-Authentication
PowerView
AS-REP Roasting for the specific user to get the crackable hash
ASREPRoast
KERBEROS PRE-AUTH NOT DISABLED
Kerberos Pre-Authentication is enabled by default
To perform AS-REP Roasting, Kerberos Pre-Auth must be disabled for the specific user
"GenericAll" or "GenericWrite" permission in the ACL of the user object is needed to modify its Kerberos Pre-Auth setting
The attacker should be part of the same AD object as the victim
Forcefully disabling the Kerberos Pre-Auth
Verifying the Kerberos Pre-Auth Property for the user
AS-REP Roasting for the specific user to get the crackable hash
ASREPRoast
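Seen from the defender's side, the same userAccountControl property can be audited. The Python below is an added example, not code from the original page: it lists enabled accounts with the "do not require pre-authentication" bit set, reports accounts where the bit appeared since a baseline, and picks out TGT requests (Security event 4768) made without pre-authentication. The snapshots, account names and events are constructed sample data, and the function names are hypothetical.

```python
# Added example: defensive audit for accounts exposed to AS-REP Roasting.
# Account names, addresses and events are constructed sample data.

UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # userAccountControl bit (decimal 4194304)


def preauth_disabled(uac: int) -> bool:
    """True when the account is enabled and does not require pre-authentication."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH) and not (uac & UF_ACCOUNTDISABLE)


def audit(baseline: dict, current: dict) -> dict:
    """Compare two {sAMAccountName: userAccountControl} snapshots.

    exposed       -> enabled accounts with the flag set now
    newly_exposed -> flag set now but absent in the baseline, i.e. someone
                     with write access to the object changed it
    """
    exposed = sorted(u for u, uac in current.items() if preauth_disabled(uac))
    newly = sorted(u for u in exposed
                   if not (baseline.get(u, 0) & UF_DONT_REQUIRE_PREAUTH))
    return {"exposed": exposed, "newly_exposed": newly}


def tgt_requests_without_preauth(events: list, exposed: list) -> list:
    """Event 4768 records with PreAuthType 0 that target an exposed account."""
    return [e for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == "0"
            and e["TargetUserName"] in exposed]


# 0x200 = NORMAL_ACCOUNT; old_temp also carries ACCOUNTDISABLE, so it is skipped.
BASELINE = {"alice": 0x200, "bob": 0x200, "svc_legacy": 0x400200, "old_temp": 0x400202}
CURRENT = {"alice": 0x200, "bob": 0x400200, "svc_legacy": 0x400200, "old_temp": 0x400202}
EVENTS = [
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.57"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.12"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.57"},
]

if __name__ == "__main__":
    report = audit(BASELINE, CURRENT)
    print(report)
    for e in tgt_requests_without_preauth(EVENTS, report["exposed"]):
        print(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
```

An account that turns up in `newly_exposed` with no change request behind it is worth investigating together with the ACL on that user object.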
CRACK