> For the complete documentation index, see [llms.txt](https://ad-lab.gitbook.io/building-a-windows-ad-lab/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3.md).

# AS-REP Roasting

## Configuring

### Prerequisite&#x20;

{% content-ref url="/pages/fcJpYDAkCr8gq4FZdjWc" %}
[Password spraying](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/password-spraying.md)
{% endcontent-ref %}

### Configuring

1. Login on `DC02` with the username `Administrator` and password `Welcome01!`.
2. Open the "Active Directory Users and Computers" administration tool on `DC02`.

<div align="left"><img src="/files/QuHcgz1vNsz87bOEaoBb" alt=""></div>

3\. Click on "View" and enable "Advanced Features".

<div align="left"><img src="/files/99Qopmx6tPWWC5518zD0" alt=""></div>

4\. Open "Users", right click the user `banktest` and click on "Properties"

5\. Open "Account" and scroll to the bottom in "Account options", then select "Do not require kerberos preauthentication".

<div align="left"><img src="/files/YBmcTxVW5iwuP6kEODBX" alt=""></div>

6\. Click on "Apply" and "OK".

## Attacking

### How it works

When pre-authentication is not required, an attack can directly send a request for authentication. The KDC will return an encrypted TGT and the attacker can extract the hash and brute-force it offline.

### Tools

* [Crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec)

### Executing the attack

AS-REP roasting was already covered in the Initial Access Attacks section.&#x20;

{% content-ref url="/pages/fBAwcQwf43xhEL23msGy" %}
[AS-REP Roasting](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks/username-enumeration/as-rep-roasting.md)
{% endcontent-ref %}

But since we have a set of valid credentials of the domain now, we could request a list of all usernames and check for AS-REP roastable users. During the Initial Access AS-REP Roasting we used a example script from Impacket. But there are more tools that can accomplish the same thing, such as Crackmapexec.

1. Use the discovered credentials `john` and password `Welcome2022!` with crackmapexec to authenticate over ldap and AS-REP roast all roastable users.

```
crackmapexec ldap 10.0.0.3 -u john -p Welcome2022! --asreproast asreproast.txt
```

<div align="left"><img src="/files/l1JXT9cHB4EqwXGYtFlk" alt=""></div>

2\. We retrieved two hashes, one new one from `bankuser`. Lets crack it with hashcat and use the passwordlist we created earlier during the passwordspray. The hashcat parameters are:

* Crackingmode: `-a 0` for using a wordlist
* Hashmode: `-m 18200` for Kerberos 5, etype 23, AS-REP
* List with hashes: `asreproasting.txt`
* Passwords list: `passwords.txt`

```
hashcat -a 0 -m 18200 asreproast.txt passwords.txt
```

![](/files/gDWTgHTegH7Ti0h9ldA9)

We successfully cracked the password of the user `bankuser`, the password is `Bank2022!`.

## Defending

### Recommendations

* Periodically check for users that don't require pre-authentication and remove the attribute.

Check for users with the attribute:

```
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} | Select-Object samAccountName
```

Remove the attribute for a single user:

```
Set-ADAccountControl -DoesNotRequirePreAuth $false -Identity <USER>
```

Check for users with the attribute and remove it:

```
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} | Set-ADAccountControl -DoesNotRequirePreAuth $false
```

* If pre authenticatio is required. Use strong passwords (at least 32 characters).

### Detection

## References

{% embed url="<https://github.com/byt3bl33d3r/CrackMapExec>" %}
