AS-REP Roasting

AS-REP Roasting targets accounts for which pre-authentication is disabled. This means DONT_REQUIRE_PREAUTH is enabled for the account, and the DC skips the verification step. Event 4768 is logged with Pre_Authentication_Type=0, and events 4769 and 4624 are never triggered. A service can be requested without any password check.

AS-REP Roasting dumps user accounts that do not have pre-authentication enabled. This is somewhat similar to Kerberoasting but includes user accounts as well.
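The event pattern described above can be turned into a detection rule. The following is an added example, not part of the original compendium: it flags 4768 events with pre-authentication type 0 that are not followed by a 4769 or 4624 for the same account and source, then groups the hits by source address. The flattened `key=value` log format, the field names, the sample events and the 60-second window are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real logs); field names are assumed.
SAMPLE_EVENTS = """\
ts=100 id=4768 user=alice ip=10.0.0.5 preauth=2
ts=101 id=4769 user=alice ip=10.0.0.5
ts=102 id=4624 user=alice ip=10.0.0.5
ts=200 id=4768 user=svc_backup ip=10.0.0.66 preauth=0
ts=201 id=4768 user=legacy_app ip=10.0.0.66 preauth=0
ts=300 id=4768 user=kiosk ip=10.0.0.7 preauth=0
ts=302 id=4769 user=kiosk ip=10.0.0.7
ts=303 id=4624 user=kiosk ip=10.0.0.7
"""

def parse(text):
    """Turn 'key=value' lines into dicts with integer ts and id."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = int(fields["ts"])
        fields["id"] = int(fields["id"])
        events.append(fields)
    return events

def suspicious_as_req(events, window=60):
    """4768 with preauth type 0 and no 4769/4624 from the same
    user and source within `window` seconds afterwards."""
    follow_ups = defaultdict(list)
    for e in events:
        if e["id"] in (4769, 4624):
            follow_ups[(e["user"], e["ip"])].append(e["ts"])
    hits = []
    for e in events:
        if e["id"] == 4768 and e.get("preauth") == "0":
            later = follow_ups[(e["user"], e["ip"])]
            if not any(0 <= t - e["ts"] <= window for t in later):
                hits.append(e)
    return hits

def by_source(hits):
    """Group flagged accounts per source IP; several accounts from
    one address is the stronger signal."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["ip"]].add(h["user"])
    return {ip: sorted(users) for ip, users in grouped.items()}
```

In the sample, `kiosk` also has pre-authentication disabled but goes on to request a service ticket and log on, so only the two accounts requested from `10.0.0.66` are reported.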

Usage

Impacket provides GetNPUsers to check for user accounts without pre-authentication and find credentials.

```sh
impacket-GetNPUsers $TARGET_DOMAIN/ -dc-ip $TARGET_DC_IP -usersfile $USERS_FILE -format hashcat -outputfile hashes.txt -no-pass
```