# AS-REP Roasting (Cleanin)

### What is AS-REP Roasting?

Remember preauthentication from the Kerberos flow? That's exactly what this attack abuses, or rather its absence.

By default, when a client sends an AS-REQ to the Authentication Server (the AS half of the KDC), it must include a timestamp encrypted with a key derived from the user's password (for RC4 that key is simply the NT hash). This is Kerberos preauthentication (PA-ENC-TIMESTAMP): the AS decrypts the timestamp and only issues a TGT if it is valid and recent, which proves the requester knows the password. Without it, anyone could send an AS-REQ for any username and get a response back.

But some accounts have preauthentication disabled, specifically the **"Do not require Kerberos preauthentication"** flag on the user object (the `DONT_REQ_PREAUTH` bit, 0x400000, in `userAccountControl`). When it is set, the AS answers any AS-REQ for that account without first checking that the requester knows the password.

And here's the dessert: the AS-REP carries an enc-part encrypted with the user's key, that is, with material derived from the password. Nothing in it is readable without the password, but it is a perfect offline oracle. We save it in hashcat/john format and crack it offline with tools like hashcat, with no further contact with the DC and no lockouts.

#### Who can be vulnerable?

Any user account with "Do not require Kerberos preauthentication" enabled. Admins sometimes set it deliberately for legacy applications or non-Windows Kerberos clients, or it gets left on by accident. In most environments only a handful of accounts have it, but it only takes one with a weak password.
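If you already hold any domain credentials you can list the candidates over LDAP before sending a single AS-REQ: the checkbox sets bit 0x400000 (`UF_DONT_REQUIRE_PREAUTH`) in `userAccountControl`, so the filter `(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))` returns exactly those accounts (`Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'` on a domain-joined box does the same). The block below is an added example, not code from this page or from Impacket: it reads constructed ldapsearch-style LDIF output (the three entries are invented, not from a real domain) and separates accounts that will actually hand over an AS-REP from ones that are disabled, which the KDC refuses with `KDC_ERR_CLIENT_REVOKED` instead of an AS-REP.

```python
# userAccountControl bits relevant to AS-REP roasting
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # the "Do not require Kerberos preauthentication" checkbox

# Constructed LDIF in the shape ldapsearch prints; invented entries, not output from a real domain.
SAMPLE_LDIF = """\
dn: CN=FSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: fsmith
userAccountControl: 4260352

dn: CN=svc_legacy,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: svc_legacy
userAccountControl: 4194818

dn: CN=Administrator,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: administrator
userAccountControl: 66048
"""


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: entries are separated by blank lines, attributes are 'name: value'."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(": ")
        current[name] = value
    if current:
        entries.append(current)
    return entries


def asrep_candidates(ldif_text: str) -> dict:
    """Split preauth-disabled accounts into ones the KDC will roast and ones it will refuse (disabled)."""
    result = {"roastable": [], "disabled": []}
    for entry in parse_ldif(ldif_text):
        uac = int(entry.get("userAccountControl", "0"))
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue  # preauth enforced: an AS-REQ without PA-DATA gets KDC_ERR_PREAUTH_REQUIRED
        bucket = "disabled" if uac & UF_ACCOUNTDISABLE else "roastable"
        result[bucket].append(entry["sAMAccountName"])
    return result


if __name__ == "__main__":
    print(asrep_candidates(SAMPLE_LDIF))  # {'roastable': ['fsmith'], 'disabled': ['svc_legacy']}
```

In the sample, `fsmith` (0x410200: normal account, password never expires, no preauth) is the one worth roasting; `svc_legacy` has the same flag but is disabled (0x400202), so asking the KDC for it only produces noise in the security log.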

#### How to detect & exploit?

GetNPUsers.py (Impacket):

How GetNPUsers.py works: it builds an AS-REQ without any PA-DATA (no encrypted timestamp), sends it to the KDC for each username in the list, and classifies the reply:

- `KDC_ERR_PREAUTH_REQUIRED` (error code 25): the account exists but preauthentication is enforced, so it is not vulnerable;
- `KDC_ERR_C_PRINCIPAL_UNKNOWN` (error code 6): no such user, which makes the same tool a handy username enumerator;
- `KDC_ERR_CLIENT_REVOKED` (error code 18): the account is disabled or locked out, so no hash either;
- an AS-REP: preauthentication is disabled, and its enc-part is what gets written out as the crackable hash.

If you already have domain credentials, drop `-usersfile` and `-no-pass`, pass `DOMAIN/user:password` and add `-request`; the tool then pulls the list of preauth-disabled users over LDAP itself.

```
 GetNPUsers.py -no-pass  -usersfile user.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.129.95.180 'EGOTISTICAL-BANK.LOCAL/'
```

<figure><img src="/files/puqsZ35h30rfMw86OrVm" alt=""><figcaption></figcaption></figure>

The `$krb5asrep$23$` prefix tells you the etype: 23 is RC4-HMAC, whose key is just the NT hash (an unsalted MD4 of the UTF-16LE password), so candidate passwords can be tested extremely fast. GetNPUsers.py asks for RC4 first and only falls back to AES if the KDC refuses it with `KDC_ERR_ETYPE_NOSUPP`. Some environments enforce AES-only Kerberos; the roast then comes back as `$krb5asrep$17$` (AES128) or `$krb5asrep$18$` (AES256), where the key is derived with PBKDF2 (4096 iterations, salted with realm and username), which makes cracking orders of magnitude slower and needs a different hashcat mode. (`$krb5tgs$18$` is the AES-256 Kerberoasting format, a different attack on TGS-REPs.) RC4 is the weak one; always check the hash prefix before you start.

Crack offline with hashcat: the mode for `$krb5asrep$23$` is 18200 (for the AES etypes 17/18 use 32100), and john recognises the same lines as the `krb5asrep` format.

