AS-REP roasting is an attack on Kerberos in which the user's password is cracked offline from an AS-REP. Requesting an AS-REP directly is only possible for accounts that have pre-authentication disabled. As with TGS-REP roasting, the AS-REP can be cracked to obtain the user's plaintext password.
OPSEC warning
AS-REP roasting generates a 4768 event (ticket encryption type RC4, i.e. 0x17, and pre-authentication type 0).
Kibana:
event.code: 4768 and winlog.event_data.PreAuthType: 0 and winlog.event_data.TicketEncryptionType: 0x17
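The same three conditions applied to exported Winlogbeat events, as an added example that is not part of the original page. It goes beyond the single-event query by grouping matches per source address, so one host collecting AS-REPs for several accounts stands out. The sample events, the TargetUserName and IpAddress fields used for grouping, and the min_accounts threshold are assumptions.

```python
import json
from collections import defaultdict

def _ev(user, ip, preauth, etype, code="4768"):
    """Build one constructed Winlogbeat-style event as an NDJSON line."""
    return json.dumps({"event": {"code": code}, "winlog": {"event_data": {
        "TargetUserName": user, "IpAddress": ip,
        "PreAuthType": preauth, "TicketEncryptionType": etype}}})

# Constructed sample data; every account name and address is made up.
SAMPLE = "\n".join([
    _ev("svc_backup", "::ffff:10.0.0.50", "0", "0x17"),
    _ev("j.doe", "::ffff:10.0.0.50", "0", "0x17"),
    _ev("alice", "::ffff:10.0.0.21", "2", "0x12"),       # ordinary logon
    _ev("legacy_app", "::ffff:10.0.0.30", "0", "0x17"),  # lone hit
    _ev("bob", "::ffff:10.0.0.50", "0", "0x12"),         # no preauth, not RC4
    "truncated line, not JSON",
])

def matches(ev):
    """Same three conditions as the Kibana query."""
    data = ev.get("winlog", {}).get("event_data", {})
    return (str(ev.get("event", {}).get("code")) == "4768"
            and str(data.get("PreAuthType")) == "0"
            and str(data.get("TicketEncryptionType", "")).lower() == "0x17")

def matching_events(ndjson):
    """Parse NDJSON, skip unparseable lines, return events that match."""
    out = []
    for line in ndjson.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and matches(ev):
            out.append(ev)
    return out

def suspicious_sources(ndjson, min_accounts=2):
    """Map source IP -> accounts; min_accounts is an assumed threshold."""
    by_ip = defaultdict(set)
    for ev in matching_events(ndjson):
        data = ev["winlog"]["event_data"]
        by_ip[data.get("IpAddress", "unknown")].add(
            str(data.get("TargetUserName", "")).lower())
    return {ip: sorted(a) for ip, a in by_ip.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))
```

With min_accounts=1 every matching source is reported, which is equivalent to the per-event Kibana query.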
To find accounts vulnerable to AS-REP roasting (i.e. pre-authentication disabled) using ADSearch:
To obtain an AS-REP in hash format using Rubeus:
To crack the hash offline: