AS-REP roasting is basically kerberoasting for regular user accounts. The only requirement to roast a user account is that Kerberos pre-authentication is disabled.
(When pre-authentication is disabled, the authentication server will supply a ticket granting ticket and a session key automatically when requested, without first verifying the user. This data is then stored offline by the Windows machine for later decryption when the user with pre-authentication disabled logs in. But this means that all we need to do is to break the user’s NT hash!)
Impacket
AS-REP roasting with Impacket
Impacket (via GetNPUsers.py) supports AS-REP roasting. However, GetNPUsers.py requires that user accounts already be enumerated and roastable accounts identified.
When using GetNPUsers.py, specify the target as ${DOMAIN}/ (i.e., leave off the user-part).
Rubeus
AS-REP roasting with Rubeus
To use Hashcat to crack the hashes obtained in this fashion, first insert 23$ after the leading $krb5asrep$ (so $krb5asrep$ → $krb5asrep$23$) and then use mode 18200.
Defenses
Basically the only mitigation for this attack is to keep pre-authentication enabled, though strong password policies can help.
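To check that mitigation in practice, the following added example (not part of the original notes) audits a directory export for accounts whose userAccountControl has the "do not require Kerberos pre-authentication" bit (0x400000) set. The LDIF sample, the account names and the function names are constructed for illustration.

```python
import re

UF_ACCOUNTDISABLE = 0x0002          # account is disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed sample export (attribute names as they appear in an AD LDIF dump).
SAMPLE_LDIF = """\
dn: CN=Alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=Legacy Svc,CN=Users,DC=example,DC=test
sAMAccountName: legacysvc
userAccountControl: 4260352

dn: CN=Old Temp,CN=Users,DC=example,DC=test
sAMAccountName: oldtemp
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated record."""
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and lines that are not "attr: value"
            key, value = line.split(": ", 1)
            record[key.strip().lower()] = value.strip()
        if record:
            yield record

def find_no_preauth(text):
    """Return accounts with pre-authentication disabled, noting whether each is enabled."""
    findings = []
    for rec in parse_ldif(text):
        try:
            uac = int(rec["useraccountcontrol"])
        except (KeyError, ValueError):
            continue  # not a user object, or the attribute is malformed
        if uac & UF_DONT_REQUIRE_PREAUTH:
            name = rec.get("samaccountname", rec.get("dn", "?"))
            findings.append({"account": name, "enabled": not uac & UF_ACCOUNTDISABLE})
    return findings

if __name__ == "__main__":
    for f in find_no_preauth(SAMPLE_LDIF):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['account']}: pre-authentication not required ({state} account)")
```

Enabled accounts in the output are the ones to fix first; disabled ones should still have the flag cleared so they are not exposed if re-enabled.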