AES-REP roasting is basically kerberoasting for regular user accounts. The only requirement to roast a user account is that Kerberos pre-authentication is disable.

(When pre-authentication is disabled, the authentication server will supply a ticket granting ticket and a session key automatically when requested, without first verifying the user. This data is then stored offline by the Windows machine for later decryption when the user with pre-authentication disabled logs in. But this means that all we need to do is to break the user’s NT hash!)

AS-REP Roasting Using Impacket

AS-REP roasting with Impacket

Impacket (via GetNPUsers.py) support AS-REP roasting. However, GetNPUsers.py requires that user accounts already be enumerated and roastable accounts identified.

When using GetNPUsers.py, specify the target as ${DOMAIN}/ (i.e., leave off the user-part).

Link to original

AS-REP Roasting Using Rubeus

AS-REP roasting With Rubeus

# AS-REP roasting with Rubeus.
#
Rubeus.exe asreproast

To use Hashcat to crack the hashes obtained in this fashion, first insert 23$ after the leading $kerb5asrep$ (so $kerb5asrep$$kerb5asrep$23$) and then use mode 18200.

Link to original

Defenses

Basically the only mitigation for this attack is to keep pre-authentication enabled, though strong password policies can help.