AES-REP roasting is basically kerberoasting for regular user accounts. The only requirement to roast a user account is that Kerberos pre-authentication is disable.
(When pre-authentication is disabled, the authentication server will supply a ticket granting ticket and a session key automatically when requested, without first verifying the user. This data is then stored offline by the Windows machine for later decryption when the user with pre-authentication disabled logs in. But this means that all we need to do is to break the user’s NT hash!)
AS-REP Roasting Using Impacket
AS-REP roasting with Impacket
Impacket (via GetNPUsers.py) support AS-REP roasting. However, GetNPUsers.py requires that user accounts already be enumerated and roastable accounts identified.
When using GetNPUsers.py, specify the target as
Link to original${DOMAIN}/
(i.e., leave off the user-part).
AS-REP Roasting Using Rubeus
AS-REP roasting With Rubeus
To use Hashcat to crack the hashes obtained in this fashion, first insert
Link to original23$
after the leading$kerb5asrep$
(so$kerb5asrep$
→$kerb5asrep$23$
) and then use mode 18200.
Defenses
Basically the only mitigation for this attack is to keep pre-authentication enabled, though strong password policies can help.