Description
Performs AS-REP roasting to extract hashes for accounts without Kerberos pre-authentication.
Overview
Performs AS-REP roasting against accounts that do not require Kerberos pre-authentication. Extracts encrypted AS-REP data that can be cracked offline to recover plaintext passwords. Can target specific users or enumerate vulnerable accounts via LDAP.
Arguments
| Parameter | Type | Description |
|---|---|---|
| User | string | The specific user to target. If omitted, enumerates all vulnerable accounts. |
| Domain | string | The target domain. Defaults to the current domain. |
| DC | string | The domain controller to target. |
| OU | string | The OU to search within. |
| Format | string | The hash output format (Hashcat or John). |
| CredUser | string | Username of the alternate credentials used for LDAP queries. |
| CredPassword | string | Password of the alternate credentials used for LDAP queries. |
Additional Parameters
- LdapFilter: Custom LDAP filter for user enumeration.
- Ldaps: Use LDAPS instead of LDAP.
- AES: Request AES encrypted AS-REP.
- DES: Request DES encrypted AS-REP.
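For defenders, the following added example (not part of this tool or its documentation) shows one way to spot the requests this command generates: it filters domain controller Security event 4768 records for TGTs issued without pre-authentication, labels the encryption type (which the AES and DES options above change), and groups hits by source address. Field names follow the 4768 event schema; the sample events, account names, addresses and the threshold are constructed assumptions.

```python
from collections import defaultdict

# TicketEncryptionType values as logged in Security event 4768.
ETYPES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x11: "AES128",
          0x12: "AES256", 0x17: "RC4-HMAC"}
WEAK = {0x1, 0x3, 0x17}  # DES and RC4: cheapest to attack offline

def _ev(event_id, user, preauth, etype, status, ip):
    return {"EventID": event_id, "TargetUserName": user, "PreAuthType": preauth,
            "TicketEncryptionType": etype, "Status": status, "IpAddress": ip}

# Constructed sample events; every name and address is made up.
SAMPLE_EVENTS = [
    _ev(4768, "svc_backup", "0", "0x17", "0x0", "::ffff:10.0.5.23"),
    _ev(4768, "j.doe", "2", "0x12", "0x0", "::ffff:10.0.5.40"),  # normal logon
    _ev(4768, "legacy_app", "0", "0x12", "0x0", "::ffff:10.0.5.23"),
    _ev(4768, "old_scanner", "0", "0x3", "0x0", "10.0.7.9"),
    _ev(4768, "nosuchuser", "-", "0xffffffff", "0x6", "::ffff:10.0.5.23"),  # failed
]

def find_preauthless_tgts(events):
    """Successful 4768 events where a TGT was issued without pre-authentication."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") != "0":  # "0" = logon without pre-authentication
            continue
        etype = int(ev["TicketEncryptionType"], 16)
        ip = ev["IpAddress"]
        hits.append({
            "user": ev["TargetUserName"],
            "source": ip[7:] if ip.startswith("::ffff:") else ip,
            "etype": ETYPES.get(etype, hex(etype)),
            "weak_etype": etype in WEAK,
        })
    return hits

def sources_with_many_accounts(hits, threshold=2):
    """Sources that obtained such TGTs for at least `threshold` distinct users."""
    users = defaultdict(set)
    for h in hits:
        users[h["source"]].add(h["user"])
    return {s: sorted(u) for s, u in users.items() if len(u) >= threshold}

if __name__ == "__main__":
    found = find_preauthless_tgts(SAMPLE_EVENTS)
    print(found, sources_with_many_accounts(found), sep="\n")
```

Any account that appears in the output is worth reviewing, since requiring pre-authentication on it removes the exposure entirely.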
Dependencies
- AD
Operating Systems
- Windows
