AS-REP roasting targets Active Directory accounts that have the DONT_REQ_PREAUTH flag set in their userAccountControl attribute. Because the KDC returns an AS-REP without verifying the caller’s identity first, anyone on the network can request one and receive a response whose encrypted portion is derived from the account’s password. Rubeus enumerates vulnerable accounts via LDAP and issues AS-REQs for each, outputting the resulting hashes in Hashcat or John the Ripper format for offline cracking — no elevated privileges required.
Flag Reference
Target a specific user account instead of enumerating all vulnerable accounts, e.g. /user:jsmith or /user:corp.local\jsmith. When a domain prefix is included it overrides /domain. Supplying /user avoids the LDAP enumeration step entirely.

Domain to query for pre-auth-disabled accounts, e.g. /domain:corp.local. Defaults to the current machine’s DNS domain when omitted.

Domain controller to send AS-REQs and LDAP queries to, e.g. /dc:DC01.corp.local. Defaults to the domain’s default DC.

Restrict LDAP enumeration to a specific Organizational Unit, e.g. /ou:"OU=Users,DC=corp,DC=local". Only accounts within that OU are considered.

Use LDAPS (port 636) instead of plain LDAP (port 389) for account enumeration. Use when standard LDAP is firewalled or when an encrypted channel is required.

Alternate domain account to authenticate LDAP enumeration with, e.g. /creduser:corp.local\svcBackup. Must be in domain\user format. Requires /credpassword.

Password for the alternate credential user specified with /creduser, e.g. /credpassword:P@ssw0rd. Both flags must be supplied together.

Append a custom LDAP filter to the base enumeration query, e.g. /ldapfilter:'admincount=1'. The filter is ANDed with the default pre-auth enumeration filter, allowing precise targeting of a subset of accounts.

Request DES-encrypted AS-REP responses instead of the default RC4. DES support is rare in modern environments but may be needed against legacy domain configurations.

Request AES-encrypted AS-REP responses. Produces AES-based hashes rather than the default RC4 (etype 23). Useful when accounts only support AES or when you need AES hashes specifically.

Output format for the extracted hashes. Accepted values are hashcat and john. Defaults to john when omitted. Use hashcat to produce $krb5asrep$23$... prefixed hashes directly consumable by Hashcat mode 18200.

Write extracted hashes to a file instead of (or in addition to) console output, e.g. /outfile:asrep_hashes.txt. Each hash is written on its own line.

Prevent base64 blobs from being line-wrapped at 80 characters in the console output. Useful when copying output for downstream tools.
Usage Examples
Rubeus enumerates pre-auth-disabled accounts via an LDAP query against the target domain, so valid domain credentials are required for the enumeration phase. If you already know which account is vulnerable, supply /user:TARGET directly — this issues the AS-REQ immediately without any LDAP query, and works even from an unauthenticated context (e.g. from outside the domain with /dc pointing at a reachable KDC).
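
On the detection side, a domain controller with Kerberos Authentication Service auditing enabled records each TGT request as Security event 4768, and a reply issued to an account with DONT_REQ_PREAUTH carries PreAuthType 0. The following is an added example, not part of the Rubeus documentation or code base: it filters such events and groups them by source to separate a single-account request from a sweep across several accounts. The JSON-lines export shape, the sample records and the three-account threshold are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: Security event 4768 (TGT requested) records exported as
# JSON lines, reduced to the EventData fields used below. Names/IPs are made up.
SAMPLE_EVENTS = """
{"TargetUserName":"alice","IpAddress":"::ffff:10.0.0.21","Status":"0x0","TicketEncryptionType":"0x12","PreAuthType":"2"}
{"TargetUserName":"svc_legacy","IpAddress":"::ffff:10.0.0.50","Status":"0x0","TicketEncryptionType":"0x17","PreAuthType":"0"}
{"TargetUserName":"jsmith","IpAddress":"::ffff:10.0.0.50","Status":"0x0","TicketEncryptionType":"0x17","PreAuthType":"0"}
{"TargetUserName":"backup01","IpAddress":"::ffff:10.0.0.50","Status":"0x0","TicketEncryptionType":"0x17","PreAuthType":"0"}
{"TargetUserName":"kiosk","IpAddress":"::ffff:10.0.0.77","Status":"0x0","TicketEncryptionType":"0x12","PreAuthType":"0"}
{"TargetUserName":"bob","IpAddress":"::ffff:10.0.0.50","Status":"0x6","TicketEncryptionType":"0xffffffff","PreAuthType":"-"}
"""

# Non-AES encryption types as recorded in the event (DES and RC4, etype 23).
WEAK_ETYPES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x17: "RC4-HMAC"}

def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def tgt_issued_without_preauth(events):
    """Successful 4768 events where the KDC answered with PreAuthType 0."""
    hits = []
    for ev in events:
        if int(ev["Status"], 16) != 0 or ev["PreAuthType"] != "0":
            continue  # failed request, or pre-authentication was performed
        etype = int(ev["TicketEncryptionType"], 16)
        hits.append({"user": ev["TargetUserName"].lower(),
                     "source": ev["IpAddress"],
                     "weak_etype": WEAK_ETYPES.get(etype)})
    return hits

def sources_sweeping_accounts(hits, min_accounts=3):
    """Sources that obtained pre-auth-less replies for several distinct accounts."""
    per_source = defaultdict(set)
    for hit in hits:
        per_source[hit["source"]].add(hit["user"])
    return {src: sorted(users) for src, users in per_source.items()
            if len(users) >= min_accounts}

if __name__ == "__main__":
    hits = tgt_issued_without_preauth(parse_events(SAMPLE_EVENTS))
    for hit in hits:
        print(hit)
    print("sweeps:", sources_sweeping_accounts(hits))
```

Any hit is also an inventory finding: the named account has pre-authentication disabled, which is the setting to remove or to compensate for with a long random password.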