AS-REP roast → cracked user → Kerberoast → service-account admin

§ Context

Assumed environment: at least one account has DONT_REQUIRE_PREAUTH (UF_DONT_REQUIRE_PREAUTH) set, and at least one SPN-bearing service account uses a crackable password. Anonymous LDAP enumeration is allowed (or a single user is known).

§ Steps

1. 01
   KerberoastingCredential Access

   T1558.003— Kerberoasting

   GetUserSPNs.py -request <domain>/<user>

2. 02
   Dump LSASS / cached DA hashCredential Access

   T1003.001— LSASS Memory
3. 03
   Pivot via service accountInitial Access

   T1078— Valid Accounts

   Often a local admin on the target service host.

4. 04
   Authenticate as userInitial Access

   T1078— Valid Accounts
5. 05
   Crack TGS hashesCredential Access

   T1110— Brute Force

   hashcat -m 13100 — service-account passwords are often weaker than user passwords.

6. 06
   Offline hash crackCredential Access

   T1110— Brute Force

   hashcat -m 18200 -a 0 hashes.txt rockyou.txt

7. 07
   AS-REP RoastingCredential Access

   T1558.004— AS-REP Roasting

   GetNPUsers.py <domain>/ -no-pass -usersfile users.txt

8. 08
   User enumerationDiscovery

   T1087.002— Domain Account Discovery

   kerbrute userenum / rpcclient enumdomusers — list candidate accounts.

§ References

• T1558.003Kerberoasting
• T1003.001LSASS Memory
• T1078Valid Accounts
• T1110Brute Force
• T1558.004AS-REP Roasting
• T1087.002Domain Account Discovery

§ Frequently asked

What is the "AS-REP roast → cracked user → Kerberoast → service-account admin" attack path?

Anonymous attacker recovers a user password via AS-REP roasting, authenticates, kerberoasts a service account with weak password, and lands on a high-value server. It chains 8 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Kerberoasting (T1558.003) — a credential access primitive. Assumed environment: at least one account has DONT_REQUIRE_PREAUTH (UF_DONT_REQUIRE_PREAUTH) set, and at least one SPN-bearing service account uses a crackable password.

What is the final impact of this kill-chain?

The final step lands on User enumeration (T1087.002), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques2

  Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

  Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.

• Shared techniques2

  WPA2-PSK handshake capture + crack → LAN access

  Deauth a connected client to force re-association, capture the 4-way handshake with airodump-ng, crack the PSK offline with hashcat.

• Shared techniques2

  PMKID attack → offline crack with no client interaction

  WPA2 PMKID can be extracted from a single association attempt with the AP — no client needed. hcxdumptool + hashcat -m 22000 yields the PSK if it's weak.

• Shared techniques2

  Rogue DHCP → DNS poisoning → MITM

  Bring up a faster DHCP server on the segment; new clients get attacker as gateway + DNS — strip HTTPS, capture creds, inject payloads.

• Shared techniques2

  SQLi (UNION) → DB dump → admin login

  Discover a UNION-based SQL injection on a search/listing endpoint, enumerate the schema, dump the users table, and authenticate as an admin.

• Shared techniques2

  LAPS read → local admin on every endpoint

  A delegated 'helpdesk' group gains read access to ms-Mcs-AdmPwd. Compromising any member of that group cascades to local admin on every LAPS-managed machine.