AS-REP Roasting Attack
Definition
AS-REP Roasting is an attack against Kerberos that targets user accounts which do not require pre-authentication. Pre-authentication is the step in the Kerberos AS exchange where the client proves knowledge of the password before the KDC returns anything encrypted with the user's key; it exists to stop offline brute-force password guessing.
Theory & Background
During pre-authentication the client derives a key from the user's password, encrypts the current timestamp with it and sends the result to the domain controller inside the AS-REQ. The domain controller decrypts the timestamp with its own copy of the user's key and, if it is valid and recent, issues a TGT in the AS-REP that the user presents in later ticket requests.
The AS-REP has two encrypted parts: the TGT itself, encrypted with the KRBTGT account's key, and the enc-part (image 2), which carries the session key and is encrypted with the user's long-term key; for RC4-HMAC (etype 23) that key is the user's NT hash. If pre-authentication is not required, anyone who can reach the DC can send an AS-REQ naming that user, without knowing the password, and receive this encrypted material, which can then be cracked offline to recover the password. An authenticated but otherwise unprivileged domain user can enumerate the accounts with this setting using the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=4194304), where 4194304 (0x400000) is the DONT_REQ_PREAUTH flag. Without credentials the attacker first has to obtain or guess usernames.
Luckily, pre-authentication is required by default in Active Directory. It is controlled per account by the 'Do not require Kerberos preauthentication' flag in userAccountControl, so a single misconfigured account (typically an old service or application account set up for a client that could not do pre-authentication) is enough to give an attacker something to crack.
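As an added example (not part of the original page), the following Python builds the LDAP filter above and applies the same bit test to userAccountControl values as a directory search would return them. It also excludes disabled accounts, which the bare filter does not: the KDC refuses them with KDC_ERR_CLIENT_REVOKED, so they only add noise to the roasting run. The sample user list is constructed; only the lab user blackwidow matches.

```python
# Added example: enumerate AS-REP roastable accounts from userAccountControl bits.
# userAccountControl flag values from the MS-ADTS / Microsoft documentation.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000          # 4194304, the value used in the LDAP filter above

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match used in that filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def preauth_disabled_filter(exclude_disabled: bool = True) -> str:
    """Build the LDAP filter for accounts that do not require Kerberos pre-authentication.

    With exclude_disabled=True the filter also drops disabled accounts: the KDC answers
    their AS-REQ with KDC_ERR_CLIENT_REVOKED, so they never yield crackable material.
    """
    want = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_REQ_PREAUTH})"
    if not exclude_disabled:
        return want
    not_disabled = f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE}))"
    return f"(&(objectCategory=person)(objectClass=user){want}{not_disabled})"


def roastable(entries):
    """Given (sAMAccountName, userAccountControl) pairs, return the names that are
    AS-REP roastable: DONT_REQ_PREAUTH set and ACCOUNTDISABLE clear."""
    return [name for name, uac in entries
            if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE]


# Constructed sample (assumption: what an LDAP search of the lab domain might return).
SAMPLE_USERS = [
    ("blackwidow",  NORMAL_ACCOUNT | DONT_REQ_PREAUTH),                   # roastable
    ("hawkeye",     NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE),  # disabled: skip
    ("redwolf-adm", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),               # pre-auth required
]

if __name__ == "__main__":
    print(preauth_disabled_filter())
    print("roastable:", roastable(SAMPLE_USERS))
```

The combined filter is what you would hand to a tool such as ldapsearch or PowerView's -LDAPFilter parameter; the bit test in roastable() is the same check the filter performs server-side.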
My lab environment is:
blackwidow@REDWOLF.LOCAL - User with kerberos preauthentication disabled
redwolf-dc - Domain Controller
Abuse
Many tools can perform the AS-REP Roasting attack; I will demonstrate with Rubeus (for Windows) and GetNPUsers.py (for Linux) from the Impacket scripts.
Execution with Rubeus
First list the users that have pre-authentication disabled (this command requires PowerView to be loaded in memory):
Then we can use Rubeus.exe to request an AS-REP for each of them and dump its enc-part (the block holding the session key) in a crackable format:
Execution with GetNPUsers
Install the Impacket scripts.
Enumerate the list of users present in the domain and pass it to GetNPUsers.py with -usersfile; with valid domain credentials, GetNPUsers.py can instead query LDAP itself and request the AS-REP for every account found (-request):
Cracking the AS-REP Hash
Say this is the hash we get for the potential victim:
We need to insert 23 after $krb5asrep$ (giving $krb5asrep$23$user@REALM:...), because hashcat's mode 18200 expects the encryption type in that position and Rubeus omits it by default (Rubeus can emit it directly with /format:hashcat).
Then we can use john or hashcat (-m 18200) to crack the hash:
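As an added example (not code from the original page or from Rubeus/Impacket), here is a small Python converter that performs the insertion described above for a whole output file, validates the hash layout while doing so, and refuses lines whose etype is not 23, since mode 18200 only handles RC4-HMAC. The sample line is constructed with filler hex for the lab user; it is not a real capture.

```python
# Added example: normalise AS-REP hashes to the hashcat 18200 format.
import re

# hashcat mode 18200 = "Kerberos 5, etype 23, AS-REP". Its input format is
#   $krb5asrep$23$<user>@<REALM>:<16-byte checksum hex>$<enc-part hex>
# Rubeus (default /format:john) and impacket's -format john omit the "23$" field.
HASHCAT_MODE_ASREP_RC4 = 18200
RC4_HMAC_ETYPE = 23

_ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(?P<etype>\d+)\$)?"      # optional etype field
    r"(?P<user>[^@$:]+)@(?P<realm>[^:$]+):"      # user@REALM
    r"(?P<checksum>[0-9a-fA-F]{32})\$"          # HMAC-MD5 checksum of the enc-part
    r"(?P<edata>(?:[0-9a-fA-F]{2})+)$"          # the RC4-encrypted enc-part itself
)


def parse_asrep(line: str):
    """Split one AS-REP hash line into its fields, or return None if it is malformed."""
    m = _ASREP_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"]) if fields["etype"] else None
    return fields


def to_hashcat(line: str) -> str:
    """Return the hash in hashcat 18200 form, inserting '23$' after '$krb5asrep$' when it
    is missing. Lines already carrying 23 pass through unchanged; other etypes (AES
    AS-REPs, etype 17/18) are rejected because mode 18200 cannot crack them."""
    h = parse_asrep(line)
    if h is None:
        raise ValueError("not an AS-REP hash line")
    if h["etype"] not in (None, RC4_HMAC_ETYPE):
        raise ValueError(f"etype {h['etype']} is not RC4-HMAC; mode 18200 will not crack it")
    return f"$krb5asrep${RC4_HMAC_ETYPE}${h['user']}@{h['realm']}:{h['checksum']}${h['edata']}"


def convert_lines(lines):
    """Convert every non-empty line of a Rubeus/GetNPUsers output file."""
    return [to_hashcat(line) for line in lines if line.strip()]


# Constructed sample for the lab user; the hex payload is filler, not a real AS-REP.
SAMPLE_RUBEUS_LINE = "$krb5asrep$blackwidow@REDWOLF.LOCAL:" + "ab" * 16 + "$" + "cd" * 48

if __name__ == "__main__":
    for converted in convert_lines([SAMPLE_RUBEUS_LINE]):
        print(converted)
    print(f"crack with: hashcat -m {HASHCAT_MODE_ASREP_RC4} asrep.hashcat wordlist.txt")
```

Write the converted lines to a file and run hashcat -m 18200 against it; john recognises the $krb5asrep$ format on its own and does not need the conversion.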
Mitigation
Uncheck 'Do not require Kerberos preauthentication' in the Account Options of the user account (the same flag can be cleared with the Active Directory PowerShell module's Set-ADAccountControl -DoesNotRequirePreAuth $false). Where an application genuinely needs the flag, give that account a long random password so the offline crack is infeasible, and alert on 4768 events that show Pre-Authentication Type 0 with a successful result code, since those are exactly the AS-REPs an attacker collects.
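As an added example on the detection side (not part of the original page), the following Python applies that 4768 check to event message text. It keeps only AS-REPs issued with no pre-authentication and result code 0x0; the 0x19 (KDC_ERR_PREAUTH_REQUIRED) responses that every normal logon produces on its first, un-pre-authenticated AS-REQ are ignored, which is what makes the rule low-noise. The event bodies are constructed to mirror the 4768 field layout and are not real log captures.

```python
# Added example: flag AS-REP Roasting from Windows Security Event 4768 text.
import re
from collections import defaultdict

# Event 4768: "A Kerberos authentication ticket (TGT) was requested".
PREAUTH_NONE = 0          # no pre-authentication used; 2 would be PA-ENC-TIMESTAMP
RESULT_SUCCESS = 0x0      # 0x19 = KDC_ERR_PREAUTH_REQUIRED, the harmless first try of a logon
ETYPE_RC4_HMAC = 0x17     # what Rubeus and GetNPUsers request; 0x12 is AES256

# "Key:<tabs/spaces>value" lines; section headers such as "Account Information:" carry no value.
_FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z \-]*?):[ \t]*(\S[^\n]*?)[ \t]*$", re.MULTILINE)


def parse_4768(message: str) -> dict:
    """Turn the text body of a 4768 event into a dict of its 'Key: value' fields."""
    return {key.strip(): value for key, value in _FIELD_RE.findall(message)}


def is_asrep_roast(ev: dict) -> bool:
    """True when the KDC handed out an AS-REP without any pre-authentication."""
    preauth = int(ev.get("Pre-Authentication Type", "-1"))
    result = int(ev.get("Result Code", "0x1"), 16)
    return preauth == PREAUTH_NONE and result == RESULT_SUCCESS


def roast_report(messages):
    """Group roastable AS-REPs by client address: {address: [(account, etype), ...]}."""
    hits = defaultdict(list)
    for msg in messages:
        ev = parse_4768(msg)
        if is_asrep_roast(ev):
            etype = int(ev.get("Ticket Encryption Type", "0x0"), 16)
            hits[ev.get("Client Address", "?")].append((ev.get("Account Name", "?"), etype))
    return dict(hits)


def _event(account, addr, etype, preauth, result):
    # Constructed 4768 body (assumption: field names as the Security log renders them).
    return "\n".join([
        "A Kerberos authentication ticket (TGT) was requested.",
        "Account Information:",
        f"\tAccount Name:\t\t{account}",
        "\tSupplied Realm Name:\tREDWOLF.LOCAL",
        "Network Information:",
        f"\tClient Address:\t\t{addr}",
        "Additional Information:",
        f"\tTicket Encryption Type:\t{etype:#x}",
        f"\tPre-Authentication Type:\t{preauth}",
        f"\tResult Code:\t\t{result:#x}",
    ])


SAMPLE_EVENTS = [
    _event("blackwidow", "::ffff:10.10.10.50", ETYPE_RC4_HMAC, 0, 0x0),   # roasted (RC4)
    _event("ironman",    "::ffff:10.10.10.20", 0x12,           2, 0x0),   # normal logon
    _event("hulk",       "::ffff:10.10.10.20", ETYPE_RC4_HMAC, 0, 0x19),  # preauth-required bounce
    _event("blackwidow", "::ffff:10.10.10.50", 0x12,           0, 0x0),   # roasted (AES)
]

if __name__ == "__main__":
    for addr, hits in roast_report(SAMPLE_EVENTS).items():
        print(addr, hits)
```

The report groups by Client Address because a roasting run typically requests several accounts from one host in quick succession; an RC4 etype on a domain that otherwise uses AES is an extra indicator, but the rule fires on the pre-authentication type, not the cipher, so AES-encrypted AS-REPs are caught too.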