AS-REP Roasting

AS-REP Roasting is an attack against Kerberos that targets user accounts which do not require preauthentication. This is explained in thorough detail in HarmJ0y's post. Preauthentication is the first step in Kerberos authentication and is designed to prevent brute-force password guessing attacks.

During preauthentication, the user's password is used to encrypt a timestamp; the domain controller then decrypts it to validate that the right password was used and that the request is not a replay of an earlier one. Once that check passes, a TGT is issued for the user to use for future authentication. If preauthentication is disabled, an attacker can request authentication data for any such user, and the DC will return an AS-REP (containing the TGT) with a portion encrypted under the user's password-derived key, which can be brute-forced offline.

What's the risk?

If we can enumerate accounts in a Windows domain that do not require Kerberos preauthentication, we can request a piece of encrypted material for each of those accounts and crack it offline, recovering cleartext credentials.

Attack

Rubeus simplifies this attack with its asreproast parameter, which finds all users with preauthentication disabled and requests a ticket for each of them.

We can see that our user John Constantine has preauthentication disabled. Now we can copy this ticket over to our cracking tool (hashcat) and grab some cleartext credentials.

Be aware that a 23 needs to be added to our hash, as Rubeus does not do this for us:

$krb5asrep$23$jconstantine@dominioncyber.local

After a moment with hashcat, and adding some rules, we can see that our wordlist successfully cracked the password.
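From the defender's side, the two things worth checking are which accounts still have preauthentication disabled and whether a single host is pulling AS-REPs for several of them, which is exactly what the asreproast run above produces. The following Python is an added example, not code from the original post or from Rubeus: it inspects constructed Security-log records in a simplified key=value form (a stand-in for real Event ID 4768 XML), flags requests answered with pre-authentication type 0 and the RC4 etype 0x17 (the 23 in the hash above), and checks userAccountControl for the DONT_REQ_PREAUTH bit (0x400000); the user names, IPs and domain are made up.

```python
import re

# Constructed sample records modelled on Event ID 4768 (Kerberos TGT requested).
# PreAuthType=0 means the KDC answered without pre-authentication;
# TicketEncryptionType=0x17 is RC4-HMAC, the "23" in $krb5asrep$23$...
SAMPLE_4768 = """\
EventID=4768 TargetUserName=jconstantine TargetDomainName=DOMINIONCYBER.LOCAL IpAddress=10.0.0.5 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=alice TargetDomainName=DOMINIONCYBER.LOCAL IpAddress=10.0.0.7 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=svc_backup TargetDomainName=DOMINIONCYBER.LOCAL IpAddress=10.0.0.5 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4769 TargetUserName=alice TargetDomainName=DOMINIONCYBER.LOCAL IpAddress=10.0.0.7 TicketEncryptionType=0x12 PreAuthType=- Status=0x0
"""

DONT_REQ_PREAUTH = 0x400000  # userAccountControl flag: Kerberos pre-authentication not required
RC4_HMAC = 0x17              # etype 23


def parse_event(line):
    """Split one 'key=value key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_asrep_without_preauth(ev):
    """True for a successful 4768 where the KDC issued the AS-REP with no pre-auth."""
    return (ev.get("EventID") == "4768"
            and ev.get("PreAuthType") == "0"
            and ev.get("Status") == "0x0")


def detect_asrep_roasting(log_text):
    """Return one alert per AS-REP issued without pre-auth, noting RC4 use."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_asrep_without_preauth(ev):
            etype = int(ev["TicketEncryptionType"], 16)
            alerts.append({"user": ev["TargetUserName"],
                           "source_ip": ev["IpAddress"],
                           "rc4": etype == RC4_HMAC})
    return alerts


def requesters_by_ip(alerts):
    """Group roastable AS-REPs by client IP: one host hitting many users is the asreproast pattern."""
    by_ip = {}
    for a in alerts:
        by_ip.setdefault(a["source_ip"], set()).add(a["user"])
    return by_ip


def accounts_without_preauth(accounts):
    """accounts: (sAMAccountName, userAccountControl) pairs, e.g. from an LDAP export. Returns names to remediate."""
    return [name for name, uac in accounts if uac & DONT_REQ_PREAUTH]
```

Accounts returned by accounts_without_preauth are the ones to fix (clear the flag, rotate the password); the per-IP grouping turns the individual 4768 events into a single finding when one source requests tickets for several such users.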
