AS-REP Roasting
Last updated
Last updated
Adversaries may reveal credentials of accounts that have disabled Kerberos preauthenticatiion by Password Cracking Kerberos messages.
Preauthentication offers protection against offline Password Cracking. When enabled, a user requesting access to a resource initiates communications with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If any and only if the DC is able to successfully decrypt the timestamp with the hash of the user's password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket(TGT) to the user. Part of the AS-REP message is signed with the user's password.
For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline Password Cracking attacks similarly to Kerberoasting and expose plaintext credentials.
An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like PowerShell with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data.
Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.
Example
As worked previously with Kerberoasting we will use Impacket tools to achieve our goal (Please do remember that this can also be achieved with other tools [Rubeus, PowerShell]). We will first find a user with our credentials form a domain user that we already have access to.
Once this is achieved we want to save the hash and crack it.
This is a very great technique when enumerating Domain users and you manage to find a user with the
DONT_REQ_PREAUTH value and use this technique to gain credentials.
References: