AS-REP Roasting

Forging Kerberos Tickets with AS-REP Roasting

AS-REP Roasting is a technique that exploits a weakness in the Kerberos protocol during initial authentication with the Key Distribution Centre (KDC).

During the authentication stage, a user requests a Ticket Granting Ticket (TGT) from the KDC in the form of an AS-REQ packet. If the account exists, the KDC returns a TGT encrypted with the account's credentials, meaning that only a valid user or machine possessing those credentials is able to decrypt the ticket.

Any user who is able to make a request to the KDC can also request a TGT for any arbitrary user. That allows an attacker to receive an encrypted ticket which can then be brute-forced offline to retrieve the password.

If a user's UserAccountControl settings have "Do not require Kerberos preauthentication" enabled, i.e. Kerberos preauth is disabled, it is possible to grab the user's crackable AS-REP and brute-force it offline.

Enumerating accounts with Kerberos preauth disabled using PowerView:

Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose


If we want to check a specific user we can do

Get-DomainUser username | ConvertFrom-UACValue

and check whether the output contains the DONT_REQ_PREAUTH flag.


In case preauth is not disabled but we have GenericWrite or GenericAll rights over the account, we can force Kerberos preauth to be disabled. To do so we need to set the 4194304 (DONT_REQ_PREAUTH) flag in the user's UserAccountControl attribute.

Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose


Request encrypted AS-REP for offline brute-force.

We will use ASREPRoast but you can do it with Rubeus too.

The Get-ASREPHash function wraps New-ASReq to generate the appropriate AS-REQ for a given user/domain, enumerates the DC for the passed domain, sends the crafted AS-REQ and receives the response bytes.

Get-ASREPHash -Domain domain -UserName username -Verbose

We can also use the Invoke-ASREPRoast function to find all the users that don't require Kerberos preauthentication:

Invoke-ASREPRoast -Verbose | fl


Cracking AS-REP Hashes with hashcat

Hashcat mode 18200 expects the encryption type (23, i.e. RC4-HMAC) after the $krb5asrep$ prefix, so we need to add 23 like this (user and domain shown as placeholders):

$krb5asrep$23$<user>@<domain>:….

and crack it

hashcat -m 18200 -a 0 -O '$krb5asrep$23$<user>@<domain>:...' /path/to/wordlist


Mitigation

To defend against AS-REP Roasting you need to search for and identify user accounts that are set to not require Kerberos pre-authentication and remove any instances of it. You can find these accounts with an LDAP filter query:

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

Another countermeasure is to use long, complex passwords that are not found in breached wordlists, to make it harder for an attacker to crack them.
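Beyond removing the flag, the technique leaves a trace on the domain controller: a successful TGT request (Event ID 4768) with Pre-Authentication Type 0 and, typically, RC4 (0x17) as the ticket encryption type, which is exactly the etype 23 that hashcat mode 18200 consumes. The following is an added detection example, not code from the original post: it runs over constructed, flattened 4768 events (field names follow the event's XML data, the values are made up) and flags both single AS-REP roast candidates and a source address that requested tickets for several such accounts, as Invoke-ASREPRoast would.

```python
import re
from collections import defaultdict

# Constructed sample events (not real log data), flattened to key=value lines.
# Field names match the EventData names of Security event 4768.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=alice TargetDomainName=CORP.LOCAL IpAddress=10.0.0.11 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=svc_legacy TargetDomainName=CORP.LOCAL IpAddress=10.0.0.25 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=bob TargetDomainName=CORP.LOCAL IpAddress=10.0.0.25 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=carol TargetDomainName=CORP.LOCAL IpAddress=10.0.0.25 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=mallory TargetDomainName=CORP.LOCAL IpAddress=10.0.0.40 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6
EventID=4769 TargetUserName=alice TargetDomainName=CORP.LOCAL IpAddress=10.0.0.11 PreAuthType=- TicketEncryptionType=0x12 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RC4_HMAC = 0x17  # etype 23: the "23" hashcat mode 18200 expects after $krb5asrep$

def parse_event(line):
    """Turn one flattened key=value line into a dict."""
    return dict(FIELD_RE.findall(line))

def is_asrep_roast_candidate(ev):
    """A TGT issued (Status 0x0) with no pre-authentication: the AS-REP's
    encrypted part can be taken offline. Failed requests (e.g. 0x6, unknown
    principal) and service ticket events (4769) are ignored."""
    if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
        return False
    return ev.get("PreAuthType") == "0"

def analyse(log_text, bulk_threshold=3):
    """Return (findings, bulk): one finding per candidate event, and the
    source IPs that pulled AS-REPs for at least bulk_threshold distinct users."""
    findings = []
    per_source = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not is_asrep_roast_candidate(ev):
            continue
        etype = int(ev["TicketEncryptionType"], 16)
        findings.append({"user": ev["TargetUserName"], "ip": ev["IpAddress"],
                         "rc4": etype == RC4_HMAC})
        per_source[ev["IpAddress"]].add(ev["TargetUserName"])
    bulk = {ip: sorted(users) for ip, users in per_source.items()
            if len(users) >= bulk_threshold}
    return findings, bulk

if __name__ == "__main__":
    for f in analyse(SAMPLE_4768)[0]:
        print(f"AS-REP without preauth: {f['user']} from {f['ip']} rc4={f['rc4']}")
```

Accounts that legitimately need the flag (rare, usually legacy systems) will show up here on every logon, so baseline those and alert on new users or on one source address pulling AS-REPs for many accounts.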
