search
HomeGitHubPortfolioTwitter/XMediumCont@ct

7.3 - AS-REP Roasting

hashtag
AS-REP Roasting

AS-REP Roasting exploits accounts for which Kerberos preauthentication is disabled. In a typical Kerberos authentication process, the client must send a timestamp encrypted with its password-derived key. This serves as proof that the authentication request is not being replayed.

However, if preauthentication is disabled, the client does not need to send this encrypted timestamp. As a result, an attacker can request a Ticket Granting Ticket (TGT) for the target user and receive an AS-REP message encrypted with the user’s password hash.

hashtag
AS-REP Process

1) AS-REQ (Client -> KDC/AS)
   - Timestamp 🔑 Encrypted with Client key (only if preauthentication is enabled)

2) AS-REP (KDC/AS -> Client)
   - TGT 🔑 Encrypted with KDC key
   - TGS Session Key 🔑 Encrypted with Client key

In this case we can jump the first step because the preauth is disabled. Once an attacker captures the AS-REP, they can attempt to crack the user's password offline.

hashtag
Example: Exploiting AS-REP Roasting

Step 1: Create a User

New-ADUser -Name "asrep" -SamAccountName "asrep" -UserPrincipalName "asrep@dev-angelist.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force) -Enabled $true

Step 2: Disable Preauthentication

Win + R -> dsa.msc
User -> Properties -> Account -> Account Options -> Do not require Kerberos preauthentication

Or via PowerShell and check if the target accounts that have Kerberos pre-authentication disabled:

Step 3: Perform AS-REP Roasting using Impacket

Step 4: Crack the Ticket

hashtag
Other Resources

hashtag
Labs

Previous7.2 - User Enum in KerberosNext7.4 - Kerberoasting

Last updated