What is As-Rep Roasting Attack?
As-Rep Roasting is an attack technique that targets Kerberos in environments where Pre-Authentication is disabled.
When Pre-Authentication is disabled, an attacker can request an Authentication Service (AS) Response Message (AS-REP) for a user without needing to prove knowledge of their password. The Key Distribution Center (KDC) responds with an encrypted message (the AS-REP), part of which is encrypted with a key derived from the user’s password. The attacker can feed that encrypted part to tools like hashcat or John the Ripper and attempt to crack it offline, revealing the user’s password.
How to identify vulnerable As-Rep Roast accounts in Active Directory?
In a Windows Active Directory (AD) environment, an attacker can use tools like PowerShell to search for accounts where Pre-Authentication is not enforced. These accounts can be identified by the UF_DONT_REQUIRE_PREAUTH flag in the userAccountControl attribute (bit 0x400000, decimal 4194304).
Get-ADUser -Filter {UserAccountControl -band 4194304} -Properties UserAccountControl
How to create vulnerable AS-Rep Roasting Account?
System administrators may create vulnerable accounts by disabling Pre-Authentication for specific users.
Step 1: Open Server Manager and navigate to Active Directory Users and Computers.
Step 2: Select the user account properties.
Step 3: Under the Account tab, check the option for Do not require Kerberos preauthentication.
Step 4: Apply the changes.
What are the tools used for performing As-Rep Roasting attack?
1. Rubeus
Rubeus is a command-line tool written in C# to abuse Kerberos authentication in Windows Active Directory environments.
Rubeus.exe asreproast /domain:YourDomainName.local
This command will request AS-REPs for vulnerable accounts and output their encrypted credential hashes, which can be used for offline cracking.
2. Kerbrute
Kerbrute is another tool designed for brute-forcing and enumerating user accounts in Kerberos environments. It can also be used to exploit As-Rep Roasting vulnerabilities.
Kerbrute has four main commands:
- bruteuser – Bruteforce a single user’s password from a wordlist
- bruteforce – Read username:password combos from a file or stdin and test them
- passwordspray – Test a single password against a list of users
- userenum – Enumerate valid domain usernames via Kerberos
./kerbrute_linux_amd64 userenum -d 'server.local' --dc 10.0.0.203 ~/wordlists/user.txt
3. Impacket
Impacket is a Python library that ships with example scripts for testing weaknesses in a wide variety of network protocols. The GetNPUsers.py script can be used to exploit As-Rep Roasting.
On Kali Linux, the Impacket example scripts are located by default in /usr/share/doc/python3-impacket/examples/.
Identify the vulnerable As-Rep roast accounts using Impacket (the script's user-list option is spelled -usersfile):
python3 GetNPUsers.py -usersfile username.txt -dc-ip 10.0.0.203 server.local/
Dump the password hash for vulnerable As-Rep roast accounts:
python3 GetNPUsers.py -usersfile username.txt -request -dc-ip 10.0.0.203 "server.local/"
How to crack the hash?
Once the attacker obtains the AS-REP encrypted data, it can be brute-forced offline using tools like Hashcat.
hashcat -m 18200 hash.txt wordlist.txt -o Cracked.txt
The -m 18200 parameter specifies the mode for Kerberos 5 AS-REP hashes. If successful, this process will reveal the plaintext password for the user.
How to stop As-Rep Roast attack?
Step 1: Identify the vulnerable accounts
Get-ADUser -Filter {UserAccountControl -band 4194304} -Properties UserAccountControl
Step 2: Open Server Manager and navigate to Active Directory Users and Computers.
Step 3: Select the user account properties.
Step 4: Under the Account tab, uncheck the option for Do not require Kerberos preauthentication.
Step 5: Apply the changes.
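The steps above can be automated for a whole domain. The following is an added example (not code from the original article) that audits every account carrying the DONT_REQ_PREAUTH bit and, once reviewed, clears it with Set-ADAccountControl; it assumes the RSAT ActiveDirectory module is installed and the caller has rights to modify the accounts.

```powershell
# Added example, not from the original article.
# Assumes the RSAT ActiveDirectory module and rights to modify the listed accounts.
Import-Module ActiveDirectory

# UF_DONT_REQUIRE_PREAUTH bit in userAccountControl (0x400000 = 4194304)
$DontReqPreauth = 0x400000

function Get-AsRepRoastableUser {
    param([string]$SearchBase)   # optional OU distinguished name to narrow the search
    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests a single bit of userAccountControl
    $params = @{
        LDAPFilter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$DontReqPreauth))"
        Properties = 'userAccountControl', 'servicePrincipalName', 'lastLogonDate'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params | Select-Object SamAccountName, Enabled, LastLogonDate,
        @{ n = 'HasSPN'; e = { $_.servicePrincipalName.Count -gt 0 } },
        @{ n = 'UACHex'; e = { '0x{0:X}' -f $_.userAccountControl } }
}

function Repair-AsRepRoastableUser {
    # Clears the flag so the KDC again demands pre-authentication for the account.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)] $User)
    process {
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'Clear DONT_REQ_PREAUTH')) {
            Set-ADAccountControl -Identity $User.SamAccountName -DoesNotRequirePreAuth $false
        }
    }
}

# Report first; clear the flag only after the account owners confirm nothing depends on it.
$findings = Get-AsRepRoastableUser
$findings | Format-Table -AutoSize
# $findings | Repair-AsRepRoastableUser -WhatIf   # dry run: shows what would change
# $findings | Repair-AsRepRoastableUser            # apply the fix
```

Re-run Get-AsRepRoastableUser afterwards; an empty result confirms no account in scope still has Pre-Authentication disabled.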