
Like Kerberoasting, ASREPRoasting is an attack that ends with offline cracking of an encrypted password hash for an account in an Active Directory domain. All it takes is an account with DONT_REQ_PREAUTH enabled.

From Microsoft, the definition of this setting:

DONT_REQUIRE_PREAUTH – (Windows 2000/Windows Server 2003) This account doesn’t require Kerberos pre-authentication for logging on.

And bear in mind that even once you ASREPRoast an account, its password can be hard to crack if it is a strong one.

Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.


What Is Kerberos?

Kerberos is named after the three-headed guard dog of Hades (Cerberus) from Greek mythology. It is an authentication protocol that consists of three parts. These are the Kerberos Key Distribution Center, the client, and the server.

User yourmom sends a request to the KDC for a Ticket Granting Ticket. The KDC receives the username and looks it up in the database to see if the user exists. Yourmom’s request is called a Kerberos Authentication Service Request (KRB_AS_REQ).

The KRB_AS_REQ request contains information encrypted by the hashed password of the user requesting it. The KDC uses yourmom’s hashed password to decrypt the encrypted data in the KRB_AS_REQ.

Windows 2000 and later versions use Kerberos as the default authentication method. The Domain Controller provides the Authentication Service (AS) and the Ticket Granting Service (TGS). A client logging on to their device sends an authentication request to the DC and is met by the AS first. The account password is looked up, and then the TGT is created, granting a session.

How ASREPRoasting Works

Here is an overview of how ASREPRoasting works:

  • The client's AS-REQ contains a timestamp encrypted with the user's key; the Kerberos Key Distribution Center decrypts that timestamp in order to verify the request really comes from that user.
  • If the AS-REQ is valid, the KDC returns an AS-REP response.
  • When DONT_REQ_PREAUTH is enabled, an attacker can send an AS-REQ for that user without the encrypted timestamp, and receive an AS-REP reply whose encrypted portion can be cracked offline to recover the password.

Basically, ASREPRoasting can be summed up by the following tool output.

[*] Using domain controller: BEHDC.testlab.local (10.0.0.33)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\svc-legacyapp'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash: (crack me now)

Let’s have a look at Wireshark.

In this example I just executed the attack and it completed. Look for the AS-REQ and AS-REP in the Wireshark packets.

When To Do ASREPRoasting

Imagine that so far I have obtained the credentials for a low-privilege, but nonetheless valid and authenticated, domain user: bobjones.

While we now have a user account's credentials, there are still other methods to employ and credentials to capture at this stage. Continuing the theme of attacking the way Kerberos authenticates users in a network, we will now attack Kerberos itself.

Kerberos pre-authentication is a feature that is not supposed to be disabled, but the option to disable it exists in Active Directory. Attacks on accounts with this valuable security feature disabled work in a similar fashion to LLMNR/NBT-NS poisoning. The AS-REP response contains a random piece of data that is encrypted with the user's NTLM hash, which is derived from the plaintext password.

By using an LDAP query you can grab a list of users without Kerberos pre-authentication in their domain accounts.

The downside of performing an LDAP query is that a domain account is required. Since I have one, I could run an LDAP query, but I will instead use another script later on in this post.

The example here references the online ethical hacking course Become An Ethical Hacker. The account svc-legacyapp is a fictional service account associated with an old enterprise app in the ethical hacking lab. Imagine that in order to facilitate users managing the app the enterprise gave the account’s security least priority. 

How To Do ASREPRoasting

To demonstrate how to do ASREPRoasting I will use Impacket's script GetNPUsers.py. The beauty of using this script is that you don't have to know the password of the target user account. Just by specifying a username the script is able to obtain an AS-REP response from the KDC.

First, either a list of users can be used or a single user can be chosen.

The following command will search for all users by supplying valid credentials.

[kali@kali:~] python GetNPUsers.py testlab.local/bobjones:Password1 -format john -outputfile hashes.crackme -dc-ip 10.0.0.33


The output of this script suggests that the account svc-legacyapp is ASREPRoastable, meaning it has the insecure setting enabled.

So that means an account is ASREPRoastable, but how does the attack itself take place? For that I use Rubeus.

Rubeus is kind enough to craft an AS-REQ request to the KDC on our behalf and feed us the AS-REP response. The AS-REP response, as you now know, is encrypted with the NTLM hash we want to crack.

ASREPRoasting can be done with several popular attack platforms such as Covenant. ASREPRoasting with Covenant is done by first getting a new Grunt, Covenant's command and control agent, running on the target once a Stager payload has been executed in memory.

ASREPRoasting is easy with Covenant.

The Covenant ASREPRoasting command will perform the attack and spit out a hash that I can crack using John or Hashcat.

Cracking ASREP Hash

The hash that comes out of ASREPRoasting attack tools is in the format Hashcat calls Kerberos 5 AS-REP etype 23. The difference between cracking Kerberoasting and ASREPRoasting output is that they are two different Hashcat hash types: Kerberoasting uses mode 13100 and ASREPRoasting uses mode 18200.

It will look something like this (the user@domain part is the roasted account, here the lab's svc-legacyapp@testlab.local): $krb5asrep$svc-legacyapp@testlab.local:adfs3sa63vbj6bj8

In order to crack the hash with Hashcat you have to add $23$ after the $krb5asrep$ prefix. As such: $krb5asrep$23$svc-legacyapp@testlab.local:adfs3sa63vbj6bj8

The following command can be used to crack the Kerberos AS-REP hash to reveal the password of the service account which was given the Do Not Require Kerberos Preauthentication setting in Active Directory.

[kali@kali:~] hashcat -m 18200 hashes.txt -a 6 rockyou.txt ?d?d?d?d

Once I added the $23$ the hash is accepted by Hashcat, and it cracks the hash easily given the wordlist and mask I provided.

How To Defend Against ASREPRoasting

Since Kerberos is the default authentication service in Windows environments, you can't just turn it off to mitigate this threat.

What you can do to defend against ASREPRoasting:

  • Search for and identify accounts with the insecure "Do Not Require Kerberos Preauthentication" setting enabled. A simple LDAP filter query can find them, and attack scripts such as Impacket's GetNPUsers.py can identify them as well.
  • Enforce long, complex passwords for Active Directory user accounts, specifically those used as service accounts. Any account with a Service Principal Name can be enumerated and targeted in this kind of attack.
  • Be mindful to limit the permissions of service accounts.
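As an added example (not code from the original post), the first bullet's LDAP check in Python: it builds the bitwise-AND filter for the DONT_REQ_PREAUTH bit of userAccountControl and applies the same check offline to constructed (sAMAccountName, userAccountControl) pairs; the account names and values are made up for the lab.

```python
# Added example (not from the original post): audit userAccountControl for the
# DONT_REQ_PREAUTH bit, the "Do Not Require Kerberos Preauthentication" setting.
# The directory entries below are constructed sample data, not a real export.

# userAccountControl bit values as documented by Microsoft
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000  # decimal 4194304

# LDAP matching rule OID for a bitwise AND on an integer attribute
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def preauth_disabled_filter(include_disabled=False):
    """Build the LDAP filter that lists user accounts whose Kerberos
    pre-authentication is disabled (optionally excluding disabled accounts)."""
    clauses = [
        "(objectCategory=person)",
        "(objectClass=user)",
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_REQUIRE_PREAUTH})",
    ]
    if not include_disabled:
        # skip accounts that already carry the ACCOUNTDISABLE bit
        clauses.append(f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE}))")
    return "(&" + "".join(clauses) + ")"


def find_roastable(entries, include_disabled=False):
    """Apply the same logic offline to (name, userAccountControl) pairs, e.g. from
    a directory dump. Returns the names with pre-authentication disabled."""
    hits = []
    for name, uac in entries:
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(name)
    return hits


# Constructed sample directory entries: (sAMAccountName, userAccountControl)
SAMPLE_ENTRIES = [
    ("bobjones", UF_NORMAL_ACCOUNT),                                 # 512: pre-auth required
    ("svc-legacyapp", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),  # 4194816: roastable
    ("svc-oldreport", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE),
]

if __name__ == "__main__":
    print(preauth_disabled_filter())
    for name in find_roastable(SAMPLE_ENTRIES):
        print(f"pre-authentication disabled: {name}")
```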

How To Detect ASREPRoasting

As I mentioned before, Kerberoasting and ASREPRoasting are similar, but not the same. A Windows Security event log entry in Event Viewer can show that the TGS ticket was requested on behalf of a service account. This could be legitimate, but it is worth looking into.

This is literally the request that happened when I fired off Rubeus.
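An added example, not from the original post, that carries the detection idea one step further: a Python check over Windows Security event 4768 records ("A Kerberos authentication ticket (TGT) was requested", the event written for the AS-REQ/AS-REP exchange) that flags requests made with Pre-Authentication Type 0. The field names follow the 4768 message body; the export text and account names are constructed and simplified.

```python
import re

# Added example (not from the original post): flag event 4768 records where the KDC
# did not require pre-authentication. Pre-auth type 2 is the normal encrypted
# timestamp; type 0 means none. SAMPLE_EXPORT is constructed, simplified data.
PREAUTH_NONE = 0
ETYPE_RC4 = 0x17  # RC4-HMAC, the etype 23 the post cracks with Hashcat mode 18200

FIELD_RE = re.compile(r"^\s*(Account Name|Ticket Encryption Type|"
                      r"Pre-Authentication Type|Result Code):\s*(\S+)", re.MULTILINE)

def parse_4768(text):
    """Split a text export into per-event dicts (events separated by blank lines)."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        if "EventID: 4768" in chunk:
            events.append(dict(FIELD_RE.findall(chunk)))
    return events

def asrep_roast_alerts(events):
    """Return (account, severity) for each successful TGT request that used
    pre-auth type 0; RC4 tickets are 'high' because that etype cracks fastest."""
    alerts = []
    for ev in events:
        if ev.get("Result Code") != "0x0":
            continue  # failed requests show '-' for the type and are noise here
        if int(ev.get("Pre-Authentication Type", "2")) != PREAUTH_NONE:
            continue
        etype = int(ev.get("Ticket Encryption Type", "0x0"), 16)
        alerts.append((ev["Account Name"], "high" if etype == ETYPE_RC4 else "medium"))
    return alerts

SAMPLE_EXPORT = """
EventID: 4768
Account Name: bobjones
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2
Result Code: 0x0

EventID: 4768
Account Name: svc-legacyapp
Ticket Encryption Type: 0x17
Pre-Authentication Type: 0
Result Code: 0x0

EventID: 4768
Account Name: nosuchuser
Ticket Encryption Type: 0xffffffff
Pre-Authentication Type: -
Result Code: 0x6
"""
```

Run against a real export, the rule fires on the Rubeus request shown above because it asks for an RC4 ticket with no pre-authentication, while the failed lookup for an unknown user is ignored.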
