AS-REP Roasting

The first phase of Kerberos where the client sends the encrypted timestamp with the password hash and the KDC returns the TGT only if it is valid, is called pre-authentication. If it is not present or is disabled, the client sends a TGT request specifying the username and the KDS returns the encrypted TGT with the hash of the user's password. However, this allows an attacker to make a false request for a certain user, obtain the encrypted TGT with the hash of that user's password and then perform offline cracking. By default, not requiring pre-authentication is disabled, but it is possible to enable it and you can often find configurations where it is enabled.

Attack

Remotely

Linux

impacket-GetNPUsers will attempt to list and get TGTs for those users who have the property "Do not require Kerberos pre-authentication". You must have the credentials of a domain user to perform the extraction.

GetNPUsers.py -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]>

GetNPUsers.py -dc-ip <IP_DC> -request -outputfile <OutputFile> <DOMAIN>/<USER[:PASSWORD]>

GetNPUsers.py -dc-ip <IP_DC> -no-pass -usersfile valid_ad_users.txt <DOMAIN>/

Offline cracking of file <OutputFile> with hashcat (-m 18200)

Locally

Targeted AS-REP Roasting

If an attacker has GenericWrite or GenericAll permissions over an account, they can enable "not requiring pre-authentication" and obtain the AS-REP ticket for offline cracking to recover the account's password before disabling the attribute again.