Understanding AS-REP Roasting and Its Exploitation
Overview
AS-REP Roasting is a technique that targets Active Directory (AD) environments where Kerberos pre-authentication is disabled. In such configurations, attackers can request encrypted authentication responses for user accounts without needing to prove knowledge of the user's password. These encrypted responses, known as AS-REPs, can then be subjected to offline brute-force attacks to extract the user's plaintext password.
How AS-REP Roasting Works
- Identifying Vulnerable Accounts: Attackers first identify user accounts where Kerberos pre-authentication is disabled. This can be achieved through enumeration tools or by querying Active Directory for accounts with the "Do not require Kerberos preauthentication" flag set.
- Requesting Authentication Data: Once a vulnerable account is identified, the attacker sends an Authentication Service Request (AS-REQ) to the Key Distribution Center (KDC) for that account. Since pre-authentication is disabled, the KDC responds with an Authentication Service Response (AS-REP) containing a Ticket Granting Ticket (TGT) encrypted using the user's password hash.
- Cracking the Password Hash: The attacker then extracts the encrypted TGT from the AS-REP and attempts to crack it offline using tools like Hashcat or John the Ripper. If the user's password is weak or commonly used, the attacker may successfully recover the plaintext password.
Tools for Exploitation
- Rubeus: A powerful tool for Kerberos ticket manipulation and extraction. Using the command Rubeus.exe asreproast, attackers can automatically identify accounts with disabled pre-authentication and extract AS-REP hashes for offline cracking.
- Impacket: A collection of Python classes for working with network protocols. The GetNPUsers.py script can be used to enumerate accounts with disabled pre-authentication and request AS-REPs.
- Hashcat: A fast and flexible password cracker. Once AS-REP hashes are obtained, Hashcat can be used to perform offline cracking attempts.
Mitigation Strategies
- Enable Kerberos Pre-Authentication: Ensure that all user accounts require Kerberos pre-authentication. This can be enforced through Group Policy or by using PowerShell scripts to modify user account properties.
- Regular Audits: Periodically audit Active Directory to identify and remediate accounts with pre-authentication disabled. Tools like Purple Knight can assist in this process.
- Strong Password Policies: Implement and enforce strong password policies to make offline cracking attempts more difficult.
- Monitor for Suspicious Activity: Set up alerts for unusual authentication patterns or the use of tools like Rubeus to detect potential AS-REP Roasting attacks.
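As an added example (not code from the original page), the following PowerShell script covers both the audit and the monitoring points above: it lists accounts carrying the "Do not require Kerberos preauthentication" flag through the ActiveDirectory module, can clear that flag with Set-ADAccountControl, and scans a domain controller's Security log for successful 4768 (TGT requested) events with Pre-Authentication Type 0, which is what an AS-REP handed out without pre-authentication looks like in the log. It assumes the RSAT ActiveDirectory module is installed, that Kerberos Authentication Service auditing is enabled on the DC, and that the 4768 EventData field names match the standard schema.

```powershell
# Added example, not from the original page. Requires the RSAT ActiveDirectory module
# and rights to read userAccountControl (and to modify it when -Remediate is used).
Import-Module ActiveDirectory

# 1. Audit: accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set
#    (0x400000 = 4194304), i.e. "Do not require Kerberos preauthentication".
function Get-PreAuthDisabledAccount {
    param([switch]$Remediate)
    $filter = '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'   # LDAP bitwise-AND match
    $accounts = Get-ADUser -LDAPFilter $filter -Properties userAccountControl, LastLogonDate, Enabled
    foreach ($u in $accounts) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
        }
        if ($Remediate) {
            # Clears the flag so the KDC requires pre-authentication for this account again.
            Set-ADAccountControl -Identity $u -DoesNotRequirePreAuth $false
        }
    }
}

# 2. Detection: a successful 4768 with PreAuthType 0 means the KDC issued an AS-REP
#    without pre-authentication. Run on a domain controller with Kerberos
#    Authentication Service auditing enabled (assumed).
function Find-AsRepWithoutPreAuth {
    param([int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $start } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.PreAuthType -eq '0' -and $d.Status -eq '0x0') {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Account  = $d.TargetUserName
                    ClientIp = $d.IpAddress
                    EncType  = $d.TicketEncryptionType   # 0x17 = RC4 (weakest), 0x12 = AES256
                }
            }
        }
}

# Usage: audit first; add -Remediate only after the owners of any findings have been consulted.
Get-PreAuthDisabledAccount | Format-Table -AutoSize
Find-AsRepWithoutPreAuth -Hours 24 | Format-Table -AutoSize
```

A burst of PreAuthType 0 requests for many distinct accounts from one client address, especially with RC4 encryption, is the pattern worth alerting on; a single such event for a known service account may simply be an application that legitimately has the flag set.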
AS-REP Roasting is a significant threat in Active Directory environments with misconfigured accounts. By understanding how this attack works and implementing the recommended mitigation strategies, organizations can reduce their exposure to this type of credential theft.