This blog post is another one on the well-known Kerberos abuses. The attack is very similar to Kerberoasting, where we scanned for service accounts, requested RC4 ETYPE service tickets and cracked the TGS ticket offline. In AS-REP Roasting we request an RC4 ETYPE TGT and crack the TGT (more precisely, the encrypted part of the AS-REP) offline. AS-REP Roasting comes with the following caveats:
- The user account must have been explicitly set to “Do not require Kerberos Pre-Authentication”
- Dependency on a wordlist (a magical wordlist that could crack any complex password)
Now let's try to understand a little background about Kerberos. In a Windows Kerberos environment, when a user requests a TGT (KRB_AS_REQ, message type 10), the user has to supply a timestamp encrypted with the user's key, which is derived from the password. The KDC decrypts the timestamp to verify the user and then continues with the normal authentication procedure. Pre-authentication was basically built to prevent offline password cracking: without it, the KDC hands out the AS-REP, part of which is encrypted with the user's key, to anyone who asks for it.
The above image depicts Kerberos communication in a Windows environment. To get a real feel for Kerberos and how this communication works, make sure you run a packet capture in the background, authenticate to an application and have a look at the packets.
Now coming back to the AS-REP Roasting part, let's assume that we already have domain user access (a normal user with no special rights). We will be using harmj0y’s PowerShell script ASREPRoast. The good part about this script is that it automatically identifies user accounts explicitly set to “Do not require Kerberos Pre-Authentication”, requests the RC4 hash for the corresponding user, and NO elevated rights are required to run the script.
On the cracking part we will be using Magnumripper – the community-enhanced jumbo version of John the Ripper.
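The two things a defender wants from the paragraph above are (a) the same account list the script enumerates, so those accounts can be fixed before anyone roasts them, and (b) a way to spot the request pattern in the domain controller logs. The following Python is an added example, not harmj0y's script or any code from this post. It assumes two constructed inputs: a list of (sAMAccountName, userAccountControl) pairs as you would pull from LDAP, checked against the real UF_DONT_REQUIRE_PREAUTH bit (0x400000), and a handful of Security Event ID 4768 (TGT requested) records flattened into a hypothetical key=value line format; the field names (TargetUserName, PreAuthType, TicketEncryptionType, IpAddress) are the ones the real 4768 event carries, where PreAuthType 0 means “logon without pre-authentication” and TicketEncryptionType 0x17 is RC4-HMAC.

```python
import re
from collections import Counter

# userAccountControl bit that corresponds to the
# "Do not require Kerberos Pre-Authentication" checkbox (UF_DONT_REQUIRE_PREAUTH).
DONT_REQ_PREAUTH = 0x400000

# Constructed sample of (sAMAccountName, userAccountControl) pairs, as an LDAP query would return.
# 0x200 = NORMAL_ACCOUNT, 0x10000 = DONT_EXPIRE_PASSWORD, 0x400000 = DONT_REQ_PREAUTH.
SAMPLE_USERS = [
    ("svc_backup", 0x410200),
    ("alice", 0x10200),
    ("svc_legacy", 0x400200),
]

# Constructed sample of Security Event ID 4768 / 4769 records in a simplified
# (hypothetical) key=value line format; real events are EVTX/XML but carry the same fields.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.1.2.3
EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.1.2.50
EventID=4768 TargetUserName=svc_legacy PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.1.2.3
EventID=4768 TargetUserName=bob PreAuthType=2 TicketEncryptionType=0x17 IpAddress=10.1.2.51
EventID=4769 TargetUserName=alice ServiceName=MSSQLSvc TicketEncryptionType=0x17 IpAddress=10.1.2.50
"""


def accounts_without_preauth(users):
    """Return account names whose userAccountControl has DONT_REQ_PREAUTH set.
    These are exactly the accounts an AS-REP roasting tool will pick up, so they are
    the remediation list: clear the flag or rotate to a long random password."""
    return [name for name, uac in users if uac & DONT_REQ_PREAUTH]


def parse_event(line):
    """Turn one key=value line into a dict (assumed log format, see above)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def no_preauth_tgt_requests(log_text):
    """Return (user, source IP, encryption type) for every 4768 issued without
    pre-authentication. PreAuthType 0 is the only value a roastable TGT request can
    carry; the RC4 (0x17) ones match what the post describes, but AES (0x12/0x11)
    ones are still worth an alert since the hash is crackable, just slower."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("PreAuthType") != "0":
            continue
        hits.append((ev["TargetUserName"], ev["IpAddress"], ev["TicketEncryptionType"].lower()))
    return hits


def requests_per_source(log_text):
    """Count no-pre-auth TGT requests per client IP. One host asking for TGTs of
    several different no-pre-auth accounts in a short window is the enumeration
    signature of the script; normal clients only request their own TGT."""
    return dict(Counter(ip for _, ip, _ in no_preauth_tgt_requests(log_text)))


if __name__ == "__main__":
    print("Accounts to remediate:", accounts_without_preauth(SAMPLE_USERS))
    for user, ip, etype in no_preauth_tgt_requests(SAMPLE_EVENTS):
        print(f"4768 without pre-auth: user={user} from={ip} etype={etype}")
    print("No-pre-auth requests per source:", requests_per_source(SAMPLE_EVENTS))
```

The 4769 line is deliberately included to show the filter ignores service-ticket events (those belong to Kerberoasting detection, where the RC4 etype on a 4769 is the signal instead). In a real deployment the log parser would read the 4768 XML fields rather than this key=value stand-in, but the two conditions, PreAuthType 0 and one source touching several such accounts, are the same.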
I have also created a video for AS-REP Roasting.