AS-REPRoasting
If a user does not have Kerberos pre-authentication enabled, an AS-REP can be requested for that user, and part of the reply can be cracked offline to recover their plaintext password. This configuration is set on the User Object and is often seen on accounts that are associated with Linux systems. The only thing the technique requires is the user's username, which is sent in the request to the KDC.
As we learned while getting an overview of the Kerberos authentication process, if an account has pre-authentication disabled, an attacker can obtain an encrypted TGT for the affected account without any prior authentication. If the user's password is weak, it is possible to crack the obtained hash and compromise the account, as the relevant part of the reply is only encrypted with a key derived from the user's password.
To enumerate for AS-REPRoasting we can use tools like ADSearch, PowerView and Impacket.
To perform the attack we can use Impacket or Rubeus.
In order to crack the hash we can use john (--format=krb5asrep --wordlist=wordlist squid_svc) or hashcat (-a 0 -m 18200 squid_svc wordlist).
If we compromise an account with GenericAll permissions over another user, we can set the DONT_REQ_PREAUTH attribute to make the user susceptible to AS-REPRoasting. This is a more subtle option than changing the user's password directly, but it requires the password to be weak in order for us to crack the hash.
OPSEC: AS-REPRoasting will generate a 4768 event with RC4 encryption and a pre-authentication type of 0.
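As an added example (not part of the original notes), the check below applies the OPSEC note to constructed 4768 records: it flags successful AS-REQs with pre-authentication type 0 and RC4 (etype 0x17), and also tests a userAccountControl value for the DONT_REQ_PREAUTH bit (0x400000) mentioned above. Field names follow the 4768 event schema, but the flat key=value layout, user names and IP addresses are all constructed.

```python
# Added example, not from the original page: detect AS-REP roasting indicators in
# Windows Security event 4768 records and audit userAccountControl for
# DONT_REQ_PREAUTH. All records below are constructed for this example.
import re

DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit that disables pre-authentication
RC4_HMAC = 0x17               # Kerberos etype 23 (RC4-HMAC), what roasting tools request

# Constructed 4768 records in a flat key=value form (real events are XML/EVTX).
SAMPLE_4768 = """\
EventID=4768 TargetUserName=squid_svc IpAddress=10.0.0.25 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=alice IpAddress=10.0.0.31 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=bob IpAddress=10.0.0.25 TicketEncryptionType=0x17 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=ghost IpAddress=10.0.0.25 TicketEncryptionType=0x17 PreAuthType=0 Status=0x6
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value record into a dict; numeric fields become ints."""
    ev = dict(FIELD.findall(line))
    for key in ("TicketEncryptionType", "PreAuthType", "Status"):
        if key in ev:
            ev[key] = int(ev[key], 0)   # base 0 accepts both "0x17" and "0"
    return ev

def asrep_roast_candidates(log_text):
    """Return (user, source_ip) for issued TGTs with no pre-auth and RC4 etype."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4768":
            continue
        # Status 0x0 = ticket issued (crackable material left the KDC);
        # Status 0x6 = client principal unknown, so nothing was issued.
        if (ev.get("PreAuthType") == 0
                and ev.get("TicketEncryptionType") == RC4_HMAC
                and ev.get("Status") == 0):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits

def preauth_disabled(user_account_control):
    """True when the account's userAccountControl has DONT_REQ_PREAUTH set."""
    return bool(user_account_control & DONT_REQ_PREAUTH)

if __name__ == "__main__":
    for user, ip in asrep_roast_candidates(SAMPLE_4768):
        print(f"possible AS-REP roast of {user} requested from {ip}")
    print(preauth_disabled(0x400200))   # NORMAL_ACCOUNT | DONT_REQ_PREAUTH -> True
```

A Windows client for an account with pre-auth disabled also logs PreAuthType 0, but normally with an AES etype (0x12), so the RC4 condition is what separates the tooling from ordinary logons.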