Hunting AS-REP Roasting Attack

AS-REP Roasting: Understanding and Mitigating the Threat

AS-REP Roasting is a Kerberos attack targeting accounts that have pre-authentication disabled. For such accounts the Key Distribution Center (KDC) will answer a Ticket Granting Ticket (TGT) request without the requester first proving its identity, so an attacker can request and receive the reply, part of which is encrypted with a key derived from the account's password. The attacker can then crack that material offline to recover the credential.


Attack Workflow

  1. Enumerate User Accounts:

    • Attackers identify accounts with Kerberos pre-authentication disabled.

  2. Request TGT:

    • A TGT is requested from the KDC for the targeted account.

  3. Receive Encrypted TGT:

    • The KDC responds with the TGT reply, part of which is encrypted with a key derived from the account’s password hash.

  4. Offline Hash Cracking:

    • The attacker cracks the captured reply offline using tools such as John the Ripper or Hashcat.


Executing AS-REP Roasting

1. User Enumeration

Use kerbrute to identify valid domain accounts:

./kerbrute_linux_amd64 userenum -d CYBERCONSULTING.org --dc 192.168.230.140 users.txt

2. AS-REP Roasting with Impacket

Identify accounts with pre-authentication disabled using GetNPUsers.py:

python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py CYBERCONSULTING.org/ -dc-ip 192.168.230.140 -user users.txt -no-pass -format john

3. Crack the Hash

Use John the Ripper to crack the extracted hash:

john --wordlist=pass.txt hash.txt

Alternative Tools

  • Rubeus: A tool for performing Kerberos-related attacks, including AS-REP Roasting, from a compromised system.


Detection Techniques

Detecting AS-REP Roasting can be challenging as it mimics legitimate Kerberos traffic. However, specific Windows Security Event Logs can reveal suspicious activity:

Event ID 4768

  • Generated on the Domain Controller by the KDC for every Kerberos authentication ticket (TGT) request.

Legitimate Event Example:

  • Encryption Type: 0x12 (AES-256).

  • Pre-Authentication Type: Non-zero value.

Suspicious Event Example:

  • Encryption Type: 0x17 (RC4 encryption).

  • Pre-Authentication Type: 0 (disabled).


Hunting Strategy

To identify AS-REP Roasting attempts, query for Event ID 4768 on the Domain Controller and filter based on the following criteria:

  • Ticket Encryption Type: 0x17 (RC4).

  • Pre-Authentication Type: 0.

Example Query for SIEM:

(EventID=4768) AND (TicketEncryptionType=0x17) AND (PreAuthType=0)
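As an added illustration that is not part of the original post, the hunting rule above applied in Python to constructed 4768 records in Windows event XML form. It goes one step beyond the query by grouping hits per source IP, since one client receiving replies for many different accounts matches the enumeration step in the attack workflow; the sample events and account names are constructed, not real telemetry.

```python
from collections import defaultdict
from xml.etree import ElementTree as ET

# Namespace used by Windows event XML (as exported by wevtutil / Get-WinEvent).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RC4_HMAC = 0x17  # TicketEncryptionType value the hunting rule keys on


def _event(user, ip, etype, preauth):
    """Build one constructed 4768 record in the Windows event XML schema."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4768</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="IpAddress">::ffff:{ip}</Data>'
            f'<Data Name="TicketEncryptionType">{etype}</Data>'
            f'<Data Name="PreAuthType">{preauth}</Data></EventData></Event>')


# Constructed sample log: one normal AES request, one legacy RC4 client that
# still pre-authenticates (PreAuthType 2), and two no-pre-auth RC4 replies to one host.
SAMPLE_XML = "<Events>" + "".join([
    _event("alice", "10.0.0.5", "0x12", "2"),
    _event("legacy01", "10.0.0.7", "0x17", "2"),
    _event("svc_backup", "10.0.0.99", "0x17", "0"),
    _event("jdoe", "10.0.0.99", "0x17", "0"),
]) + "</Events>"


def parse_events(xml_text):
    """Flatten each <Event> into a dict of its EventData fields plus EventID."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        fields = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        fields["EventID"] = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        events.append(fields)
    return events


def is_asrep_roast_candidate(ev):
    """The rule from the text: 4768 with an RC4 ticket and Pre-Authentication Type 0."""
    if ev.get("EventID") != 4768:
        return False
    etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
    return etype == RC4_HMAC and ev.get("PreAuthType") == "0"


def hunt(xml_text):
    """Return matching events and, per source IP, the distinct accounts targeted."""
    hits = [e for e in parse_events(xml_text) if is_asrep_roast_candidate(e)]
    by_source = defaultdict(set)
    for e in hits:
        by_source[e["IpAddress"]].add(e["TargetUserName"])
    return hits, {ip: sorted(users) for ip, users in by_source.items()}
```

A single source IP with several distinct accounts in the grouped output is the pattern worth escalating first; the legacy RC4 client is excluded because it still pre-authenticated.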

Mitigation Steps

1. Identify Accounts with Pre-Authentication Disabled

Run this command on the Domain Controller to find vulnerable accounts:

Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | Where-Object { $_.DoesNotRequirePreAuth -eq $true }

2. Enforce Pre-Authentication

Ensure that pre-authentication is enabled for all accounts:

  • Clear the "Do not require Kerberos preauthentication" option on every account that has it set, so pre-authentication is enforced.

3. Enforce Strong Password Policies

  • Implement complex and lengthy password requirements.

  • Use multi-factor authentication (MFA) to reduce reliance on passwords alone.

4. Monitor and Alert

  • Continuously monitor Event ID 4768 for suspicious TGT requests.

  • Implement SIEM alerts to detect AS-REP Roasting patterns.


Key Points

AS-REP Roasting exploits accounts with disabled pre-authentication to obtain encrypted TGTs, enabling offline password cracking. To defend against this attack:

  • Monitor Event ID 4768 for RC4-encrypted tickets and disabled pre-authentication.

  • Enforce pre-authentication across all accounts.

  • Strengthen password policies to mitigate the risk of successful offline cracking.

By proactively identifying and mitigating vulnerabilities, organizations can significantly reduce their exposure to AS-REP Roasting attacks.
