Attack Technique 6: AS-REP Roasting
AS-REP Roasting Attack: Overview and Mitigation Strategies
Introduction
AS-REP Roasting is an attack technique that targets user accounts in Active Directory (AD) environments for which Kerberos pre-authentication has been disabled. For such an account the Domain Controller will hand an AS-REP containing material encrypted with a key derived from the user's password to anyone who asks for it, and that material can be cracked offline. The result is a recovered plaintext password, which the attacker can then use to access network resources as that user. It is a misconfiguration, not a flaw in Kerberos itself.
Attack Overview
Exploited Protocol: Kerberos Authentication (Windows Networks)
Targeted Accounts: User accounts with pre-authentication disabled
Attack Goal: Obtain AS-REP messages whose encrypted part is derived from the user's password, so the password can be cracked offline
Kerberos Authentication Process (Standard Scenario)
User Sends AS-REQ: The client initiates authentication by sending an Authentication Server Request (AS-REQ) to the Domain Controller (DC), which acts as the Key Distribution Center (KDC).
Pre-Authentication with Timestamp: With pre-authentication enabled, the request carries the current timestamp encrypted with a key derived from the user's password (for RC4-HMAC, etype 23, that key is the NT hash itself). Only a holder of the password can produce it, so the KDC knows the request is genuine before it releases anything, and the short validity window of the timestamp limits replay.
DC Verifies the Timestamp: If the timestamp decrypts and falls within the allowed clock skew, the KDC responds with an AS-REP containing a Ticket Granting Ticket (TGT) and a session key; the session key is encrypted with the same user-derived key. If the AS-REQ carries no valid pre-authentication, the KDC returns a KRB_ERROR (KDC_ERR_PREAUTH_REQUIRED) and no user-encrypted data at all.
AS-REP Roasting Attack Execution
AS-REQ Without Pre-Authentication: If pre-authentication is disabled on the account (the UF_DONT_REQUIRE_PREAUTH flag in userAccountControl), the KDC accepts an AS-REQ that carries no encrypted timestamp. The attacker needs only the target's username and network access to a DC; no password, and in the simplest case no domain credentials at all.
Capture AS-REP Message: The KDC responds with an AS-REP whose encrypted part (the session key and related fields) is encrypted with the key derived from the user's password.
Offline Cracking: The attacker extracts that encrypted part, formats it as a crackable hash (for RC4-HMAC, the $krb5asrep$23$user@DOMAIN:... form), and runs a wordlist or brute-force attack with a tool such as Hashcat. Each candidate password is turned into a key and tested against the captured data; a match reveals the plaintext password. Nothing further touches the domain, so there is no lockout risk and no additional log noise during cracking.
Implications and Risks
Credential Theft: Cracked passwords give the attacker valid domain credentials.
Privilege Escalation: Accounts with pre-authentication disabled are often service or legacy accounts; if one is privileged, or its password is reused elsewhere, the attacker can move laterally and escalate.
Stealth: Each AS-REQ is a normal-looking TGT request and produces an ordinary Event ID 4768 on the DC; only the Pre-Authentication Type field (0) distinguishes it, and the cracking happens offline. The attack is easy to miss if that field is not monitored.
Tools and Techniques to Perform an AS-REP Roasting Attack
Tool: Rubeus
Rubeus is a C# toolkit for Kerberos interaction and abuse; its asreproast action automates AS-REP Roasting end to end, from finding eligible accounts to writing out crackable hashes.
Step 1: Identify Vulnerable Accounts
Command to list accounts without pre-authentication:
Step 2: Extract AS-REP Hashes
Command to extract AS-REP hashes in a Hashcat-compatible format:
The output is saved to hashes.txt, ready for offline cracking.
Step 3: Crack Passwords with Hashcat
Use Hashcat to perform brute-force cracking of the AS-REP hashes:
Mode 18200 is Hashcat's mode for Kerberos 5 AS-REP hashes with etype 23 (RC4-HMAC), the encryption type Rubeus requests by default.
A wordlist combined with a rule set is usually far faster than pure brute force; attackers build dictionaries from the organization's naming conventions and previously leaked passwords.
Detection Methods for AS-REP Roasting
Proactive detection of AS-REP Roasting attacks involves monitoring specific event logs and analyzing changes in user account settings.
1. Monitoring Pre-Authentication Settings
Key event to monitor:
Event ID 4738: A user account was changed.
Description: Logged on the DC whenever an account's attributes or flags are modified, including the pre-authentication flag.
Key Fields:
Subject Security ID / Account Name / Logon ID: The account and logon session that made the change.
Target Account Name: The account that was modified.
User Account Control: The flags that changed. The value to alert on is 'Don't Require Preauth' - Enabled.
2. Analyzing Changes in Directory Service Objects
Event ID 5136: A directory service object was modified.
Description: Logs attribute-level changes to AD objects, including user accounts. It is only generated when the Directory Service Changes audit subcategory is enabled and the objects carry a matching SACL.
Key Fields:
Distinguished Name (DN): Identifies the modified object.
LDAP Display Name: The attribute that changed. The pre-authentication setting lives in userAccountControl; DoesNotRequirePreAuth is the PowerShell property name for the same bit (UF_DONT_REQUIRE_PREAUTH, 0x400000).
Attribute Value and Operation Type: A modification produces a Value Deleted event with the old value and a Value Added event with the new one. A Value Added for userAccountControl whose 0x400000 bit is set means pre-authentication was just disabled.
Indicators of Potential AS-REP Roasting:
Accounts with DoesNotRequirePreAuth enabled, especially ones where the flag was set recently.
Sudden changes to user accounts' Kerberos authentication settings (the 4738 and 5136 patterns above).
Bursts of TGT requests (Event ID 4768) with Pre-Authentication Type 0, which is what an AS-REQ without an encrypted timestamp looks like in the log; many different target accounts from one source address, unexpected source addresses, or RC4 (Ticket Encryption Type 0x17) requested where AES is the norm all raise the suspicion.
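The detection logic described in this section, as an added example run against a domain controller's Security log (not from the original article). It assumes the Account Management, Directory Service Changes and Kerberos Authentication Service audit subcategories are enabled, that it is run on the DC or with -ComputerName added to each Get-WinEvent call, and the 24-hour lookback is an arbitrary choice. Field names are the documented EventData names for events 4738, 5136 and 4768; the 5136 Operation Type code %%14674 is the raw value behind "Value Added".

```powershell
# Added example, not part of the original article. Audit settings, DC context
# and the lookback window are assumptions.
$since = (Get-Date).AddHours(-24)

# Helper: turn an EventRecord into a hashtable of its EventData fields.
function Get-EventFields($Event) {
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 1. 4738: an account was changed and the resolved message shows the flag being switched on.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738; StartTime=$since} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match "Don't Require Preauth'\s*-\s*Enabled" } |
  ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
      Time      = $_.TimeCreated
      Event     = 4738
      Target    = $f['TargetUserName']
      ChangedBy = $f['SubjectUserName']
      LogonId   = $f['SubjectLogonId']
    }
  }

# 2. 5136: userAccountControl rewritten with bit 0x400000 (UF_DONT_REQUIRE_PREAUTH) set.
$DONT_REQ_PREAUTH = 0x400000
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $f = Get-EventFields $_
    if ($f['AttributeLDAPDisplayName'] -eq 'userAccountControl' -and
        $f['OperationType'] -eq '%%14674' -and                      # Value Added = the new value
        (([long]$f['AttributeValue']) -band $DONT_REQ_PREAUTH)) {
      [pscustomobject]@{
        Time      = $_.TimeCreated
        Event     = 5136
        Object    = $f['ObjectDN']
        NewUAC    = '0x{0:X}' -f [long]$f['AttributeValue']
        ChangedBy = $f['SubjectUserName']
      }
    }
  }

# 3. 4768: the roast itself. Pre-Authentication Type 0 means the AS-REQ carried
# no encrypted timestamp. Group by source address to spot account enumeration.
$xpath = "*[System[EventID=4768]] and *[EventData[Data[@Name='PreAuthType']='0']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
  Where-Object { $_.TimeCreated -ge $since } |
  ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
      Time   = $_.TimeCreated
      Target = $f['TargetUserName']
      Source = $f['IpAddress']
      Etype  = $f['TicketEncryptionType']   # 0x17 = RC4-HMAC, the type Rubeus asks for by default
      Status = $f['Status']                 # 0x0 = AS-REP issued, i.e. a crackable blob left the DC
    }
  } |
  Group-Object Source | Sort-Object Count -Descending |
  Select-Object Name, Count, @{n='Targets'; e={ ($_.Group.Target | Sort-Object -Unique) -join ',' }}
```

The third query is the one worth turning into a standing alert: a single source requesting TGTs for several different accounts with Pre-Authentication Type 0 and Status 0x0 is the signature of Rubeus or similar tooling sweeping the domain, whereas a legitimate legacy client repeats the same account from the same host.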
Mitigation Techniques for AS-REP Roasting
To prevent AS-REP Roasting attacks, organizations should implement the following best practices:
1. Locate and Secure Vulnerable Accounts
Use PowerShell to identify accounts with pre-authentication disabled:
Action: Enable pre-authentication on every account found. Where a legacy application genuinely cannot pre-authenticate, treat the account as high-risk: a long random password, the minimum privileges it needs, AES-only Kerberos if the client supports it, and close monitoring of its 4768 events.
2. Enforce Strong Password Policies
Long Passwords: Require long passphrases or randomly generated passwords for all accounts, and especially for privileged and service accounts; length is what defeats offline cracking, since the attacker's guess rate is limited only by their hardware.
Password Rotation: Rotate passwords on accounts that must keep pre-authentication disabled. Rotation does not prevent cracking, but it bounds how long a cracked password stays useful.
3. Monitor Privileged Accounts and Pre-Auth Settings
Understand who has the ability to disable pre-authentication. Any principal with write access to userAccountControl on a user object (directly, through write-all-properties, or through GenericAll, GenericWrite, WriteDacl or WriteOwner) can set the flag, so the ACLs on user objects need review as much as the flag itself. Use this PowerShell query:
This query retrieves the Access Control List (ACL) for accounts that currently carry the UF_DONT_REQUIRE_PREAUTH flag and shows which identities could set it again after it is cleared.
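The locate, remediate and ACL-review steps of sections 1 and 3, as one added example (not the article's own queries). It assumes the RSAT ActiveDirectory module, a logon with rights to read ACLs and edit the accounts, and an allow-list name (legacy_app_svc) that is purely hypothetical; DoesNotRequirePreAuth is the module's property name for bit 0x400000 of userAccountControl.

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory
# module; the exception list is a hypothetical placeholder.
Import-Module ActiveDirectory

# 1. Locate accounts with pre-authentication disabled.
$roastable = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' `
    -Properties DoesNotRequirePreAuth, userAccountControl, PasswordLastSet, AdminCount

$roastable |
  Select-Object SamAccountName, Enabled, PasswordLastSet, AdminCount,
    @{n='UAC'; e={ '0x{0:X}' -f $_.userAccountControl }} |
  Format-Table -AutoSize

# The same set via a raw LDAP bitwise-AND filter, for tools outside PowerShell:
#   (userAccountControl:1.2.840.113556.1.4.803:=4194304)

# 2. Remediate: clear the flag. Keep -WhatIf until the exception list has been
# reviewed; accounts that stay on the list need the compensating controls above.
$exceptions = @('legacy_app_svc')   # hypothetical allow-list
foreach ($u in ($roastable | Where-Object { $_.SamAccountName -notin $exceptions })) {
    Set-ADAccountControl -Identity $u -DoesNotRequirePreAuth $false -WhatIf
}

# 3. Who could set the flag again? Resolve the schema GUID of userAccountControl
# and list every Allow ACE on each roastable account that can write it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$uacAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID
$uacGuid  = [guid]::new([byte[]]$uacAttr.schemaIDGUID)

$R = [System.DirectoryServices.ActiveDirectoryRights]
$writeMask = $R::WriteProperty -bor $R::GenericAll -bor $R::GenericWrite -bor $R::WriteDacl -bor $R::WriteOwner

$roastable | ForEach-Object {
    $u   = $_
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $acl.Access |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeMask) -ne 0) -and
        # Empty ObjectType = the ACE covers all properties; otherwise it must name
        # userAccountControl. Property-set GUIDs are not expanded, so this under-reports slightly.
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $uacGuid)
      } |
      Select-Object @{n='Account'; e={ $u.SamAccountName }}, IdentityReference,
                    ActiveDirectoryRights, IsInherited
} | Format-Table -AutoSize
```

Inherited ACEs in the output point at the OU or domain level where the right is actually granted; those, rather than the per-object entries, are usually where an over-broad delegation (a help-desk group with GenericAll over an OU of service accounts, for example) needs to be tightened.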
4. Implement Multi-Factor Authentication (MFA)
Adding MFA at the points where credentials are used (VPN, remote access gateways, administrative portals, privileged access workstations) limits what an attacker can do with a cracked password. MFA does not stop the roast itself and does not protect plain Kerberos logons that never prompt for a second factor, so it complements, rather than replaces, enabling pre-authentication.
5. Regularly Audit and Monitor Account Changes
Implement SIEM solutions to analyze event logs and detect unusual patterns.
Set up alerts for Event IDs 4738 and 5136 (changes to the pre-authentication flag) and for Event ID 4768 with Pre-Authentication Type 0 (the roast itself).
Conclusion
The AS-REP Roasting attack exploits a misconfiguration in Active Directory environments: an account that does not require pre-authentication lets anyone obtain an AS-REP encrypted with a key derived from its password, which can then be cracked offline. By leveraging tools like Rubeus and Hashcat, adversaries can turn such accounts into valid domain credentials and use them to gain unauthorized access and escalate privileges.
To defend against AS-REP Roasting, organizations must adopt a proactive security posture. This includes:
Enabling Kerberos pre-authentication for all user accounts.
Enforcing strong password policies.
Implementing robust monitoring and auditing practices.
By addressing these vulnerabilities, organizations can significantly enhance the security of their Active Directory environments and reduce the risk of credential theft.