
Attack Technique 6: AS-REP Roasting

AS-REP Roasting Attack: Overview and Mitigation Strategies


Introduction

AS-REP Roasting is a specialized attack technique used to extract and crack password hashes from user accounts in Active Directory (AD) environments that have Kerberos pre-authentication disabled. This vulnerability allows attackers to capture sensitive information and potentially gain unauthorized access to network resources.


Attack Overview

  1. Exploited Protocol: Kerberos Authentication (Windows Networks)

  2. Targeted Accounts: User accounts with pre-authentication disabled

  3. Attack Goal: Extract encrypted password hashes (AS-REP messages) for offline cracking


Kerberos Authentication Process (Standard Scenario)

  1. User Sends AS-REQ: The user initiates authentication by sending an Authentication Server Request (AS-REQ) to the Domain Controller (DC).

  2. Pre-Authentication with Timestamp: The request includes a current timestamp encrypted with a key derived from the user's password (commonly called the password hash). Because only a holder of that key can produce the ciphertext, the DC can confirm the request is genuine, and the timestamp prevents replay of an old request.

  3. DC Verifies the Timestamp: If valid, the DC responds with an AS-REP message, which includes a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC).


AS-REP Roasting Attack Execution

  1. AS-REQ Without Pre-Authentication: If pre-authentication is disabled, the attacker can send an AS-REQ directly without providing a timestamp.

  2. Capture AS-REP Message: The DC responds with an AS-REP message containing data encrypted with the user's password hash.

  3. Offline Hash Cracking: The attacker extracts the encrypted portion of the AS-REP, which serves as the crackable "hash", and uses tools like Hashcat to perform offline brute-force attacks to recover the plaintext password. Because the cracking happens offline, the DC never sees the guessing attempts.


Implications and Risks

  • Credential Theft: Attackers can extract and crack user passwords, gaining unauthorized access.

  • Privilege Escalation: Cracked credentials may belong to privileged accounts, allowing lateral movement within the network.

  • Stealth: The attack does not generate significant noise in logs, making detection difficult if not monitored properly.


Tools and Techniques to Perform an AS-REP Roasting Attack

Tool: Rubeus

Rubeus is a powerful tool designed for Kerberos-related attacks, including AS-REP Roasting.

Step 1: Identify Vulnerable Accounts

Command to list accounts without pre-authentication:

Rubeus.exe asreproast

Step 2: Extract AS-REP Hashes

Command to extract AS-REP hashes in a Hashcat-compatible format:

Rubeus.exe asreproast /format:hashcat /outfile:C:\Temp\hashes.txt
  • The output is saved to hashes.txt, ready for offline cracking.

Step 3: Crack Passwords with Hashcat

Use Hashcat to perform brute-force cracking of the AS-REP hashes:

hashcat64.exe -m 18200 C:\Temp\hashes.txt dictionary.dict
  • Mode 18200 is specific to Kerberos AS-REP hashes.

  • The attacker can use wordlists or customized dictionaries for faster cracking.


Detection Methods for AS-REP Roasting

Proactive detection of AS-REP Roasting attacks involves monitoring specific event logs and analyzing changes in user account settings.

1. Monitoring Pre-Authentication Settings

Key event to monitor:

  • Event ID 4738:

    • Description: Triggered when a user account is modified.

    • Key Fields:

      • Security ID: ID of the account making changes.

      • Account Name: Name of the modified account.

      • Logon ID: Logon session where changes were made.

2. Analyzing Changes in Directory Service Objects

  • Event ID 5136:

    • Description: Logs changes to AD objects, including modifications to user accounts.

    • Key Fields:

      • Distinguished Name (DN): Identifies the modified object.

      • LDAP Display Name: Indicates which attributes were changed (e.g., DoesNotRequirePreAuth).

Indicators of Potential AS-REP Roasting:

  • Accounts with DoesNotRequirePreAuth enabled.

  • Sudden changes to user accounts’ Kerberos authentication settings.

  • High-volume AS-REQ traffic originating from unexpected sources.
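The page lists Event IDs 4738 and 5136 as the events to watch. The following added script (not from the original page) turns those indicators into a hunt over the Domain Controller Security log and adds one more signal that is not on the page: Event ID 4768 (a Kerberos TGT was requested), whose Pre-Authentication Type field records 0 when the AS-REQ carried no pre-authentication, which is exactly the request the attack described above sends. The script assumes it runs on or against a DC with "Audit Kerberos Authentication Service", "Audit User Account Management" and "Audit Directory Service Changes" enabled; the `$ComputerName` and `$Hours` parameters are the script's own.

```powershell
# Added example (not from the original page): hunt the DC Security log for
# AS-REP Roasting signals. Assumes the relevant audit subcategories are enabled
# and the caller can read the Security log on $ComputerName.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: run on a DC
    [int]$Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)

# Flatten the EventData block of an event into a hashtable keyed by field name.
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-SecurityEvents([int]$Id) {
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = $since
    } -ErrorAction SilentlyContinue
}

# 1. 4768 with PreAuthType 0 and a ticket actually issued (Status 0x0): the KDC
#    returned an AS-REP to a request that carried no pre-authentication.
#    RC4 ticket encryption (0x17) makes the captured blob cheaper to crack.
$asrep = foreach ($e in Get-SecurityEvents 4768) {
    $f = Get-EventFields $e
    if ($f['PreAuthType'] -eq '0' -and $f['Status'] -eq '0x0') {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Account  = $f['TargetUserName']
            ClientIP = $f['IpAddress']
            Enc      = $f['TicketEncryptionType']
        }
    }
}
"`n== AS-REPs issued without pre-authentication (last $Hours h) =="
$asrep | Sort-Object Time | Format-Table -AutoSize

# One client pulling AS-REPs for several distinct accounts is the bulk pattern:
# roasting tools request every roastable user in one sweep.
"`n== Clients requesting AS-REPs for multiple accounts =="
$asrep | Group-Object ClientIP |
    Where-Object { ($_.Group.Account | Sort-Object -Unique).Count -gt 1 } |
    Select-Object @{n='ClientIP';e={$_.Name}},
                  @{n='Accounts';e={($_.Group.Account | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize

# 2. 4738 (user account changed) whose rendered message reports the
#    "Don't Require Preauth" control flag being switched on.
"`n== Accounts where 'Don't Require Preauth' was enabled (4738) =="
foreach ($e in Get-SecurityEvents 4738) {
    if ($e.Message -match "'Don't Require Preauth' - Enabled") {
        $f = Get-EventFields $e
        [pscustomobject]@{ Time = $e.TimeCreated; Target = $f['TargetUserName']; ChangedBy = $f['SubjectUserName'] }
    }
}

# 3. 5136 (directory object modified) where the written userAccountControl
#    value carries the UF_DONT_REQUIRE_PREAUTH bit (0x400000 = 4194304).
"`n== userAccountControl writes setting UF_DONT_REQUIRE_PREAUTH (5136) =="
foreach ($e in Get-SecurityEvents 5136) {
    $f = Get-EventFields $e
    if ($f['AttributeLDAPDisplayName'] -eq 'userAccountControl' -and
        ((($f['AttributeValue'] -as [int]) -band 0x400000) -ne 0)) {
        [pscustomobject]@{ Time = $e.TimeCreated; Object = $f['ObjectDN']; ChangedBy = $f['SubjectUserName'] }
    }
}
```

The 4768 check is the one that catches the attack itself rather than the precondition: an account can sit with pre-auth disabled for months, but the AS-REP only leaves the DC when someone asks for it. A failed request (non-zero Status) is deliberately excluded so the list only contains AS-REPs the KDC actually handed out.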


Mitigation Techniques for AS-REP Roasting

To prevent AS-REP Roasting attacks, organizations should implement the following best practices:

1. Locate and Secure Vulnerable Accounts

Use PowerShell to identify accounts with pre-authentication disabled:

Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | 
Where-Object {$_.DoesNotRequirePreAuth -eq $True -and $_.Enabled -eq $True} | 
Select-Object SamAccountName, DoesNotRequirePreAuth | 
Sort-Object SamAccountName
  • Action: Enable pre-authentication for all identified accounts.

2. Enforce Strong Password Policies

  • Complex Passwords: Require long, complex passwords for all accounts, particularly privileged ones.

  • Password Rotation: Regularly change passwords to reduce the effectiveness of cracked hashes.

3. Monitor Privileged Accounts and Pre-Auth Settings

Understand who has the ability to disable pre-authentication using this PowerShell query:

Get-ADUser -Filter 'useraccountcontrol -band 4194304' |
ForEach-Object { (Get-Acl "AD:\$($_.DistinguishedName)").Access }
  • This query retrieves the Access Control List (ACL) of every account with the UF_DONT_REQUIRE_PREAUTH flag (0x400000 = 4194304). It is piped per account because a single "AD:\" path string cannot hold several distinguished names at once; the one-liner form only works when exactly one account matches.
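Sections 1 and 3 above find the vulnerable accounts and dump their ACLs. The following added script (not from the original page) combines both steps into one remediation pass: it lists every enabled account with pre-authentication disabled, narrows each ACL down to the principals who can actually write `userAccountControl` (and therefore flip the setting back), and turns pre-authentication on again. It assumes the ActiveDirectory module, rights to modify the accounts, and is left in `-WhatIf` mode so the result is reviewed before anything changes; `$UF_DONT_REQUIRE_PREAUTH` and `$uacGuid` are the script's own variable names.

```powershell
# Added example (not from the original page): locate accounts that do not require
# Kerberos pre-authentication, show who can re-disable it, and re-enable it.
# Assumes the ActiveDirectory module and write rights on the target accounts.
Import-Module ActiveDirectory

# UF_DONT_REQUIRE_PREAUTH bit in userAccountControl
$UF_DONT_REQUIRE_PREAUTH = 0x400000   # 4194304

# Resolve the schemaIDGUID of userAccountControl from this forest's schema at
# run time instead of hard-coding it, so the ACL filter below is always right.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$uacAttr  = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID
$uacGuid  = [guid]$uacAttr.schemaIDGUID

# Enabled accounts whose userAccountControl has the pre-auth bit set.
$vulnerable = Get-ADUser -Filter "userAccountControl -band $UF_DONT_REQUIRE_PREAUTH" `
                  -Properties DoesNotRequirePreAuth, Enabled |
              Where-Object { $_.Enabled }

foreach ($u in $vulnerable) {
    Write-Host "[!] $($u.SamAccountName) does not require pre-auth" -ForegroundColor Yellow

    # Principals who can change the setting again: WriteProperty on this
    # attribute (or on all properties), or rights that imply it.
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                ($_.ActiveDirectoryRights -match 'WriteProperty' -and
                 ($_.ObjectType -eq $uacGuid -or $_.ObjectType -eq [guid]::Empty)) -or
                $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
            )
        } |
        Select-Object @{n='Account';e={$u.SamAccountName}}, IdentityReference, ActiveDirectoryRights |
        Format-Table -AutoSize

    # Re-enable pre-authentication. Remove -WhatIf once the list has been reviewed.
    Set-ADAccountControl -Identity $u -DoesNotRequirePreAuth $false -WhatIf
}
```

Two practical notes: re-enabling pre-authentication stops future captures but does nothing about an AS-REP that was already pulled, so the password of each listed account should be reset as part of the same change; and if an account had the flag set on purpose for a legacy client that cannot do pre-auth, that dependency has to be dealt with first, otherwise the setting will simply be flipped back.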

4. Implement Multi-Factor Authentication (MFA)

Adding MFA to accounts significantly reduces the risk of unauthorized access, even if passwords are compromised.

5. Regularly Audit and Monitor Account Changes

  • Implement SIEM solutions to analyze event logs and detect unusual patterns.

  • Set up alerts for Event IDs 4738 and 5136 to identify unauthorized account modifications.


Conclusion

The AS-REP Roasting attack exploits a misconfiguration in Active Directory environments, enabling attackers to extract and crack password hashes for offline use. By leveraging tools like Rubeus and Hashcat, adversaries can exploit accounts with disabled pre-authentication to gain unauthorized access and escalate privileges.

To defend against AS-REP Roasting, organizations must adopt a proactive security posture. This includes:

  • Enabling Kerberos pre-authentication for all user accounts.

  • Enforcing strong password policies.

  • Implementing robust monitoring and auditing practices.

By addressing these vulnerabilities, organizations can significantly enhance the security of their Active Directory environments and reduce the risk of credential theft.


Last updated 5 months ago