AS-REP Roast (Kerberoasting)

The AS-REP Roasting attack, also known as Kerberoasting, is a type of attack that targets the Kerberos authentication protocol commonly used in Active Directory environments. The attack allows an attacker to extract an encrypted Kerberos Ticket Granting Ticket (TGT) for any user account that has Kerberos pre-authentication disabled, which includes service accounts. The goal is to extract these TGTs and crack the password offline in order to gain unauthorized access to the user's account.

Here's how the attack works:

  1. Kerberos Authentication: In a Windows Active Directory environment, users and services authenticate using the Kerberos protocol. When a user logs in, their credentials are presented to the Key Distribution Center (KDC), and they receive a TGT, which serves as a ticket for requesting service tickets to access resources within the network.

  2. Pre-Authentication: By default, user accounts in Active Directory use pre-authentication. In this process, the client sends the KDC a timestamp encrypted with the user's password, and the KDC verifies that the password is correct before issuing the TGT. If pre-authentication is disabled for an account, the password is not validated during the initial TGT request.

  3. AS-REP Roasting Attack: An attacker can use the Kerberoasting attack when pre-authentication is disabled for a user account. The attacker requests a TGT for that specific user account from the KDC without supplying any pre-authentication data, and the KDC responds with the encrypted TGT.

  4. Offline Cracking: Once the attacker has the encrypted TGT, they can perform an offline brute-force attack to recover the user's password. Because the TGT is encrypted with the user's password hash, the attacker can use standard password-cracking tools and wordlists to attempt to recover the plaintext password without further contact with the KDC.

  5. Privilege Escalation: If the attacker successfully cracks the password, they can impersonate the user and access any resources and services within the network to which that user has permissions.

Find users that don't use pre-authentication and fetch their TGT hashes

impacket-GetNPUsers -request -dc-ip 10.10.10.161 htb.local/

# OR, If we know the username:
impacket-GetNPUsers -dc-ip 10.10.10.161 htb.local/svc-alfresco -no-pass

Crack the TGT hash (saved to a file named hash) using John

john hash --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt
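From the defender's side, the same activity is visible in the domain controller's Security log: a successful event 4768 (TGT requested) whose Pre-Authentication Type is 0 means the account did not pre-authenticate, and an RC4 (0x17) ticket encryption type is the variant that cracks fastest with the john command above. The following Python is an added example, not part of this page or of impacket, that runs that check over constructed sample 4768 records and also decodes the userAccountControl DONT_REQ_PREAUTH bit (0x400000) that exposes an account to this attack in the first place; the flattened key=value log format is an assumption for the sample.

```python
import re

# userAccountControl bit that disables Kerberos pre-authentication (DONT_REQ_PREAUTH)
DONT_REQ_PREAUTH = 0x400000

# Constructed sample of Windows Security event 4768 records, flattened to one line
# each (the key=value layout is an assumption made for this example). Field meanings
# follow 4768: PreAuthType 0 = logon without pre-authentication, 2 = encrypted
# timestamp; TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256; Status 0x0 = success.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=svc-alfresco IpAddress=10.10.14.5 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=jdoe IpAddress=10.10.10.20 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=backup IpAddress=10.10.14.5 PreAuthType=0 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=krbtgt IpAddress=10.10.10.20 PreAuthType=2 TicketEncryptionType=0x17 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn each flattened 4768 line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def asrep_roast_candidates(events):
    """Return (user, source_ip, etype, is_rc4) for every successful TGT request that
    was issued without pre-authentication, i.e. what an AS-REP roast looks like."""
    hits = []
    for e in events:
        if e.get("EventID") != "4768" or e.get("Status") != "0x0":
            continue
        if e.get("PreAuthType") != "0":
            continue
        etype = int(e["TicketEncryptionType"], 16)
        hits.append((e["TargetUserName"], e["IpAddress"], etype, etype == 0x17))
    return hits


def preauth_disabled(user_account_control):
    """True when DONT_REQ_PREAUTH is set in an account's userAccountControl value."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    for user, ip, etype, rc4 in asrep_roast_candidates(parse_events(SAMPLE_4768)):
        print(f"{user} from {ip}: no pre-auth, etype 0x{etype:x}{' (RC4)' if rc4 else ''}")
```

The remediation is to clear that bit on every flagged account (or, where a legacy application truly needs it, give the account a long random password), which removes the hash the john step depends on.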