While looking at Pass-the-Ticket we explored a tool Rubeus by Harmj0y which can be used to experiment with Kerberos security in Active Directory and explore various attack vectors.  One of the areas I found interesting when testing Rubeus was the different password cracking options it made available.  This includes two primary methods: Kerberoasting and AS-REP Roasting.  The most frightening part of both of these techniques is that they can be performed without any special privileges on the domain, making them a prime privilege escalation path for attackers. 

We’ve covered Kerberoasting in the past, and while Rubeus does provide some very clever and convenient ways to test out Kerberoasting security I will save that for a future post.  In this post I am going to focus on the AS-REP roasting functionality. 

What is AS-REP Roasting?

AS-REP Roasting is an attack against Kerberos for user accounts that do not require preauthentication.  This is explained in pretty thorough detail in Harmj0y’s post here, so I’ll focus on summarizing it.  Pre-authentication is the first step in Kerberos authentication, and is designed to prevent brute-force password guessing attacks. 

During preauthentication, a user will enter their password which will be used to encrypt a timestamp and then the domain controller will attempt to decrypt it and validate that the right password was used and that it is not replaying a previous request.  From there, the TGT will be issued for the user to use for future authentication.  If preauthentication is disabled, an attacker could request authentication data for any user and the DC would return an encrypted TGT that can be brute-forced offline. 

Luckily, preauthentication is required by default in Active Directory.  However, this can be controlled by a user account control setting on every user account, seen here:

Performing AS-REP Roasting with Rubeus

Using Rubeus, you can easily perform AS-REP roasting to evaluate how this attack could work in your environment.  To do so you just need to use the following command:

Rubeus.exe asreproast

This will automatically find all accounts that do not require preauthentication and extract the encrypted TGT data required for offline cracking, as shown here:

Now that we have this working let’s take it one step further and extract the data in a format that can be cracked offline by Hashcat which can perform fast brute force password cracking against hashes such as this.

To do that we will use this command:

Rubeus.exe asreproast /format:hashcat /outfile:C:Temphashes.txt

Which will output the AS-REP hash information to a text file.  From my Commando VM, it’s straightforward to use Hashcat to crack this file.  The one useful piece of information I did have to find is the right hash-mode code to use for AS-REP hashes, which I found here under “Kerberos 5 AS-REP etype 23”. 

Then I just need to provide a command specifying this value, the hash file, and a dictionary to use to perform the brute-force password guessing:

hashcat64.exe -m 18200 c:Temphash.txt example.dict

And that’s it!  There you can see a simple way to crack any user accounts that do not require preauthentication with no special privileges required.

Protections from AS-REP Roasting

Identify Accounts that Do Not Require Preauthentication

The obvious protections from this type of attack are to find and remove any instances of user accounts that are set to not require Kerberos preauthentication.  You can do that with a simple script:

 Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

Running that you can see I identify the one user I set up for this test case from above.

Password Strength

Another strong protection from this type of attack is to leverage long, complex passwords that will not be found in breached password dictionaries.  Using fine-grained password policies especially for privileged accounts is a great first step.  For additional protection against commonly breached passwords you can look at Enterprise Password Enforcer.

AD Privileges

It’s also important to understand what users have privileges to your AD user accounts and can enable this UAC value, as it can be enabled for just enough time to obtain the AS-REP hash, and then turned off again. 

This query will bring back all access rights for user accounts which do not require preauthentication:

(Get-ACL "AD:$((Get-ADUser -Filter 'useraccountcontrol -band 4194304').distinguishedname)").access

For a more detailed analysis on these vulnerable permissions you can check out Permissions Analyzer.

Change Monitoring

Beyond knowing what users could do this, you should also monitor for these types of changes.  To look for users changing UAC values in your environment you can check out event 4738 looking for changes to the User Account Control ‘Don’t Require Preauth’ value. 

You can also monitor event ID 5136 for this.

You can also use StealthINTERCEPT to block unwanted changes to Active Directory. 

So in summary, AS-REP cracking can be a very effective technique but should be easily preventable as long as you identify your vulnerabilities and implement these mitigations and monitor for signs of compromise.