Hacking Active Directory with AS-REP Roasting

Cybertech Maven
Mar 17, 2023

Introduction

AS-REP Roasting is an attack that exploits a weakness in the Kerberos authentication protocol. Specifically, it targets the AS-REP (Authentication Server Response) message used during the initial authentication process when a user logs into a Kerberos-protected network.

During an AS-REP Roasting attack, an attacker captures a valid AS-REP message from the Kerberos authentication server, typically sent when a user logs into the network. The attacker then uses brute-force techniques to crack the encryption that protects the AS-REP message.

Once the attacker has successfully decrypted the AS-REP message, they can obtain the user’s password hash, which can be used to launch further attacks against the network. With the password hash in hand, the attacker can attempt to crack it using tools such as John the Ripper or Hashcat, which can often reveal the plaintext password.

Throughout this project, I adhered to ethical standards and never engaged in any illegal or malicious activities. However, as a cybersecurity enthusiast, learning about potential vulnerabilities and attack vectors is crucial to better protect against them.

Disclaimer:

All information, techniques, and tools described in this write-up are for educational purposes only. Use anything in this write-up at your discretion; I cannot be held responsible for any damages caused to any systems or yourselves legally. Using all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. You must obey all applicable local, state, and federal laws. I accept no liability and will not be responsible for any misuse or damage caused by using the information herein.

Creating Users

On the Domain Controller, open Windows Server Manager.

Click Tools → Active Directory Users and Computers.

Expand Local Domain (MARVEL.local).

Click Users.

Right-click Users → click New → click User.

Give the new user a first name, a last name, and a user logon name.

In my case, I gave the user the following:

First name: Peter

Last name: Parker

User logon name: pparker

Click Next.

Give the new User a password.

Password: Password1234

Uncheck User must change password at next logon.

Click Next.

Click Finish.

The new user account, Peter Parker, has been successfully created.

Open the Peter Parker Properties dialog by double-clicking on Peter Parker.

In Peter Parker Properties, click Account.

Kerberos preauthentication is enabled by default.

In the Account options, check Do not require Kerberos preauthentication.

Click Apply → OK.

This simulates a misconfiguration, since it is strongly recommended not to disable Kerberos preauthentication. With Kerberos preauthentication disabled, the account is vulnerable to AS-REP Roasting. In some cases it may be necessary to disable it to integrate with specific applications, but for the most part there is no reason to disable Kerberos preauthentication.

Performing AS-REP Roasting

When performing AS-REP Roasting, you must have a list of usernames or know the target’s username. Impacket’s GetNPUsers.py tool lets us identify domain users that have “Do not require Kerberos preauthentication” set and request ticket-granting tickets (TGTs) for them without knowing their passwords.

The TGT contains information that the client can use to request additional tickets from the ticket-granting server (TGS), which is used to authenticate the client to specific network services. You can then try to crack the session key sent along with the ticket to retrieve the user password.

Open Kali Linux terminal.

The command format is: GetNPUsers.py <local domain name>/<user logon name> -dc-ip <IP address of the domain controller>

For example, type GetNPUsers.py MARVEL.local/pparker -dc-ip 10.60.0.9

Press Enter.

Enter Kali’s host password.

Press Enter.

An encrypted TGT hash is generated.

To crack it, I first highlighted the hash.

Then right-click → Copy Selection.

Open a new file by typing vim tgt.

Right-click → click Paste Selection.

I pasted the hash in the tgt file.

To exit the file, press Ctrl + C → type :wq → press Enter.

Type sudo john tgt.

Enter Kali’s host password.

I attempted to brute-force it, but because of the lengthy process, I aborted and used John the Ripper since I already knew the password.

To abort the session, press Ctrl + C.

Open a new password file by typing vim thepass.txt.

Type the password: Password1234.

To exit the file, press Ctrl + C → type :wq → press Enter.

Run John the Ripper against the hash with the wordlist:

Type sudo john tgt --wordlist=thepass.txt

The password was cracked!!!

Password1234

Conclusion

To protect against AS-REP Roasting attacks, the first step is to ensure that every account in your environment has Kerberos preauthentication enabled; it is enabled by default, so any account without it has been explicitly changed.
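The misconfiguration created in the Creating Users section (checking “Do not require Kerberos preauthentication”) and the first mitigation above are the same thing seen from two sides, so one audit script covers both. The following is an added example, not code from the original write-up; it assumes the RSAT ActiveDirectory module on a domain-joined machine and an account allowed to read and modify user objects. Nothing is changed until the -WhatIf switch is removed.

```powershell
# Added example (not part of the original write-up): find every account with
# "Do not require Kerberos preauthentication" set and re-enable preauthentication.
# Assumes the RSAT ActiveDirectory module and rights to read/modify user objects.
Import-Module ActiveDirectory

# The checkbox in the Account tab sets bit 0x400000 (DONT_REQ_PREAUTH) of
# userAccountControl; Get-ADUser exposes that bit as DoesNotRequirePreAuth.
$preauthDisabled = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' `
    -Properties DoesNotRequirePreAuth, Enabled, LastLogonDate, PasswordLastSet

if (-not $preauthDisabled) {
    Write-Host 'No accounts have Kerberos preauthentication disabled.'
    return
}

# Report before touching anything, so exceptions that really are needed for an
# application integration can be documented instead of silently reverted.
$preauthDisabled |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# Re-enable preauthentication. Remove -WhatIf to apply the change.
foreach ($user in $preauthDisabled) {
    Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false -WhatIf
}
```

Run it from a scheduled task or as part of a periodic AD health check; in the lab above it should list exactly pparker, and after the change GetNPUsers.py no longer receives a TGT for that account because the KDC demands preauthentication first.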

Also, organizations can implement security measures such as more robust password policies, multi-factor authentication, and limiting the number of failed login attempts. Additionally, network administrators should monitor network traffic for suspicious activity, such as repeated failed login attempts from the same IP address.
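Monitoring for this attack is more precise than watching for failed logins, because a Domain Controller records every TGT request as Security event 4768, including whether preauthentication was used. The following detection script is an added example and not part of the original write-up; it assumes it runs on the Domain Controller (or with -ComputerName added) with rights to read the Security log, and the 24-hour window and the ten-request threshold are assumed values to tune for your environment.

```powershell
# Added example (not part of the original write-up): hunt for AS-REP roasting in
# the Domain Controller's Security log. Event ID 4768 (Kerberos TGT requested)
# carries PreAuthType; 0 means no preauthentication was used, which is what a
# request for a DONT_REQ_PREAUTH account looks like. TicketEncryptionType 0x17
# (RC4-HMAC) is the etype roasting tools request because it cracks fastest.
# Assumptions: run on the DC with Security-log read rights; window and threshold
# are placeholders to tune.
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $since } `
    -ErrorAction SilentlyContinue

$noPreauth = foreach ($event in $events) {
    $xml = [xml]$event.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

    # Normal logons use PreAuthType 2 (encrypted timestamp); keep only the rest.
    if ($data['PreAuthType'] -ne '0') { continue }

    [pscustomobject]@{
        Time     = $event.TimeCreated
        Account  = $data['TargetUserName']
        Domain   = $data['TargetDomainName']
        ClientIP = $data['IpAddress']
        Etype    = $data['TicketEncryptionType']
        Status   = $data['Status']   # 0x0 means a TGT was actually issued
    }
}

# A TGT issued without preauthentication is the core signal; one client pulling
# such tickets for many accounts, or asking for RC4, is the strongest form of it.
$noPreauth | Where-Object { $_.Status -eq '0x0' } |
    Group-Object ClientIP |
    Where-Object { $_.Count -ge 10 -or ($_.Group.Etype -contains '0x17') } |
    ForEach-Object {
        [pscustomobject]@{
            ClientIP = $_.Name
            Requests = $_.Count
            Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
            RC4      = ($_.Group.Etype -contains '0x17')
        }
    } | Format-Table -AutoSize
```

In the lab above, the GetNPUsers.py run would appear as a single 4768 event for pparker from the Kali host’s IP with PreAuthType 0 and etype 0x17; once preauthentication is re-enabled, the same request yields no such event because the KDC refuses to issue the ticket.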

Cybertech Maven

Cybersecurity Researcher | Ethical Hacker | Security Analyst | Web App Pentester | Threat Intelligence