AS-REP Roasting

We need valid credentials or access to a domain-joined machine for this attack.

Theory

A user can only receive its TGT & Session Key (AS-REP) after first sending a timestamp encrypted with their password hash (AS-REQ). This is called Kerberos Pre-Authentication.

By default, pre-authentication is enabled for every user, but it can be disabled per account, for example on some service accounts.

If Kerberos pre-authentication is disabled for a user, we can request a TGT & session key on behalf of that user without knowing their password. Once we have received the TGT & key, we can attempt to crack the user's hash with hashcat.

This works because the session key in the AS-REP is encrypted by Kerberos using the user's hash, so hashcat can attack that encrypted blob offline and recover the password.

Attack from Kali Linux

This tool is already available in Kali

impacket-GetNPUsers -dc-ip 192.168.50.70  -request -outputfile hashes.asreproast corp.com/pete

It requires the DC IP and, at the end, the domain name and the username of the user who will perform the roasting (we will be prompted for the password), since our Kali box isn't domain-joined and we aren't authenticated.

It gives us an output listing the users without pre-authentication:

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
Name  MemberOf  PasswordLastSet             LastLogon                   UAC      
----  --------  --------------------------  --------------------------  --------
dave            2022-09-02 19:21:17.285464  2022-09-07 12:45:15.559299  0x410200 
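The UAC column above is what explains why dave shows up: it is the raw userAccountControl value, and 0x410200 includes the DONT_REQ_PREAUTH bit (0x400000). The following is an added example, not part of the original notes or of impacket: it decodes the standard userAccountControl flag bits and picks out, from the GetNPUsers output shown above, every account that has pre-authentication disabled, which is the same check a defender can run against AD to find accounts that should have the flag removed.

```python
import re

# Standard userAccountControl bit names (AD userAccountControl attribute), subset.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",  # the bit that makes an account AS-REP roastable
    0x800000: "PASSWORD_EXPIRED",
}
DONT_REQ_PREAUTH = 0x400000

def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_getnpusers_table(text):
    """Parse the Name and UAC columns of the GetNPUsers table into (name, uac) pairs."""
    rows, in_table = [], False
    for line in text.splitlines():
        if re.match(r"^-+\s+-+", line):      # dashed separator under the header row
            in_table = True
            continue
        if in_table and line.strip():
            parts = line.split()              # MemberOf may be empty; name is first, UAC last
            rows.append((parts[0], int(parts[-1], 16)))
    return rows

def preauth_disabled_accounts(text):
    """Account names whose UAC has DONT_REQ_PREAUTH set, i.e. the roastable ones."""
    return [name for name, uac in parse_getnpusers_table(text) if uac & DONT_REQ_PREAUTH]

# Sample input: the GetNPUsers output shown above, embedded here verbatim.
SAMPLE_OUTPUT = """\
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
Name  MemberOf  PasswordLastSet             LastLogon                   UAC      
----  --------  --------------------------  --------------------------  --------
dave            2022-09-02 19:21:17.285464  2022-09-07 12:45:15.559299  0x410200 
"""

if __name__ == "__main__":
    for name, uac in parse_getnpusers_table(SAMPLE_OUTPUT):
        print(name, hex(uac), decode_uac(uac))
```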

Then with this hashcat command we crack the hashes saved in hashes.asreproast:

This is how we find the right hashcat mode for this attack:

Attack from domain-joined Windows

Here it's easier since we're already authenticated:

Then we crack them the same way with hashcat.

It can be downloaded here => https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
