Overview
AS-REP roasting is a technique that lets us obtain offline-crackable material (the encrypted part of a Kerberos AS-REP) for accounts that do not have Kerberos pre-authentication enabled. In this article I will show how to perform an AS-REP roast attack.
Why AS-REP Roasting is Possible
Without getting into the weeds of the Kerberos authentication protocol, the easiest way to think about it is this: when Kerberos pre-authentication is disabled for a user, anyone who can reach the DC can request authentication data (an AS-REP) for that user without proving knowledge of the password. Part of that response is encrypted with a key derived from the user's password, so it can be brute-forced offline.
AS-REP Roasting With Impacket
We can use impacket-GetNPUsers, which is installed by default on Kali, to perform the attack. The basic syntax is as follows:
impacket-GetNPUsers -dc-ip <IP> '<DOMAIN>/' -request

It's worth noting that the DC will not always enumerate the affected users for us like this; we may have to supply a list of usernames ourselves. In that case the syntax looks like so:
impacket-GetNPUsers -dc-ip <IP> '<DOMAIN>/' -usersfile users.txt
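From the defender's side, both of the requests above show up on the domain controller as Security event 4768 (a TGT was requested). The following is an added example, not code from the article or from Impacket: it scans constructed 4768 records (field names follow the event's data names; numeric fields are assumed to have been normalised to integers by the log pipeline) for the two patterns these commands produce, a TGT issued with no pre-authentication and RC4 (0x17) encryption, and one source address requesting tickets for many different accounts without pre-authentication, which is what the user-list run looks like. The threshold and sample values are assumptions.

```python
"""Flag AS-REP roasting activity in Windows Security event 4768 records.

Added example (not from the article). The records are constructed inline in the
shape a SIEM would extract from event 4768: TargetUserName, PreAuthType,
TicketEncryptionType, IpAddress and Status (the Kerberos result code).
"""
from collections import defaultdict

# Event 4768 semantics: PreAuthType 0 means no pre-authentication data was sent;
# encryption type 0x17 is RC4-HMAC, the etype roasting tools ask for because the
# resulting ciphertext is the cheapest to crack. Status 0x0 means a ticket was issued.
NO_PREAUTH = 0
RC4_HMAC = 0x17
SUCCESS = "0x0"

# Constructed sample events (assumed values, not real logs):
#  - alice: an ordinary logon (timestamp pre-auth, AES etype)
#  - svc_backup: pre-auth disabled, roasted from 10.0.0.99
#  - bob, carol, dave: the same source trying accounts from a user list;
#    0x19 = pre-auth required, 0x6 = client not found
#  - svc_legacy: pre-auth disabled, but requested by a normal AES client
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.15", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.99", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.99", "Status": "0x19"},
    {"EventID": 4768, "TargetUserName": "carol", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.99", "Status": "0x19"},
    {"EventID": 4768, "TargetUserName": "dave", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.99", "Status": "0x6"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": 0,
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.15", "Status": "0x0"},
]


def is_asrep_roast(ev):
    """High-confidence signature: a TGT issued with no pre-auth and the RC4 etype."""
    return (ev.get("EventID") == 4768
            and ev.get("PreAuthType") == NO_PREAUTH
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and ev.get("Status") == SUCCESS)


def scan(events, spray_threshold=3):
    """Return roasted (user, source) pairs and sources that tried many accounts.

    spray_threshold (an assumed tuning value) is the number of distinct accounts
    one source must request without pre-auth before it is reported.
    """
    roasted = []
    no_preauth_by_ip = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        if is_asrep_roast(ev):
            roasted.append((ev["TargetUserName"], ev["IpAddress"]))
        # Count every no-pre-auth request, successful or not: the failures are
        # what a user-list run against accounts that do require pre-auth leaves behind.
        if ev.get("PreAuthType") == NO_PREAUTH:
            no_preauth_by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    spraying = {ip: sorted(users) for ip, users in no_preauth_by_ip.items()
                if len(users) >= spray_threshold}
    return {"roasted": roasted, "spraying_sources": spraying}


if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for user, ip in result["roasted"]:
        print(f"AS-REP roast: {user} requested without pre-auth from {ip}")
    for ip, users in result["spraying_sources"].items():
        print(f"user-list run from {ip}: {', '.join(users)}")
```

Note that svc_legacy is not reported even though pre-authentication is disabled for it: a normal Windows client negotiates AES, so the RC4 etype is the part of the signature that separates a roasting tool from ordinary use of such an account.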

Cracking The Hash With Hashcat
Once we have obtained the hash we can crack it offline with hashcat (mode 18200 is Kerberos 5 AS-REP etype 23). The command looks like so:
hashcat -m 18200 hashes.krb /usr/share/wordlists/rockyou.txt --force

In this case hashcat cracked the hash easily with rockyou; however, it will not always be this easy to crack the hash.
Remediation
The best way to protect yourself against this attack is to disable Kerberos pre-authentication only when it is absolutely necessary. Beyond that, giving any such account a long and complex password that cannot easily be cracked is also a way to remediate this.
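The setting discussed above (and the reason the attack works, from the "Why AS-REP Roasting is Possible" section) is a single bit in the account's userAccountControl attribute, DONT_REQ_PREAUTH (0x400000). The following is an added example, not code from the article: it audits constructed directory entries for that bit, reports whether each affected account is still enabled, and computes the attribute value that clears the bit. The LDAP filter constant is the standard bitwise-AND filter for the same bit and is what you would hand to a real directory search; the sample entries are assumptions.

```python
"""Audit accounts for the DONT_REQ_PREAUTH userAccountControl bit.

Added example, not from the article. Entries are constructed inline; a real run
would feed in sAMAccountName and userAccountControl from an LDAP search.
"""

# userAccountControl bits (from the Active Directory schema definition).
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000  # 4194304 decimal

# Server-side equivalent of the check below: 1.2.840.113556.1.4.803 is the
# LDAP bitwise-AND matching rule, so this matches exactly the accounts a
# roasting tool can target.
PREAUTH_DISABLED_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

# Constructed sample entries (assumed values).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "old_svc",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "bob",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
]


def preauth_disabled(uac):
    """True when the account can be AS-REP roasted (pre-auth not required)."""
    return bool(int(uac) & DONT_REQ_PREAUTH)


def remediated_value(uac):
    """userAccountControl with only the DONT_REQ_PREAUTH bit cleared."""
    return int(uac) & ~DONT_REQ_PREAUTH


def audit(entries):
    """Return one finding per account with pre-auth disabled.

    Disabled accounts are still reported: the bit survives re-enabling the
    account, so they should be cleaned up before anyone turns them back on.
    """
    findings = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if not preauth_disabled(uac):
            continue
        findings.append({
            "account": entry["sAMAccountName"],
            "enabled": not (uac & ACCOUNTDISABLE),
            "fixed_uac": remediated_value(uac),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ENTRIES):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['account']}: pre-auth not required ({state}); "
              f"set userAccountControl to {f['fixed_uac']:#x}")
```

Run the audit regularly rather than once: the bit is a per-account setting that anyone with write access to the account can flip back, and a long password only helps the accounts that genuinely need it set.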