{"id":166,"date":"2023-03-09T22:01:45","date_gmt":"2023-03-09T22:01:45","guid":{"rendered":"https:\/\/merrillnewman.tech\/?p=166"},"modified":"2023-03-09T22:09:42","modified_gmt":"2023-03-09T22:09:42","slug":"as-rep-roasting","status":"publish","type":"post","link":"https:\/\/merrillnewman.tech\/?p=166","title":{"rendered":"AS-REP Roasting"},"content":{"rendered":"\n

Overview<\/h3>\n\n\n\n

AS-REP roasting is a technique that enables us to steal the password hashes of accounts without Kerberos pre-authentication enabled. In this article I will show how to perform an AS-REP roast attack.<\/p>\n\n\n\n\n\n\n\n

Why AS-REP Roasting is Possible<\/h3>\n\n\n\n

Without getting into the weeds of the Kerberos authentication protocol the easiest way to think about it is this. When Kerberos pre-authentication is disabled for a user we are able to request authentication data for that user, since part of this data is encrypted using the users password we are able to brute force it offline.<\/p>\n\n\n\n

AS-REP Roasting With Impacket<\/h3>\n\n\n\n

We can use impacket-GetNPUsers<\/code>, which is installed by default on kali, to perform the attack. The basic syntax is as follows:<\/p>\n\n\n\n

impacket-GetNPUsers -dc-ip <IP> '<DOMAIN>\/' -request<\/code><\/pre>\n\n\n\n
\"\"
AS-REP roasting with Forest from HTB<\/figcaption><\/figure>\n\n\n\n
It’s worth noting that the DC will not always return all users for us like this, we may have to give it a list of users. In this case we would use a syntax like so.<\/p>\n\n\n\n
impacket-GetNPUsers -dc-ip <IP> '<DOMAIN>\/' -usersfile users.txt<\/code><\/pre>\n\n\n\n
\"\"
AS-REP roasting with user file<\/figcaption><\/figure>\n\n\n\n
Cracking The Hash With Hashcat<\/h3>\n\n\n\n
Once we have obtained the hash we can crack it offline with hashcat. The syntax for the command would look like so.<\/p>\n\n\n\n
hashcat -m 18200 hashes.krb \/usr\/share\/wordlists\/rockyou.txt --force\n<\/code><\/pre>\n\n\n\n
\"\"
Cracking the password with hashcat<\/figcaption><\/figure>\n\n\n\n
In this case the hash was able to be cracked easily with hashcat and rockyou, however it might not always be this easy to crack the hash.<\/p>\n\n\n\n
Remediation<\/h3>\n\n\n\n
The best way to protect yourself against this attack it to only disable Kerberos pre-authentication when it is absolutely necessary, other than this having a long and complex password that someone could not easily crack is also a way to remediate this.<\/p>\n","protected":false},"excerpt":{"rendered":"
Overview AS-REP roasting is a technique that enables us to steal the password hashes of accounts without Kerberos pre-authentication enabled. In this article I will show how to perform an AS-REP roast attack.<\/p>\n","protected":false},"author":1,"featured_media":170,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"hide_page_title":"","_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-166","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=166"}],"version-history":[{"count":4,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/166\/revisions"}],"predecessor-version":[{"id":175,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/166\/revisions\/175"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/media\/170"}],"wp:attachment":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}