In this blog post we will look at how to perform AS-REP roasting in two different ways, how to use hashcat to crack a krbasrep5 hashes, and how to mitigate this type of attack.
During kerberos pre-authentication, a user’s NTID is used to encrypt a timestamp and then the domain controller will attempt to decrypt it to validate that the right password was used. However, If a user has pre-authentication disabled, an attacker can request any authentication data for any user and the KDC will return an encrypted TGT that can be cracked offline. When pre-authentication is disabled, the KDC skips the step of validating that the user is really who they say they are and returns an encrypted TGT out of “trust”.
AS-REP Roasting is a technique used by attackers to dump the krbasrep5 hash of user accounts that have Kerberos pre-authentication disabled. Unlike Kerberoasting, these users do not have to be service accounts.
Generally, the only requirement to perform AS-REP Roasting remotely is to have a valid username of the user that has pre-authentication disabled. However, we will see that this is not always the case and that there are times where you may be able to request the TGT with only knowing the name of the domain and the IP of the domain controller.
Rubeus is a tool that can be used to dump the krbasrep5 hash of any AS-REP roastable users in the domain.
You can find a copy of rubeus.exe here, but you will need to compile the executable yourself. Luckily, there is a compiled version that you can find here.
Rubeus is a very powerful tool and it is definitely worth going over to the GitHub page (using the first link above) to check out all the ways you can use this tool to abuse kerberos.
When it comes to AS-REP roasting, Rubeus is the easiest tool to use because it automatically finds AS-REP Roastable users; however, the only downside is that Rubeus requires a foothold where GetNPUsers.py does NOT.
After gaining a foothold on the victim and downloading rubeus.exe, you can use the following command to search for all vulnerable users (users with pre-authentication disabled) and dump their hashes:
Since this type of hash cannot be passed, we will need to crack it.
To learn more about pass-the-hash attacks, check out my post on topic here.
Copy and paste the hashes found into a text file on the attacker machine called asrep_hashes.txt (or whatever you want to call it).
When you copy + paste this hash into a txt file, it will have new lines for each line seen above. If you try to crack this hash as is, it will not work as it is not in the proper format for hashcat. You can use some linux-fu to clean this up or just simply remove all the new lines manually. Regardless of how you do it, the key is to have this hash in a txt file as one continuous string so that it can be cracked using hashcat.
Now that we have pasted the hashes into our asrep_hashes.txt file and cleaned it up, we can use hashcat’s help menu to help us find the cracking mode needed to crack this type of hash. Using the following command, we find the cracking mode is 18200 for this hash type:
hashcat -h | grep -i "AS-REP"
Then, we can use the cracking mode we found to begin cracking the password like so:
hashcat -m 18200 ./asrep_hashes.txt /usr/share/wordlists/rockyou.txt -o cracked_asrep.txt
But it fails!!
However, by adding the best64 rule to the above command, we are able to successfully crack the password!
hashcat -m 18200 ./asrep_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule -o cracked_asrep.txt
vcreed : Dfaster1!23
The lesson here is not to rely too heavily on just rockyou.txt. It is not the be-all-end-all solution so try adding rules or try different wordlists if rockyou doesn’t have the password.
The GetNPUsers.py script is part of the Impacket Suite of Tools, which is an excellent collection that all hackers NEED to have in their tool belt.
For this example we will only be using the GetNPUsers.py script but make sure to check out the other scripts that come in the suite as there are just SO many good ones in there.
To use GetNPUsers.py, you have to enumerate the users beforehand and find which users may be AS-REP roastable (do NOT have pre-auth). You can enumerate AS-REP roastable users using a tool called kerbrute by either supplying a list of usernames found while enumerating or by brute-forcing with a decent username wordlist.
There are many ways to enumerate user accounts in the domain; however, each technique depends on specific ports being open and on the level of access you have on the system. As an simple example, you may be able to enumerate all the users on the system if NULL access is permitted on the SMB/RPC services (specifically RPC for user enumeration). With NULL access available on both services, you can use a tool called enum4linux to enumerate all the users in the domain.
Whether you have crafted your own user list or you are trying to brute force usernames, the command to use kerbrute is the same. The goal when using kerbrute is to find a user that has ‘NOT PREAUTH’ next to their name, which means they are AS-REP roastable.
As an example, lets say we have three domain joined machines: 172.16.1.5, 172.16.1.100, and 172.16.1.200. After running an nbtscan against the machines, we notice the NetBIOS name of the host machines looks interesting.
For this example we need to make a file with each IP address in it. After that, we can use the following command to run an nbtscan against each IP:
nbtscan -r -f ip_addresses.txt
We see that the names of the host machines are vcreed and efrost, which looks like they could be usernames.
Its common for companies to name their host machines using the username of the user who is assigned that machine. This can lead to easy account enumeration for an attacker!
Next, we need to take both of the potential usernames and begin crafting our usernames.txt file with them.
During enumeration it is important to start crafting a usernames.txt file and a passwords.txt file with any usernames and passwords you find. Password reuse is a common issue so its always good to test any passwords you find anywhere you can.
After adding the usernames to the txt file, we can confirm if these are actually accounts in the domain using a tool called kerbrute. Also, if we happen to get lucky, we may find that one of the users have NOT PREAUTH next to their name. This would indicate that the user is AS-REP roastable.
kerbrute -users ./usernames.txt -dc-ip 172.16.1.5 -domain juggernaut.local
Here we see that both users do exist in the domain. Even more importantly, we find that the user vcreed has ‘NOT PREAUTH’ next to his name in the kerbrute output.
Finding that vcreed is AS-REP roastable, we can use GetNPUsers.py to roast him with the following command:
GetNPUsers.py juggernaut.local/vcreed -dc-ip 172.16.1.5 -no-pass
After requesting the ticket and dumping the krbasrep5 hash of vcreed, we can proceed to crack the hash using hashcat the same way we did in the Rubeus example.
When using GetNPUsers.py, the hash is dumped in a format ready to use in hashcat. You can simply copy and paste the hash into a txt file and then begin cracking with no linux-fu needed to remove new-lines.
In some rare cases, you may get really lucky and find a user with pre-authentication disabled without having a valid username to pass into the command. All you need to have to test for this is the IP of the domain controller and the name of the domain, like so:
GetNPUsers.py juggernaut.local/ -dc-ip 172.16.1.5
If this works, you will see the username of the user who has pre-authentication disabled and then you can request their hash by adding the -request flag:
GetNPUsers.py juggernaut.local/ -dc-ip 172.16.1.5 -request
- Enable pre-authentication: Make sure all users have pre-authentication enabled (it is enabled by default).
On the domain controller, go to Sever Manager > Tools > Active Directory Users and Computers > Users and then select the user that has pre-authentication disabled and then Right-Click > Account and scroll down to the bottom of Account Options and make sure the Do not require Kerberos preauthentication box is unchecked.
Here we can see user vcreed has pre-authentication disabled, which was confirmed earlier using kerbrute.
However, simply unchecking the box will make pre-authentication enabled. By default, Windows has this box unchecked so that users require pre-authentication.