While looking at Pass-the-Ticket we explored Rubeus, a tool by Harmj0y that can be used to experiment with Kerberos security in Active Directory and explore various attack vectors. One of the areas I found interesting when testing Rubeus was the different password cracking options it made available. This includes two primary methods: Kerberoasting and AS-REP Roasting. The most frightening part of both of these techniques is that they can be performed without any special privileges on the domain, making them a prime privilege escalation path for attackers.
We’ve covered Kerberoasting in the past, and while Rubeus does provide some very clever and convenient ways to test out Kerberoasting security, I will save that for a future post. In this post I am going to focus on the AS-REP roasting functionality.
What is AS-REP Roasting?
AS-REP Roasting is an attack against Kerberos for user accounts that do not require preauthentication. This is explained in pretty thorough detail in Harmj0y’s post here, so I’ll focus on summarizing it. Pre-authentication is the first step in Kerberos authentication, and is designed to prevent brute-force password guessing attacks.
During preauthentication, a user enters their password, which is used to encrypt a timestamp. The domain controller then attempts to decrypt it to validate that the right password was used and that the request is not a replay of a previous one. From there, the TGT is issued for the user to use for future authentication. If preauthentication is disabled, an attacker could request authentication data for any user and the DC would return an encrypted TGT that can be brute-forced offline.
Luckily, preauthentication is required by default in Active Directory. However, this can be controlled by a user account control setting on every user account, seen here:
Performing AS-REP Roasting with Rubeus
Using Rubeus, you can easily perform AS-REP roasting to evaluate how this attack could work in your environment. To do so you just need to use the following command:
This will automatically find all accounts that do not require preauthentication and extract the encrypted TGT data required for offline cracking, as shown here:
Now that we have this working, let’s take it one step further and extract the data in a format that can be cracked offline by Hashcat, which can perform fast brute-force password cracking against hashes such as this.
To do that we will use this command:
Rubeus.exe asreproast /format:hashcat /outfile:C:\Temp\hashes.txt
This will output the AS-REP hash information to a text file. From my Commando VM, it’s straightforward to use Hashcat to crack this file. The one useful piece of information I did have to find is the right hash-mode code to use for AS-REP hashes, which I found here under “Kerberos 5 AS-REP etype 23”.
Then I just need to provide a command specifying this value, the hash file, and a dictionary to use to perform the brute-force password guessing:
hashcat64.exe -m 18200 C:\Temp\hashes.txt example.dict
And that’s it! There you can see a simple way to crack any user accounts that do not require preauthentication with no special privileges required.
Protections from AS-REP Roasting
Identify Accounts that Do Not Require Preauthentication
The obvious protections from this type of attack are to find and remove any instances of user accounts that are set to not require Kerberos preauthentication. You can do that with a simple script:
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
Running that, you can see I identify the one user I set up for this test case from above.
Another strong protection from this type of attack is to leverage long, complex passwords that will not be found in breached password dictionaries. Using fine-grained password policies especially for privileged accounts is a great first step. For additional protection against commonly breached passwords you can look at Enterprise Password Enforcer.
It’s also important to understand which users have privileges over your AD user accounts and can enable this UAC value, as it can be enabled for just enough time to obtain the AS-REP hash, and then turned off again.
This query will bring back all access rights for user accounts which do not require preauthentication:
# Get-Acl takes one path at a time, so look up each matching account in turn
Get-ADUser -Filter 'useraccountcontrol -band 4194304' | ForEach-Object { (Get-Acl "AD:$($_.DistinguishedName)").Access }
For a more detailed analysis on these vulnerable permissions you can check out Permissions Analyzer.
Beyond knowing what users could do this, you should also monitor for these types of changes. To look for users changing UAC values in your environment you can check out event 4738 looking for changes to the User Account Control ‘Don’t Require Preauth’ value.
You can also monitor event ID 5136 for this.
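One way to act on event 4738, as an added example that is not part of the original post: it reports every change that enables 'Don't Require Preauth', and separately the case described above where the value is enabled and then turned off again shortly afterwards. The function name, the record shape (TimeCreated, Target, Actor, Message) and the 60-minute window are assumptions, and the sample records are constructed.

```powershell
# Added example, not from the original post. The records in $sample are constructed.
# To build the same records on a domain controller, read event 4738 from the
# Security log (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738 })
# and copy the target account, the subject account and the rendered message.

function Find-PreauthChange {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $WindowMinutes = 60    # assumed threshold for "enabled, then turned off"
    )
    # "." stands in for the apostrophes so straight and typographic quotes both match.
    $setPattern   = 'Don.t Require Preauth. - Enabled'
    $clearPattern = 'Don.t Require Preauth. - Disabled'
    $pending = @{}    # target account -> record that enabled the value

    foreach ($r in ($Records | Sort-Object TimeCreated)) {
        if ($r.Message -match $setPattern) {
            $pending[$r.Target] = $r
            [pscustomobject]@{ Finding = 'FlagSet'; Target = $r.Target
                               Actor = $r.Actor; At = $r.TimeCreated; Minutes = $null }
        }
        elseif ($r.Message -match $clearPattern -and $pending.ContainsKey($r.Target)) {
            $minutes = ($r.TimeCreated - $pending[$r.Target].TimeCreated).TotalMinutes
            $pending.Remove($r.Target)
            if ($minutes -le $WindowMinutes) {
                [pscustomobject]@{ Finding = 'FlagSetThenCleared'; Target = $r.Target
                                   Actor = $r.Actor; At = $r.TimeCreated; Minutes = $minutes }
            }
        }
    }
}

# Constructed sample records (account names and times are made up).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2019-03-04 09:12:00'; Target = 'svc-legacy'
                       Actor = 'admin-a'; Message = "User Account Control: 'Don't Require Preauth' - Enabled" }
    [pscustomobject]@{ TimeCreated = [datetime]'2019-03-04 14:02:00'; Target = 'jsmith'
                       Actor = 'helpdesk-b'; Message = "User Account Control: 'Don't Require Preauth' - Enabled" }
    [pscustomobject]@{ TimeCreated = [datetime]'2019-03-04 14:09:00'; Target = 'jsmith'
                       Actor = 'helpdesk-b'; Message = "User Account Control: 'Don't Require Preauth' - Disabled" }
)
Find-PreauthChange -Records $sample | Format-Table -AutoSize
```

A 'FlagSetThenCleared' finding is the one to escalate first, since the account looks normal again by the time anyone runs the Get-ADUser audit shown earlier.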
You can also use StealthINTERCEPT to block unwanted changes to Active Directory.
So in summary, AS-REP cracking can be a very effective technique but should be easily preventable as long as you identify your vulnerabilities and implement these mitigations and monitor for signs of compromise.
Jeff Warren is STEALTHbits’ General Manager, Products. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.