Kerberos AS-REP Roasting: The Essentials

Understanding authentication attacks is crucial for securing modern networks. One technique targeting the widely used Kerberos protocol is known as AS-REP Roasting. This attack exploits a specific configuration vulnerability in Active Directory environments.

At its heart, AS-REP Roasting focuses on users who are configured not to require Kerberos pre-authentication. Normally, when a user requests a Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC), they must prove their identity by encrypting a timestamp with their password hash. This step, pre-authentication, prevents attackers from simply requesting TGTs for any user and getting a response encrypted with a potentially weak password hash.

However, if a user account is configured with the ‘Do not require Kerberos preauthentication’ flag set, the KDC behaves differently. When an attacker, without knowing the user’s password, sends an Authentication Service (AS) request for such a user, the KDC does not challenge the request with pre-authentication. Instead, it immediately returns an AS-REP response. Crucially, this AS-REP response contains information encrypted using the target user’s password hash.

The attacker’s objective is to capture this encrypted AS-REP message. Once captured, they can take it offline and attempt to crack it using tools designed for password cracking, such as Hashcat or John the Ripper. Since the encryption key is the user’s password hash, successfully decrypting the AS-REP effectively reveals the user’s password. This is a form of offline password cracking, which can be highly effective if the target user has a weak or common password.

The attack typically involves enumerating user accounts within a domain and identifying those with the vulnerable ‘Do not require Kerberos preauthentication’ flag enabled. Tools like Rubeus are often used to automate the process of requesting the AS-REP and extracting the hash in a crackable format. The security risk is significant because the attacker doesn’t need any privileged access or even network adjacency to the target user’s machine; they only need to communicate with the domain controller.

Mitigating AS-REP Roasting is straightforward but requires diligence. The primary defense is to ensure that all user accounts require Kerberos pre-authentication. This is the default setting for new user accounts in Active Directory, but it may be disabled for compatibility reasons or misconfiguration. Regularly auditing user account settings to identify and correct any instances where pre-authentication is disabled is vital. Additionally, implementing strong password policies makes the offline cracking of captured AS-REP hashes significantly more difficult, even if an attacker manages to obtain one. Security monitoring for suspicious AS requests targeting accounts without pre-authentication can also help detect attempted attacks.
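
The audit and the monitoring step above, as an added example that is not part of the original article: the `DONT_REQ_PREAUTH` bit (0x400000) in `userAccountControl` and the Pre-Authentication Type field of Windows security event 4768 are real Active Directory values; the account names, addresses and event records are constructed, and `min_accounts` is an assumed threshold.

```python
"""Defender-side checks for AS-REP Roasting (added example, constructed data)."""
from collections import defaultdict

# userAccountControl flag behind "Do not require Kerberos preauthentication".
DONT_REQ_PREAUTH = 0x400000


def accounts_without_preauth(export):
    """Return account names whose userAccountControl has DONT_REQ_PREAUTH set.

    `export` is a list of (sAMAccountName, userAccountControl) pairs, as you
    would get from an LDAP dump or Get-ADUser -Properties userAccountControl.
    """
    return sorted(name for name, uac in export if uac & DONT_REQ_PREAUTH)


def suspicious_asrep_requests(events, min_accounts=3):
    """Flag client addresses that obtained TGTs for several accounts with
    Pre-Authentication Type 0 (no pre-auth) in event 4768 records.

    One such request is indistinguishable from a normal logon of a no-preauth
    account, so the signal is one source collecting TGTs for many of them.
    Each event is a dict keyed by the 4768 field names; Status 0 means success.
    """
    per_source = defaultdict(set)
    for ev in events:
        if ev["EventID"] != 4768 or ev["PreAuthType"] != 0:
            continue
        if ev.get("Status", 0) != 0:  # failed requests return no ticket
            continue
        per_source[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in per_source.items()
            if len(users) >= min_accounts}


# Constructed sample data: not real accounts, hosts or log lines.
SAMPLE_EXPORT = [("svc_legacy", 0x400200), ("jdoe", 0x200), ("svc_backup", 0x410200)]
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": u, "IpAddress": "10.0.0.55",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0}
    for u in ("svc_legacy", "svc_backup", "admin_old")
] + [
    {"EventID": 4768, "TargetUserName": "nosuchuser", "IpAddress": "10.0.0.55",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x6},
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "10.0.0.20",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0},
]

if __name__ == "__main__":
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_EXPORT))
    print("suspicious sources:", suspicious_asrep_requests(SAMPLE_EVENTS))
```

Accounts returned by the first check can be fixed by clearing the flag (in the AD module, `Set-ADAccountControl -DoesNotRequirePreAuth $false`); the second check is meant to run over 4768 events collected from domain controllers.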

Source: https://www.bleepingcomputer.com/news/security/kerberos-as-rep-roasting-attacks-what-you-need-to-know/