Kerberoasting and AS-REP Roasting

Kerberoasting and AS-REP roasting are post-exploitation attacks that target the Kerberos authentication protocol in Active Directory environments. Both attacks aim to obtain password hashes of user accounts that can be cracked offline, bypassing account lockout policies and logging mechanisms. The PT0-002 exam covers these attacks under Objective 3.4 (Exploit weaknesses in authentication systems) and expects you to understand the protocol flow, tool usage, and mitigation strategies.

Kerberoasting specifically targets service accounts that have a Service Principal Name (SPN) registered in Active Directory. Any domain user can request a Kerberos service ticket (TGS) for any SPN, and the ticket is encrypted with the service account's NTLM hash. The attacker extracts this encrypted ticket and performs offline brute-force to recover the plaintext password. AS-REP roasting targets user accounts that have the 'Do not require Kerberos pre-authentication' flag set. For these accounts, an attacker can request an authentication response (AS-REP) without providing any credentials, and the response contains encrypted data using the user's NTLM hash, which can be cracked offline.

To understand these attacks, you must first understand the Kerberos ticket-granting process. Kerberos uses three main messages: - AS-REQ (Authentication Service Request): Client sends username to KDC (Key Distribution Center, which is the Domain Controller). - AS-REP (Authentication Service Reply): KDC responds with a TGT (Ticket-Granting Ticket) encrypted with the user's NTLM hash. - TGS-REQ (Ticket-Granting Service Request): Client sends TGT and requests a service ticket for a specific SPN. - TGS-REP (Ticket-Granting Service Reply): KDC sends a service ticket encrypted with the target service account's NTLM hash.

In Kerberoasting, the attacker skips the AS-REQ/AS-REP phase (they already have a valid TGT) and directly requests TGS tickets for SPNs of interest. The TGS-REP contains a service ticket that includes a portion encrypted with the service account's NTLM hash. The attacker receives this encrypted blob and can attempt to crack it offline.

Key Details for the Exam: - The TGS ticket is encrypted with the service account's NTLM hash, not the user's hash. - The attack does not require special privileges; any authenticated domain user can request TGS for any SPN. - The encryption type used in the ticket matters: RC4 (type 23) is easier to crack than AES (type 18). The exam may ask which encryption type is more vulnerable. - Tools: Rubeus, Impacket, PowerView, Mimikatz (for extraction).

Key Details: - Only works for users with the 'Do not require Kerberos pre-authentication' flag enabled. - No authentication required; the attacker can be unauthenticated (anonymous) or authenticated. - The encrypted data uses the user's password hash, not a service account hash. - Tool: Rubeus asreproast, Impacket GetNPUsers.

| Feature | Kerberoasting | AS-REP Roasting | |---------|---------------|-----------------| | Target | Service accounts with SPNs | Users with pre-auth disabled | | Requires authentication? | Yes (valid TGT) | No (can be anonymous) | | Hash type | Service account NTLM | User NTLM | | Privilege required | Low (domain user) | None (anonymous) | | Common tool | Rubeus kerberoast, GetUserSPNs.py | Rubeus asreproast, GetNPUsers.py |

Kerberos supports multiple encryption types for tickets: - RC4-HMAC (type 23): Uses the NTLM hash directly. This is the easiest to crack because the hash is unsalted and can be fed directly to hashcat mode 13100 (for TGS) or 18200 (for AS-REP). - AES128-CTS-HMAC-SHA1 (type 17) and AES256-CTS-HMAC-SHA1 (type 18): More computationally expensive to crack. However, tools like hashcat support these modes (19700 for Kerberoast AES, 19600 for AS-REP AES). - DES (type 1): Obsolete but still possible; easily crackable.

The exam may ask which encryption type is most vulnerable to offline cracking. The answer is RC4 because it uses the unsalted NTLM hash, which can be cracked quickly with tools like hashcat using mode 13100.

Rubeus (Windows): - Kerberoast: Rubeus kerberoast /outfile:hashes.txt - AS-REP roast: Rubeus asreproast /outfile:asrephashes.txt

Impacket (Linux): - Kerberoast: GetUserSPNs.py domain/user:password -dc-ip 10.0.0.1 -request - AS-REP roast: GetNPUsers.py domain/ -dc-ip 10.0.0.1 -request -format hashcat

PowerView: - Find SPNs: Get-NetUser -SPN - Find users with pre-auth disabled: Get-NetUser -PreauthNotRequired

The PT0-002 exam expects you to:

This deep understanding of the protocol mechanics will help you answer scenario-based questions correctly and avoid common pitfalls.

In enterprise environments, Kerberoasting is a common post-exploitation technique used by red teams and attackers after gaining initial foothold. Consider a scenario where a penetration tester has compromised a workstation as a low-privilege domain user. Using PowerView, they enumerate all SPNs and find a SQL Server service account with a weak password. They request a TGS ticket for the SQL service, extract the RC4-encrypted hash, and crack it offline to reveal the password 'SQL@dmin2020'. With this password, they can log into the SQL server and access sensitive databases. This attack is particularly dangerous because the service account often has elevated privileges.

AS-REP roasting is less common but equally dangerous when misconfigurations exist. For example, a help desk might disable pre-authentication for a user account to troubleshoot authentication issues, then forget to re-enable it. An attacker scanning for such accounts finds one and, without any credentials, obtains the user's hash. If the user's password is weak, the attacker gains access to that user's resources. In one engagement, a tester found a domain admin account with pre-auth disabled due to legacy application requirements. The AS-REP hash was cracked to reveal 'P@ssw0rd', granting full domain compromise.

Mitigation in production involves several layers. First, enforce strong password policies for service accounts (e.g., 25+ characters). Second, use Group Managed Service Accounts (gMSAs) which have 120-character random passwords that rotate automatically. Third, disable RC4 encryption in the domain if possible, forcing AES encryption that is harder to crack. Fourth, monitor for Event ID 4769 (Kerberos service ticket request) with anomalous patterns, such as a user requesting tickets for many different SPNs in a short time. Finally, regularly audit for accounts with pre-authentication disabled and ensure they are justified.

Performance considerations: Requesting many TGS tickets can cause load on domain controllers, but typically not enough to alert. However, in large environments with thousands of SPNs, the enumeration step can be noisy. Tools like Rubeus have options to throttle requests. The cracking step is computationally intensive; using GPU acceleration with hashcat can crack RC4 hashes at billions of attempts per second. For AES hashes, cracking is significantly slower, making strong passwords effective.

Misconfiguration pitfalls include: leaving RC4 enabled for compatibility, using weak passwords for service accounts (e.g., same as the machine name), and not rotating passwords regularly. Additionally, some administrators mistakenly believe that disabling pre-authentication is harmless because the user still needs to know the password to use the account. However, AS-REP roasting proves that the hash can be obtained without knowledge of the password, making offline cracking possible.