AS-REP Roasting Attack Explained - MITRE ATT&CK T1558.004

By Sıla Özeren • January 18, 2024

 



In the MITRE ATT&CK framework, AS-REP Roasting is catalogued as T1558.004, a sub-technique of 'Steal or Forge Kerberos Tickets'. It exploits a weakness in Kerberos that appears when the 'Do not require Kerberos preauthentication' setting is enabled on a user account: an adversary can obtain a hash of the user's AS-REP material and crack the password offline. This attack poses a significant threat to IT networks worldwide, as it can provide unauthorized access to domain resources.

In this article, we will delve into how tools like Rubeus exploit this vulnerability, examine the potential impact on enterprises, and discuss recommended strategies for detection and mitigation.

What Is AS-REP Roasting Attack?

The AS-REP Roasting attack is a technique targeting Kerberos, a network authentication protocol used in many IT infrastructures. It focuses on user accounts for which Kerberos preauthentication has been disabled.

In a standard Kerberos authentication flow, when pre-authentication is active, the user initiates the process by transmitting an Authentication Server Request (AS-REQ) to the domain controller (DC). This message includes a timestamp encrypted using the hash of the user's password. The DC, upon receipt, tries to decrypt the timestamp using its stored version of the user's password hash. If successful, the DC acknowledges the authentication by replying with an Authentication Server Response (AS-REP), which houses a Ticket Granting Ticket (TGT) issued by the Key Distribution Center (KDC). This TGT is pivotal for the user's subsequent access requests within the domain.

However, if pre-authentication is disabled, the DC sends an AS-REP as soon as it receives an AS-REQ, with no proof of identity required. Part of this response is encrypted using the user's password hash, so an attacker can obtain that encrypted material without ever presenting valid credentials and then run an offline brute-force or dictionary attack to recover the user's password.

In essence, the AS-REP Roasting technique exploits the gap in the Kerberos authentication mechanism that arises when pre-authentication is deactivated, allowing adversaries to gain unauthorized access to critical domain assets.
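To make the two flows concrete, the following toy simulation of the KDC's decision is an added example; it is not code from this article or from any Kerberos implementation. The key derivation, the PA-ENC-TIMESTAMP check and the AS-REP encryption are simplified stand-ins for the RFC 4120 mechanisms, and the account database is constructed. The point it demonstrates: with pre-authentication required, an AS-REQ without proof of identity gets only an error, while an account with the 'Do not require Kerberos preauthentication' bit set receives an AS-REP whose encrypted part is protected by nothing but the user's long-term key.

```python
"""Toy model of the AS-REQ / AS-REP exchange with pre-authentication required
and with it switched off. Added illustration, not real Kerberos: key derivation,
the PA-ENC-TIMESTAMP check and the AS-REP encryption are simplified stand-ins
for the RFC 4120 mechanisms, and the account database is constructed."""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit (decimal 4194304)
UF_NORMAL_ACCOUNT = 0x200
MAX_CLOCK_SKEW = 300  # seconds; Kerberos' default tolerance is five minutes


def derive_key(password: str) -> bytes:
    """Toy stand-in for the Kerberos string-to-key function."""
    return hashlib.sha256(b"toy-string-to-key|" + password.encode("utf-8")).digest()


# Constructed account database: the KDC holds only password-derived keys.
ACCOUNTS: Dict[str, dict] = {
    "alice": {"key": derive_key("constructed-pw-1"), "uac": UF_NORMAL_ACCOUNT},
    "svc_legacy": {"key": derive_key("constructed-pw-2"),
                   "uac": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
}


def build_pa_enc_timestamp(key: bytes, now: float) -> Dict[str, bytes]:
    """Client side: authenticate a fresh timestamp with the user's key (PA-DATA)."""
    ts = str(int(now)).encode()
    return {"timestamp": ts, "mac": hmac.new(key, ts, hashlib.sha256).digest()}


def kdc_handle_as_req(cname: str, pa_data: Optional[Dict[str, bytes]],
                      now: float) -> Tuple[str, Optional[Dict[str, bytes]]]:
    """KDC side: decide whether an AS-REP may be issued for this AS-REQ."""
    account = ACCOUNTS.get(cname)
    if account is None:
        return "KDC_ERR_C_PRINCIPAL_UNKNOWN", None
    key: bytes = account["key"]
    if not account["uac"] & UF_DONT_REQUIRE_PREAUTH:
        # Pre-auth required: without PA-DATA the client gets an error, not a ticket.
        if pa_data is None:
            return "KDC_ERR_PREAUTH_REQUIRED", None
        expected = hmac.new(key, pa_data["timestamp"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pa_data["mac"]):
            return "KDC_ERR_PREAUTH_FAILED", None
        if abs(int(pa_data["timestamp"]) - int(now)) > MAX_CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW", None
    # Pre-auth passed, or the account does not require it. Either way the
    # AS-REP enc-part (here: the session key) is protected only by the user's
    # long-term key, which is what makes an unauthenticated AS-REP crackable offline.
    session_key = os.urandom(16)
    nonce = os.urandom(16)
    keystream = hashlib.sha256(key + nonce).digest()[:16]  # toy stream cipher
    enc_part = bytes(a ^ b for a, b in zip(session_key, keystream))
    return "AS-REP", {"nonce": nonce, "enc_part": enc_part}


def unauthenticated_as_req(cname: str, now: Optional[float] = None) -> str:
    """Outcome of an AS-REQ that carries no PA-DATA at all."""
    return kdc_handle_as_req(cname, None, now or time.time())[0]


def authenticated_as_req(cname: str, password: str, now: Optional[float] = None) -> str:
    """Outcome of an AS-REQ whose PA-ENC-TIMESTAMP was built from `password`."""
    now = now or time.time()
    pa_data = build_pa_enc_timestamp(derive_key(password), now)
    return kdc_handle_as_req(cname, pa_data, now)[0]


if __name__ == "__main__":
    for user in ("alice", "svc_legacy"):
        print(f"{user}: AS-REQ without PA-DATA -> {unauthenticated_as_req(user)}")
```

Running it prints KDC_ERR_PREAUTH_REQUIRED for alice and AS-REP for svc_legacy; the only difference between the two accounts is the UF_DONT_REQUIRE_PREAUTH bit.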

Tools and Techniques to Perform an AS-REP Roasting Attack 

Adversaries can use various third-party tools to perform an AS-REP Roasting attack, such as Rubeus, Empire, Kerbrute and Impacket.

For the AS-REP Roasting Attack to be successful, the adversary targets user accounts that have the “Do not require Kerberos preauthentication” property enabled. When this property is set, the Key Distribution Center (KDC) will provide an AS-REP response without needing the initial preauthentication step, thereby exposing the accounts to potential offline brute-force attacks.

Figure 1: Account Options That Do not Require Kerberos Pre-Authentication [1]

Tool: Rubeus

In order to identify all user accounts that have disabled the pre-authentication feature and extract their AS-REP hashes for offline decryption, an adversary would execute the command:

Rubeus.exe asreproast

To make the subsequent cracking step easier, the attacker can add parameters that format the extracted data for offline cracking tools such as Hashcat:

Rubeus.exe asreproast /format:hashcat /outfile:C:\Temp\hashes.txt

The extracted hashes are written to the file C:\Temp\hashes.txt.

The adversary can then run Hashcat, specifying the hash-mode for AS-REP hashes (18200), the path to the hash file and a dictionary of password guesses:

hashcat64.exe -m 18200 c:\Temp\hashes.txt dictionary.dict

For a description of how the attack is carried out with other tools, see [2].

Detection Methods for the AS-REP Roasting Attack

Detecting AS-REP Roasting is crucial in order to mitigate the risk of password theft. One way is to monitor for changes to the setting that controls whether Kerberos preauthentication is required.

Event ID 4738 - A user account was changed.

  • Key Description Fields: Subject (Security ID, Account Name, Account Domain, Logon ID) and Target Account (Security ID, Account Name)

For instance, during this kind of attack, Event ID 4738 is generated. This event indicates a Kerberos authentication service ticket request and contains parameters such as the Ticket Encryption Type (0x17), Ticket Options (0x40800010) and Service Name (krbtgt). If these parameters are found in the event logs, it may indicate that an AS-REP Roasting attack is taking place, as this event is generated during the manipulation of domain objects by the attacker [3].

Figure 2: The Event ID 4738 [3]

Event ID 5136 - A directory service object was modified.

  • Key Description Fields: Security ID, Account Name, Account Domain, Logon ID, DN, GUID, Class, LDAP Display Name

Another option is to monitor Event ID 5136, which records modifications to directory service objects, including user accounts. By analyzing these events, it is possible to identify any user accounts whose Kerberos preauthentication setting has been changed.
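The two monitoring ideas above, turned into detection logic and run over a handful of sample records. This is an added example, not code from the article or from the Blumira write-up it cites; the field names follow the Windows security-event schema (Subject and Target user, the 'User Account Control' change text of 4738, the LDAP Display Name, Value and Operation Type of 5136), but every record is constructed, and the exact wording assumed for the pre-auth change line should be confirmed against a real 4738 event from your own domain controller.

```python
"""Detection logic for Event IDs 4738 and 5136, run over constructed Windows
security event records. Added example: field names follow the Windows
security-event schema, but all records here are made up."""
from typing import Dict, List

UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit, decimal 4194304
# Assumed text that 4738 reports when the flag is switched on; verify locally.
PREAUTH_DISABLED_MARKER = "'Don't Require Preauth' - Enabled"

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 4738: jdoe turned pre-auth off for svc_backup (should alert)
    {"EventID": "4738", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "UserAccountControl": "'Don't Require Preauth' - Enabled"},
    # 4738: routine change to an unrelated flag (should not alert)
    {"EventID": "4738", "SubjectUserName": "helpdesk", "SubjectDomainName": "CORP",
     "TargetUserName": "mlee", "TargetDomainName": "CORP",
     "UserAccountControl": "'Don't Expire Password' - Enabled"},
    # 5136: the new userAccountControl value carries the bit (should alert)
    {"EventID": "5136", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc_backup,OU=Service,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "userAccountControl",
     "AttributeValue": str(0x200 | UF_DONT_REQUIRE_PREAUTH), "OperationType": "Value Added"},
    # 5136: the 'Value Deleted' half of the same write, old value without the bit
    {"EventID": "5136", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc_backup,OU=Service,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "userAccountControl",
     "AttributeValue": "512", "OperationType": "Value Deleted"},
    # 5136: a different attribute on the same object (should not alert)
    {"EventID": "5136", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc_backup,OU=Service,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description",
     "AttributeValue": "Backup service account", "OperationType": "Value Added"},
]


def preauth_disabled_via_4738(event: Dict[str, str]) -> bool:
    """4738 lists each userAccountControl change as a line of text."""
    return (event.get("EventID") == "4738"
            and PREAUTH_DISABLED_MARKER in event.get("UserAccountControl", ""))


def preauth_disabled_via_5136(event: Dict[str, str]) -> bool:
    """5136 reports which attribute was written and the value that was added."""
    if event.get("EventID") != "5136":
        return False
    if event.get("AttributeLDAPDisplayName") != "userAccountControl":
        return False
    if event.get("OperationType") != "Value Added":
        return False
    try:
        new_value = int(event.get("AttributeValue", ""), 0)
    except ValueError:
        return False
    return bool(new_value & UF_DONT_REQUIRE_PREAUTH)


def find_preauth_changes(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event that switched pre-auth off for an account."""
    alerts = []
    for ev in events:
        if preauth_disabled_via_4738(ev):
            alerts.append({"source": "4738", "actor": ev["SubjectUserName"],
                           "target": ev["TargetUserName"]})
        elif preauth_disabled_via_5136(ev):
            alerts.append({"source": "5136", "actor": ev["SubjectUserName"],
                           "target": ev["ObjectDN"]})
    return alerts


if __name__ == "__main__":
    for alert in find_preauth_changes(SAMPLE_EVENTS):
        print(alert)
```

Both checks fire on the same change here because 4738 and 5136 describe it from different angles (the account-management view and the directory-write view); a single write to userAccountControl produces a 'Value Deleted' and a 'Value Added' 5136 pair, and only the added value is inspected so the old value does not cause a duplicate alert.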

Mitigation Techniques for the AS-REP Roasting Attack

There are a few techniques you can use to mitigate an AS-REP Roasting attack.

Mitigation Technique 1: Locating All User Accounts

The most effective way to prevent AS-REP Roasting attacks is to locate all user accounts that are configured not to require Kerberos pre-authentication and re-enable the requirement. The following PowerShell command lists those accounts [4]:

Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | Where-Object {$_.DoesNotRequirePreAuth -eq $True -and $_.Enabled -eq $True} | Select-Object 'SamAccountName','DoesNotRequirePreAuth' | Sort-Object 'SamAccountName'

The command uses the Get-ADUser cmdlet with a filter that matches all user accounts, and it names the 'DoesNotRequirePreAuth' property in the 'Properties' parameter so that the pre-authentication setting is retrieved for each account.

The output of the Get-ADUser cmdlet is then piped to the Where-Object cmdlet, which filters the results to only include accounts where 'DoesNotRequirePreAuth' is equal to $True and 'Enabled' is equal to $True. The filtered results are then passed to the Select-Object cmdlet, which selects the 'SamAccountName' and 'DoesNotRequirePreAuth' properties for each account. Finally, the selected results are passed to the Sort-Object cmdlet, which sorts the results by the 'SamAccountName' property.

Enabling Kerberos pre-authentication for these accounts ensures that the domain controller must first decrypt a timestamp encrypted with the hash of the user's password before it issues anything. This makes it much more difficult for an attacker to obtain the user's password hash and carry out an offline cracking attack.

Mitigation Technique 2: Implementing a Strong Password Policy

To guard against AS-REP Roasting attacks, it is advised to implement strong password policies, especially for privileged accounts, that mandate the use of lengthy and complicated passwords. This makes it challenging for an attacker to crack the passwords, even if they are successfully stolen. Implementing fine-grained password policies is an effective first step towards ensuring password security.

Mitigation Technique 3: Finding Out the Active Directory Privileges

It's important to identify who has the authority to change the preauthentication setting, as they could temporarily disable it to steal the AS-REP hash and then re-enable it. The following query will show all individuals with access rights to accounts without preauthentication [5]:

(Get-ACL "AD:\$((Get-ADUser -Filter 'useraccountcontrol -band 4194304').distinguishedname)").access

This command retrieves the access control list (ACL) of the security descriptor of a user object in Active Directory (AD).

Get-ADUser with the filter 'useraccountcontrol -band 4194304' returns the accounts whose userAccountControl attribute has the 4194304 bit set (the flag UF_DONT_REQUIRE_PREAUTH), and .distinguishedname extracts their distinguished names. The distinguished name is embedded in a path under the AD: PowerShell drive, Get-ACL reads the security descriptor at that path, and the .access property lists its access control entries, i.e. the rights granted or denied to each security principal on that user object. Note that the string subexpression joins all matching distinguished names into a single path, so the command only works as written when exactly one account matches; with several, loop over the Get-ADUser results and call Get-ACL once per distinguished name.
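An offline replica of the two PowerShell checks from Mitigation Techniques 1 and 3 (the DoesNotRequirePreAuth / Enabled filter and the 'useraccountcontrol -band 4194304' filter), run over constructed account records so the difference between them is visible. This is an added example, not the scripts from the referenced posts: it does not talk to Active Directory, the accounts are made up, and the userAccountControl bit values are the documented LDAP attribute values.

```python
"""Offline replica of the two PowerShell account checks, run over constructed
account records. Added example: no AD connection, accounts are made up."""
from typing import Dict, List

# userAccountControl bits used here (documented LDAP attribute values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # decimal 4194304
FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# Constructed directory contents: one normal user, one enabled service account
# without pre-auth, one disabled leftover without pre-auth, one user with an
# unrelated flag.
ACCOUNTS: List[Dict[str, object]] = [
    {"sAMAccountName": "alice", "distinguishedName": "CN=alice,OU=Users,DC=corp,DC=local",
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_legacy", "distinguishedName": "CN=svc_legacy,OU=Service,DC=corp,DC=local",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "old_svc", "distinguishedName": "CN=old_svc,OU=Service,DC=corp,DC=local",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "bob", "distinguishedName": "CN=bob,OU=Users,DC=corp,DC=local",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
]


def decode_uac(value: int) -> List[str]:
    """Name the known bits in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]
    unknown = value & ~sum(FLAG_NAMES)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def does_not_require_preauth(account: Dict[str, object]) -> bool:
    """Same test as '-band 4194304' and the DoesNotRequirePreAuth property."""
    return bool(int(account["userAccountControl"]) & UF_DONT_REQUIRE_PREAUTH)


def is_enabled(account: Dict[str, object]) -> bool:
    """Same test as Get-ADUser's Enabled property."""
    return not int(account["userAccountControl"]) & UF_ACCOUNTDISABLE


def enabled_accounts_without_preauth(accounts: List[Dict[str, object]]) -> List[str]:
    """Mirror of the Mitigation Technique 1 pipeline: enabled accounts only, sorted by name."""
    return sorted(str(a["sAMAccountName"]) for a in accounts
                  if does_not_require_preauth(a) and is_enabled(a))


def dns_without_preauth(accounts: List[Dict[str, object]]) -> List[str]:
    """Mirror of the Mitigation Technique 3 filter: disabled accounts included.
    Each DN is what a single Get-ACL call under the AD: drive would need."""
    return [str(a["distinguishedName"]) for a in accounts if does_not_require_preauth(a)]


if __name__ == "__main__":
    print("enabled, no pre-auth:", enabled_accounts_without_preauth(ACCOUNTS))
    print("all DNs without pre-auth:", dns_without_preauth(ACCOUNTS))
    for a in ACCOUNTS:
        print(a["sAMAccountName"], decode_uac(int(a["userAccountControl"])))
```

The two lists differ on old_svc: the first script filters on Enabled and so skips it, while the '-band' filter returns it, which matters because a disabled account can be re-enabled by anyone holding write rights on it.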

References

[1] "AS-REP Roasting," ired.team. Available: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat

[2] "AS-REP Roasting," viperone.gitbook.io. Available: https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/steal-or-forge-kerberos-tickets/as-rep-roasting

[3] A. Berlin, "How To Detect AS-REP Roasting With," Blumira, Dec. 07, 2021. Available: https://www.blumira.com/how-to-detect-as-rep-roasting/

[4] "AS-REP Roasting," viperone.gitbook.io. Available: https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/steal-or-forge-kerberos-tickets/as-rep-roasting

[5] J. Dibley, "Cracking Active Directory Passwords with AS-REP Roasting," Netwrix. Available: https://blog.netwrix.com/2022/11/03/cracking_ad_password_with_as_rep_roasting/

 