Active Directory Account Passwords Cracking using AS-REP Roasting
Krishnendu De
Information Security Leadership | Red and Blue Teamer | Cloud Security Expert | OT Cyber Security | Realtime System Security | 8x Azure | 2x AWS | 2x GCP | and 2x Kubernetes Certified | CISSP
One of the most common ways an attacker who has gained a foothold in an organization escalates privileges is to collect credential material and crack it offline. AS-REP roasting is an attack technique that works well against user accounts with one specific attribute setting. In this post I would like to cover how attackers perform AS-REP Roasting using a tool called Rubeus, and how we can build detection engineering correlation rules to catch these attacks. SOC rules can help us detect individual attack patterns, but to have comprehensive protection against such techniques organizations need to think strategically about a defendable security architecture.
What is AS-REP Roasting?
Let us first try to understand a little bit about the AS-REP Roasting attack technique. AS-REP Roasting is a technique that lets an adversary obtain, for any user account that has Kerberos pre-authentication disabled, a piece of the KDC's reply that is encrypted with a key derived from that user's password. The attacker can then attempt to crack that material offline. The attack is therefore focused on user accounts that have Kerberos pre-authentication disabled.
In Kerberos authentication against Active Directory the exchange begins with a request that, by itself, carries no proof that the client knows the password. Kerberos 4 had no pre-authentication at all, which is exactly what made it vulnerable to offline dictionary attacks; Kerberos 5 introduced pre-authentication, and a KDC that requires it refuses a bare request. When looking at the Kerberos exchanges during a normal Windows logon, you will initially see an AS-REQ (Authentication Server Request) followed by a Kerberos error stating that pre-authentication is required (KDC_ERR_PREAUTH_REQUIRED), after which the client retries with an encrypted timestamp. This is where the attack is initiated. It does, however, require that the user account has been set to not need Kerberos pre-authentication. Although this is a known weakness, which is why pre-authentication exists in Kerberos 5 and is required by default in Active Directory, the setting may still be switched off for some users, typically for compatibility with old non-Windows Kerberos clients.
When pre-authentication is required, a user who needs access to a resource begins the Kerberos authentication process by sending an Authentication Server Request (AS-REQ) message to the domain controller (DC). That message carries the current timestamp encrypted with a key derived from the user's password (the NT hash for RC4, a PBKDF2-derived key for AES). If the DC can decrypt that timestamp using its own copy of the user's key, it sends back an Authentication Server Response (AS-REP) message that contains a Ticket Granting Ticket (TGT) issued by the Key Distribution Center (KDC), which the user presents for all subsequent service ticket requests.
However, if pre-authentication is not required, anyone who can reach the KDC on port 88 can send an AS-REQ for that user without knowing any password, and the DC will answer with an AS-REP. Part of that message (the enc-part holding the session key) is encrypted with the user's key, so the attacker can take it offline and try candidate passwords until one decrypts it correctly. Pre-authentication is required by default in Active Directory; it can be disabled for an individual user account with the "Do not require Kerberos preauthentication" option on the account's Account tab, which sets the UF_DONT_REQUIRE_PREAUTH bit (0x400000, decimal 4194304) in the userAccountControl attribute.
Ideally, no user account should bypass pre-authentication, so it is important to verify every exception against a specific user: a single such account can be enough to give an attacker an initial foothold in our Active Directory environment. You have many options, but the main two are:
1) PowerShell (PowerView's Get-DomainUser; this is not a built-in cmdlet)
Get-DomainUser -PreauthNotRequired
2) LDAP (Saved Query)
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
Executing AS-REP Roasting using Rubeus
Rubeus is an open-source C# tool that can help us perform AS-REP Roasting to see how this attack would work in your environment. Rubeus is a .NET assembly, so it runs on a Windows host that can reach a domain controller (the Linux equivalent from Kali is Impacket's GetNPUsers.py). Run the following command:
Rubeus.exe asreproast
The above command enumerates over LDAP every user account in the domain that does not require pre-authentication, sends an AS-REQ for each one and prints the encrypted part of each AS-REP for offline cracking. Enumeration needs an account that can query LDAP; a single known user can also be targeted with /user: without any domain credentials, since the AS-REQ itself carries none.
The next step is to write this data in a format that Hashcat can crack offline. This command outputs the AS-REP material to a text file:
Rubeus.exe asreproast /format:hashcat /outfile:C:\Temp\hashdump.txt
Then we use Hashcat to crack what was collected in the step above. We need to specify the correct hash-mode for AS-REP material (18200 is "Kerberos 5, etype 23, AS-REP", which matches the RC4-encrypted responses Rubeus requests by default; an AES-encrypted AS-REP would need a different mode), the hash file, and a wordlist for a dictionary attack (attack mode 0, the default):
hashcat64.exe -m 18200 c:\Temp\hashdump.txt mypasswordlist.dict
How to detect and prevent AS-REP Roasting Attacks
As we have observed, AS-REP Roasting is a cheap way to obtain crackable password material for accounts that do not require pre-authentication, with no special privileges required: any domain user can enumerate such accounts over LDAP, and the AS-REQ itself needs no credentials at all if the attacker already knows a username. The good news is that there are several effective ways of defending against these attacks.
Identify Accounts that Do not Require Preauthentication
The best way to block AS-REP Roasting attacks is to find all user accounts that are set to not require Kerberos pre-authentication and turn pre-authentication back on for them. The following ActiveDirectory-module command is another way to detect such vulnerable accounts within the Active Directory environment:
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
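The two audit queries above and the remediation described here fit together into one script. The following is an added example written for this post, not code from the original article or from the Rubeus project; it needs the ActiveDirectory RSAT module and rights to read and modify userAccountControl, and the exception group name is an assumption to adjust to your environment.

```powershell
# Added example: audit every account with "Do not require Kerberos preauthentication"
# set, report the context a reviewer needs, and clear the flag on accounts that are
# not an approved exception. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# UF_DONT_REQUIRE_PREAUTH = 0x400000 (decimal 4194304) in userAccountControl.
$DontRequirePreauth = 0x400000

function Get-AsRepRoastableAccount {
    [CmdletBinding()]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Same bitwise-AND matching rule as the saved LDAP query.
    $filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$DontRequirePreauth))"
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
        -Properties userAccountControl, adminCount, servicePrincipalName, lastLogonTimestamp, pwdLastSet |
      ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Enabled        = $_.Enabled
            # adminCount=1 (protected group member) or an SPN makes the account a far more valuable target.
            AdminCount     = [int]($_.adminCount -eq 1)
            HasSPN         = [bool]$_.servicePrincipalName
            LastLogon      = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
            PasswordSet    = if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } else { $null }
            DN             = $_.DistinguishedName
        }
      }
}

function Repair-AsRepRoastableAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(ValueFromPipelineByPropertyName)][string]$SamAccountName,
        # Assumed group holding the rare, documented exceptions (e.g. legacy non-Windows Kerberos clients).
        [string]$ExceptionGroup = 'Preauth-Exception-Approved'
    )
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties memberOf
        $approved = $user.memberOf | Where-Object { $_ -like "CN=$ExceptionGroup,*" }
        if ($approved) {
            Write-Warning "$SamAccountName is an approved exception; flag left set, review its password strength instead."
            return
        }
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Re-enable Kerberos pre-authentication')) {
            # Clears UF_DONT_REQUIRE_PREAUTH without touching the other userAccountControl bits.
            Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false
        }
    }
}

# Usage: review first, dry-run the fix, then run it for real without -WhatIf.
Get-AsRepRoastableAccount | Format-Table -AutoSize
Get-AsRepRoastableAccount | Repair-AsRepRoastableAccount -WhatIf
```

Keep the report: the LastLogon and PasswordSet columns tell you whether a flagged account is a live dependency that needs a change window, or a forgotten account that should simply be disabled.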
Password Strength
Another strong protection against AS-REP Roasting attacks is a password policy strong enough that the stolen material cannot be cracked in practice, even if an adversary obtains the dump. We should implement fine-grained password policies within AD, with very long passwords required for admin and service accounts. Additionally, we should implement a good Privileged Access Management (PAM) solution to rotate privileged account passwords automatically, for example every 24 hours.
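The fine-grained password policy suggested above, as an added example written for this post rather than the article's own configuration. It assumes the ActiveDirectory module, Domain Admin rights, and the policy and group names shown; it also checks which policy actually applies to each account that does not require pre-authentication, since a PSO only helps if those accounts fall under it.

```powershell
# Added example: a Password Settings Object (PSO) for accounts whose Kerberos
# material can be cracked offline, then a check of the resultant policy per
# AS-REP-roastable account. Names are assumptions.
Import-Module ActiveDirectory

$policyName = 'PSO-Privileged-And-Service'                  # assumed name
$targets    = @('Domain Admins', 'Tier0-Service-Accounts')   # assumed groups

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    # Lowest Precedence wins when several PSOs apply to one user.
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 25 `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '30.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00' `
        -ReversibleEncryptionEnabled $false `
        -Description 'Long passwords for accounts whose AS-REP or TGS material may be cracked offline'
}
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $targets

# Which policy really governs each account that does not require pre-authentication?
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' | ForEach-Object {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $_
    [pscustomobject]@{
        SamAccountName    = $_.SamAccountName
        EffectivePolicy   = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        MinPasswordLength = if ($pso) { $pso.MinPasswordLength } else { (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength }
    }
}
```

Any account in the second listing that still shows the Default Domain Policy is a gap: either add it to a subject group of the PSO or, better, remove the pre-authentication exception.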
Active Directory Privileges
It’s also important to identify the user accounts that have permission to modify the setting that controls whether pre-authentication is required. This lets us spot principals that could disable the setting momentarily, obtain the AS-REP material, and enable it again. This query lists the ACL of every user account that does not require pre-authentication; look for principals outside the expected administrative groups holding GenericAll, GenericWrite, WriteDacl, WriteOwner or WriteProperty on userAccountControl:
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' | ForEach-Object { (Get-Acl "AD:\$($_.DistinguishedName)").Access }
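Reading raw ACLs by eye does not scale, so here is an added example (written for this post, not code from the article) that reduces each ACL to the principals who can actually flip the flag. Control of userAccountControl comes either from whole-object rights, from WriteProperty on all attributes, on the userAccountControl attribute itself, or on the User-Account-Restrictions property set that contains it. Both GUIDs are read from the schema and configuration partitions at run time rather than hard-coded; the list of expected administrative principals is an assumption.

```powershell
# Added example: who can modify the pre-authentication flag on each
# AS-REP-roastable account? Requires the ActiveDirectory module.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# schemaIDGUID of the userAccountControl attribute (byte[] in the schema, cast to Guid).
$uacGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID).schemaIDGUID
# rightsGuid of the User-Account-Restrictions property set, which includes userAccountControl.
$uarGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(name=User-Account-Restrictions))' -Properties rightsGuid).rightsGuid

# Assumed list of principals that are expected to hold these rights; everything else is reported.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

function Get-PreauthFlagController {
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' | ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access |
          Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $expected } |
          Where-Object {
              $rights = $_.ActiveDirectoryRights
              # Whole-object rights imply control of every attribute (WriteDacl/WriteOwner indirectly).
              ($rights -band [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner') -ne 0 -or
              # WriteProperty on all attributes (empty GUID), on userAccountControl, or on its property set.
              (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0 -and
               $_.ObjectType -in @([guid]::Empty, $uacGuid, $uarGuid))
          } |
          ForEach-Object {
              [pscustomobject]@{
                  Account   = $dn
                  Principal = $_.IdentityReference.Value
                  Rights    = $_.ActiveDirectoryRights
                  Inherited = $_.IsInherited
              }
          }
    }
}

Get-PreauthFlagController | Sort-Object Principal | Format-Table -AutoSize
```

Inherited entries usually come from an OU-level delegation (help-desk groups with GenericWrite on an OU are a common finding); those are worth reviewing even more than explicit entries, because they apply to every account created under that OU in future.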
Detection Engineering
Finally, you should also monitor for pre-authentication being disabled and for the attack itself. Windows Event ID 4738 ("A user account was changed") logs the userAccountControl change, with the text 'Don't Require Preauth' - Enabled in its User Account Control field. Alternatively, Event ID 5136 (directory service object modified) records the attribute write, but only if Directory Service Changes auditing is enabled and the user objects carry a SACL for it. To catch the roasting itself rather than the setup, watch Event ID 4768 on the domain controllers: a successful TGT request with Pre-Authentication Type 0 is an AS-REP handed out without pre-authentication, and many such requests for different accounts from one client address in a short window is the signature of a tool like Rubeus.
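The two detections described above, as an added example written for this post (not code from the article or from any SIEM vendor). It reads a domain controller's Security log with Get-WinEvent; "Audit User Account Management" and "Audit Kerberos Authentication Service" must be enabled for 4738 and 4768 to exist, and the DC name and time windows are assumptions.

```powershell
# Added example: (1) 4738 events where the change enabled "Don't Require Preauth",
# (2) 4768 TGT requests that succeeded with Pre-Authentication Type 0, grouped by
# client IP so that a roasting sweep stands out. EType 0x17 = RC4, which is what
# Rubeus asreproast requests by default.

function Get-EventDataField {
    # Pull one named EventData value out of the event XML.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-PreauthDisabled {
    param([string]$Computer = 'DC01', [datetime]$Since = (Get-Date).AddDays(-7))   # assumed DC name
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{LogName='Security'; Id=4738; StartTime=$Since} -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match "'Don't Require Preauth' - Enabled" } |
      ForEach-Object {
          [pscustomobject]@{
              Time      = $_.TimeCreated
              Target    = Get-EventDataField $_ 'TargetUserName'
              ChangedBy = Get-EventDataField $_ 'SubjectUserName'
              OldUac    = Get-EventDataField $_ 'OldUacValue'
              NewUac    = Get-EventDataField $_ 'NewUacValue'
          }
      }
}

function Find-AsRepWithoutPreauth {
    param([string]$Computer = 'DC01', [datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{LogName='Security'; Id=4768; StartTime=$Since} -ErrorAction SilentlyContinue |
      Where-Object {
          (Get-EventDataField $_ 'PreAuthType') -eq '0' -and     # no pre-authentication data at all
          (Get-EventDataField $_ 'Status') -eq '0x0'             # and the KDC still issued the AS-REP
      } |
      ForEach-Object {
          [pscustomobject]@{
              Time     = $_.TimeCreated
              User     = Get-EventDataField $_ 'TargetUserName'
              ClientIP = (Get-EventDataField $_ 'IpAddress') -replace '^::ffff:', ''
              EType    = Get-EventDataField $_ 'TicketEncryptionType'
          }
      } |
      # Many distinct accounts from one address in a short window is the roasting signature.
      Group-Object ClientIP | Sort-Object Count -Descending |
      Select-Object @{n='ClientIP'; e={$_.Name}}, Count,
                    @{n='Users'; e={($_.Group.User | Sort-Object -Unique) -join ','}}
}

Find-PreauthDisabled | Format-Table -AutoSize
Find-AsRepWithoutPreauth | Format-Table -AutoSize
```

A single 4768 with PreAuthType 0 for an account that legitimately has the exception is normal noise; alert on the 4738 change, and on 4768 when one client address touches several such accounts, or touches an account with that flag from an address that has never requested a TGT for it before.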
NB: Thanks to the many security researchers who have written articles on this topic; I have only tried to compile a ready reckoner which organizations can use to build effective detection capabilities.