
AS-REP Roasting (Internal/External)

AS-REP Roasting

If Kerberos pre-authentication is disabled on a user account in Active Directory, an attacker can request a TGT on behalf of that user without knowing the password. Pre-authentication, when enabled, requires the client to prove knowledge of the password up front by encrypting a timestamp with a key derived from the user's password and sending it in the initial TGT request (AS-REQ). With this option disabled, no such proof is required, so anyone who can reach the KDC can submit an AS-REQ naming the target user and receive a reply.

What's the Danger?

If pre-authentication is disabled, the reply the KDC returns (the AS-REP) contains a portion encrypted with a key derived from the target user's password. Because the attacker now holds that encrypted material, it can be attacked offline with no further contact with the domain. If a weak cipher is negotiated (RC4-HMAC, encryption type 23, which is what the $krb5asrep$23$ prefix below denotes) or the user has set a particularly weak password, an attacker could easily crack the hash and recover the user's plaintext password.

# Request AS-REPs for the listed accounts that do not require pre-authentication (impacket)
GetNPUsers.py -usersfile users.txt -no-pass -dc-ip dc-ip-here domain.tld/
$krb5asrep$23$user.name@DOMAIN.TLD:<removed-by-author>$<removed-by-author>
# Crack the hash
john --wordlist=rockyou.txt hash.txt

If successfully cracked, this plaintext password could be leveraged to enumerate additional information about the domain, or used in additional attacks depending on the user's privilege level.
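The two conditions the page describes (an account flagged to not require pre-authentication, and an AS-REP encrypted with the weak RC4 cipher) are also exactly what a defender can audit for. The following is an added example, not code from the original page or from impacket: it checks a list of accounts for the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl, and scans Security event 4768 (Kerberos TGT requested) records for requests made with pre-authentication type 0 and a ticket encryption type of 0x17 (RC4-HMAC). The account list and event records are constructed for the example; the field names follow the Windows 4768 event schema, but the `Field=Value|...` layout is an assumed flattening rather than real EVTX/XML.

```python
"""
Added example (not part of the original page): defender-side checks for the
two AS-REP roasting preconditions described above.

1. audit_preauth_flags(): accounts whose userAccountControl has the
   DONT_REQ_PREAUTH bit (0x400000) set.
2. find_asrep_roast_events(): successful 4768 events where the request used
   no pre-authentication (PreAuthType 0); those using RC4 (0x17) are marked
   as the weak-cipher case.

Sample data below is constructed; the 'Field=Value|...' line layout is an
assumption for the example, not the real event format.
"""

# userAccountControl bit for "Do not require Kerberos preauthentication"
DONT_REQ_PREAUTH = 0x400000

# Constructed LDAP-style export: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("alice", 0x200),                  # NORMAL_ACCOUNT
    ("svc_backup", 0x200 | 0x400000),  # NORMAL_ACCOUNT + DONT_REQ_PREAUTH
    ("bob", 0x202),                    # NORMAL_ACCOUNT + ACCOUNTDISABLE
    ("legacy_app", 0x400200),          # same DONT_REQ_PREAUTH flag, written as one value
]


def audit_preauth_flags(accounts):
    """Return names of accounts that do not require Kerberos pre-authentication."""
    return [name for name, uac in accounts if uac & DONT_REQ_PREAUTH]


# Constructed 4768/4769 records, one per string. Status 0x0 is success;
# 0x6 (client not found) is typical of username guessing and carries no
# crackable material, so it is excluded here.
SAMPLE_4768_EVENTS = [
    "EventID=4768|TargetUserName=alice|IpAddress=10.0.0.5|PreAuthType=2|TicketEncryptionType=0x12|Status=0x0",
    "EventID=4768|TargetUserName=svc_backup|IpAddress=10.0.0.77|PreAuthType=0|TicketEncryptionType=0x17|Status=0x0",
    "EventID=4768|TargetUserName=legacy_app|IpAddress=10.0.0.77|PreAuthType=0|TicketEncryptionType=0x12|Status=0x0",
    "EventID=4769|TargetUserName=alice|IpAddress=10.0.0.5|TicketEncryptionType=0x17|Status=0x0",
    "EventID=4768|TargetUserName=bob|IpAddress=10.0.0.5|PreAuthType=0|TicketEncryptionType=0x17|Status=0x6",
]


def parse_event(line):
    """Split one constructed 'Field=Value|Field=Value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def find_asrep_roast_events(lines):
    """
    Return one dict per successful TGT request (4768, Status 0x0) that was
    issued without pre-authentication. 'weak_cipher' is True when the
    encrypted part was protected with RC4-HMAC (etype 0x17), which is the
    case the page's $krb5asrep$23$ hash corresponds to.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") != "0":
            continue
        etype = int(ev.get("TicketEncryptionType", "0"), 16)
        hits.append({
            "user": ev["TargetUserName"],
            "source": ev["IpAddress"],
            "weak_cipher": etype == 0x17,
        })
    return hits


if __name__ == "__main__":
    print("Accounts without pre-auth:", audit_preauth_flags(SAMPLE_ACCOUNTS))
    for hit in find_asrep_roast_events(SAMPLE_4768_EVENTS):
        level = "HIGH (RC4)" if hit["weak_cipher"] else "medium (AES)"
        print(f"[{level}] AS-REP without pre-auth for {hit['user']} from {hit['source']}")
```

A legitimate client logging on to a no-pre-auth account also produces a 4768 with PreAuthType 0, so the event alone is a signal about the account's configuration rather than proof of an attack; the stronger indicator is one source address collecting such replies for several different accounts, combined with the `audit_preauth_flags` result showing which accounts should have the flag cleared in the first place.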