AD Privilege Escalation: AS-REP Roasting
Description
AS-REP Roasting is a technique that abuses a per-account Kerberos setting rather than a flaw in the protocol itself. Kerberos is the default authentication protocol in Windows Active Directory environments. AS-REP Roasting targets accounts for which the KDC has been configured not to demand pre-authentication before issuing an Authentication Service Reply.
In the Kerberos protocol, a user who wants a ticket-granting ticket (TGT) sends an Authentication Service Request (AS-REQ) to the Key Distribution Center (KDC). The KDC responds with an Authentication Service Reply (AS-REP). The TGT inside that reply is encrypted with the krbtgt account's key and is of no direct use to an attacker; what matters here is the reply's encrypted part (the session key and ticket metadata), which is encrypted with a key derived from the user's password. Normally the KDC only sends this reply after the client proves knowledge of the password through pre-authentication, typically a timestamp encrypted with that same key.
AS-REP Roasting takes advantage of the fact that some user accounts in Active Directory have the "Do not require Kerberos preauthentication" option enabled (the DONT_REQ_PREAUTH flag, 0x400000, in the userAccountControl attribute). For such an account the KDC returns the AS-REP to anyone who asks for it, without any proof of the password. The attacker takes the encrypted part of that reply offline and tries candidate passwords until one derives a key that decrypts it; that encrypted part is the "hash" cracked later in this lab. Because the client chooses the requested encryption type, the request is usually made with RC4-HMAC (etype 23) wherever RC4 is still allowed, since an RC4 key is far cheaper to derive from a password guess than an AES key. Any authenticated domain user can identify these accounts by querying Active Directory for the flag.
Reference: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-JohnTheRipper
Tasks
Lab Environment
In this lab environment, you have GUI access as the domain user Research/Student on a Windows Server 2012 machine, which serves as your workstation. The domain the workstation belongs to contains an account that is vulnerable to the AS-REP Roasting attack.
Your task is to identify accounts with the "Do not require Kerberos preauthentication" option enabled in Active Directory. By exploiting this vulnerability, you aim to capture AS-REP responses, extract password hashes, and crack the hash of another domain user in the Active Directory domain.
Objective: Identify accounts vulnerable to AS-REP Roasting and gain access to another domain user within Active Directory.
Below are the tasks that you need to perform:
Task 1: Identify vulnerable account with enabled "Do not require preauthentication" option.
Task 2: Exploit AS-REP Roasting to extract password hashes.
Task 3: Crack hashes for plaintext passwords.
Tools
The best tools for this lab are:
Rubeus
JohnTheRipper
PowerView
Active Directory Module
Solution
Step 1: Open the lab link to access the following:
Workstation

Task 1: Identify vulnerable account with enabled "Do not require preauthentication" option.
We will use the PowerView script from PowerSploit or the AD module to identify vulnerable accounts by examining if the "Do not require preauthentication" option is enabled.
What is Powerview?
PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.
Reference: https://powersploit.readthedocs.io/en/latest/Recon/#powerview
It seems like we have a directory called C:\Tools that contains the necessary tools for enumeration and exploitation.
Step 1: Change the directory to C:\Tools by running the following command.
Command:
cd C:\Tools
The directory changed to C:\Tools.
Step 2: Enable execution policy bypass and import the PowerView module.
Command:
powershell -ep bypass
. .\PowerView.ps1
The first command starts a new PowerShell session with the execution policy bypassed, allowing you to run scripts that would otherwise be blocked.
The second command dot-sources the script: the dot, a space and the script's path (.\PowerView.ps1) execute the script inside the current PowerShell session so that its functions stay defined afterwards. Ensure that PowerView.ps1 is located in the current directory (C:\Tools).
Step 3: Determine if the "Do not require preauthentication" option is enabled.
The DoesNotRequirePreAuth property exposed by the Active Directory module reflects whether the "Do not require preauthentication" option is enabled; PowerView exposes the same bit through its -PreauthNotRequired switch, and in LDAP it is the 0x400000 (DONT_REQ_PREAUTH) bit of userAccountControl. Accounts with this bit set can be attacked through AS-REP Roasting to obtain crackable material.
To identify user accounts with this option enabled, you can use the following command in PowerView:
Command:

This command lists user accounts where the "DoesNotRequirePreAuth" property is set to true, indicating that the "Do not require preauthentication" option is enabled for those accounts. These accounts are potential targets for AS-REP Roasting and further exploitation.
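The following PowerShell is an added example, not the lab's own command or PowerView's code. It shows the same enumeration three ways (PowerView, the ActiveDirectory module, and a raw LDAP query that needs no extra module) and includes an offline check of the DONT_REQ_PREAUTH bit against constructed userAccountControl values so the bit test can be verified without a domain. The function names and sample values are assumptions for illustration.

```powershell
# Added example: enumerate accounts with "Do not require Kerberos preauthentication".
# DONT_REQ_PREAUTH is bit 0x400000 (4194304) of the userAccountControl attribute.
$DONT_REQ_PREAUTH = 0x400000

# Offline check against a raw userAccountControl value (no domain needed).
function Test-DontReqPreauth {
    param([Parameter(Mandatory)][int]$UserAccountControl)
    return (($UserAccountControl -band $DONT_REQ_PREAUTH) -ne 0)
}

# Constructed sample values, not taken from the lab:
#   512     = NORMAL_ACCOUNT                                        -> False
#   4194816 = NORMAL_ACCOUNT + DONT_REQ_PREAUTH                     -> True
#   4260352 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD + DONT_REQ_PREAUTH -> True
foreach ($uac in 512, 4194816, 4260352) {
    "{0,8} -> {1}" -f $uac, (Test-DontReqPreauth $uac)
}

# Live enumeration, option 1: PowerView (after dot-sourcing PowerView.ps1).
function Get-AsrepRoastableUserPowerView {
    Get-DomainUser -PreauthNotRequired |
        Select-Object samaccountname, useraccountcontrol
}

# Live enumeration, option 2: ActiveDirectory module, filtering on the property.
function Get-AsrepRoastableUserADModule {
    Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuth, userAccountControl |
        Select-Object SamAccountName, DoesNotRequirePreAuth, userAccountControl
}

# Live enumeration, option 3: raw LDAP through [adsisearcher] using the
# bitwise-AND matching rule (1.2.840.113556.1.4.803) on userAccountControl.
function Get-AsrepRoastableUserLdap {
    $filter   = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH))"
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]('samaccountname', 'useraccountcontrol'))
    $searcher.FindAll() | ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.Properties['samaccountname'][0]
            UserAccountControl = $_.Properties['useraccountcontrol'][0]
        }
    }
}
```

The LDAP variant is the one to reach for when neither PowerView nor the AD module can be loaded on the workstation; it runs as whatever domain user you already are, because reading userAccountControl requires no special rights.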
Task 2: Exploit AS-REP Roasting to extract password hashes.
Step 4: Retrieve AS-REP Hash.
Now, we will use the Rubeus.exe tool to retrieve the AS-REP hash.
Command:

Running the above command starts the AS-REP Roasting attack with Rubeus.exe. The tool first queries LDAP for accounts with pre-authentication disabled (or only the account named with /user:), then sends an AS-REQ for each one, asking for RC4-HMAC where possible, and extracts the encrypted part of every AS-REP it receives. Rubeus prints each result as a hash line (use /format:john or /format:hashcat to match your cracker, and /outfile: to write the lines to a file).
Nothing has been cracked at this point: the lines are ciphertext encrypted with a key derived from the target user's password, which is why they can be attacked offline without any further interaction with the domain controller.
Task 3: Crack hashes for plaintext passwords.
To crack the AS-REP hash, we will use JohnTheRipper with a wordlist.
Step 5: Crack the AS-REP Hash using JohnTheRipper.
First, unzip the JohnTheRipper directory.
Go to C:\Tools using explorer and extract the JohnTheRipper files.

Now, we will run it to crack the hash for user Johnny.
Command:

John recognises the line format, derives a key from each wordlist candidate and tries to decrypt the captured AS-REP material until the checksum matches.
The password is 123456.
The AS-REP hash for user Johnny has therefore been successfully cracked with JohnTheRipper, and the recovered password can be used to authenticate as that user.
Conclusion
In this lab, we walked through AS-REP Roasting against an Active Directory domain: identifying user accounts with the "Do not require preauthentication" option enabled, requesting their AS-REPs without knowing any password, and cracking the encrypted part of a reply offline with JohnTheRipper to recover a plaintext password. The weakness is a per-account setting, not a flaw in Kerberos itself, which is why it is entirely fixable by configuration.
Organizations should therefore clear the "Do not require Kerberos preauthentication" flag on every account that does not strictly need it (it is only legitimately required by a few legacy clients), enforce long passwords on any account that must keep it, prefer AES over RC4 so that any captured material is far more expensive to crack, and audit the domain regularly for the flag. On the detection side, a domain controller logs event 4768 for every TGT request; a 4768 with Pre-Authentication Type 0, especially combined with Ticket Encryption Type 0x17 (RC4), is the footprint of an AS-REP Roasting request.
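As an added example of the remediation and monitoring described above (not part of the original lab), the PowerShell below clears the pre-authentication flag on every affected account with the ActiveDirectory module and classifies 4768 events by the pre-authentication type and encryption type in their message text. The event message here is constructed to mirror the field names Windows uses, the function names are assumptions, and the live query assumes it runs on a domain controller with Kerberos authentication auditing enabled.

```powershell
# Added example: fix the misconfiguration and detect roasting attempts.

# Remediation: clear DONT_REQ_PREAUTH on every account that has it.
# Run with -WhatIf first to see which accounts would be changed.
function Repair-PreauthFlag {
    param([switch]$WhatIf)
    $users = @(Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuth)
    foreach ($u in $users) {
        Set-ADAccountControl -Identity $u -DoesNotRequirePreAuth $false -WhatIf:$WhatIf
    }
    return $users.Count
}

# Detection: a successful 4768 with Pre-Authentication Type 0 means the KDC
# issued the reply without any proof of the password; encryption type 0x17
# (RC4-HMAC) is what roasting tools request by default.
function Test-AsrepRoastEvent {
    param([Parameter(Mandatory)][string]$Message)
    $preAuth = if ($Message -match 'Pre-Authentication Type:\s+(\d+)') { [int]$Matches[1] } else { -1 }
    $etype   = if ($Message -match 'Ticket Encryption Type:\s+0x([0-9A-Fa-f]+)') { [Convert]::ToInt32($Matches[1], 16) } else { -1 }
    $result  = if ($Message -match 'Result Code:\s+0x([0-9A-Fa-f]+)') { [Convert]::ToInt32($Matches[1], 16) } else { -1 }
    return ($result -eq 0) -and ($preAuth -eq 0) -and ($etype -eq 0x17)
}

function Get-4768Account {
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match 'Account Name:\s+(\S+)') { return $Matches[1] }
    return $null
}

# Constructed 4768 message text (field layout as in the Windows Security log).
$SampleEvent = @"
A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:       Johnny
    Supplied Realm Name: RESEARCH
Additional Information:
    Ticket Options:     0x40810010
    Result Code:        0x0
    Ticket Encryption Type: 0x17
    Pre-Authentication Type: 0
"@
Test-AsrepRoastEvent $SampleEvent   # True
Get-4768Account $SampleEvent        # Johnny

# Live query on a domain controller: roasting-shaped 4768 events from the last day.
function Get-AsrepRoastEvent {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddDays(-1) } |
        Where-Object { Test-AsrepRoastEvent $_.Message } |
        Select-Object TimeCreated, @{ n = 'Account'; e = { Get-4768Account $_.Message } }
}
```

Accounts that legitimately keep the flag will still produce Pre-Authentication Type 0 events on every logon, so the useful signal is a burst of such events for many accounts from one client address, or any such event for an account that should have been remediated.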