Cyber Security Interview Prep. Q10: "ASREP Roasting"
- mahfuz3895
- Oct 5, 2021
- 2 min read
Category: Red Team
Question: What is ASREP Roasting? How does it work?
Kerberos uses pre-authentication: the client encrypts a timestamp with a key derived from the user's password and sends it along with the TGT request, so the KDC can check that the requester knows the password before it issues anything. This makes it hard for an attacker to request a TGT for a user who may have requested one in the past (i.e. the real user did ask for it at some point, and the attacker is now trying a replay attack).
If pre-authentication is disabled for a user, an attacker can request a TGT for that user without knowing the password. In that situation the Kerberos server (KDC) replies with a TGT response (the AS-REP) in which part of the reply is encrypted with a key derived from that user's password, and that encrypted material can be cracked offline to obtain the cleartext password.
Attackers can easily check for accounts that have pre-authentication disabled (e.g. using a tool called Rubeus), so if such an account exists, this can be quite an easy way in.
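The same check from the defender's side: the setting lives in the `userAccountControl` attribute of the user object, and the audit in the remediation section below comes down to finding every object with the `DONT_REQ_PREAUTH` bit (0x400000) set. This is an added example, not code from the original post. The user records are constructed for illustration; in a real audit they would come from an LDAP query against the domain (the bit-AND matching rule filter shown in the docstring is the standard way to ask for that), and the privileged-group shortlist is a hypothetical choice.

```python
"""Audit AD user objects for the "Do not require preauthentication" flag.

Added example, not from the original post. The user records below are
constructed; in a real audit they would come from an LDAP query such as
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304)),
which uses the LDAP_MATCHING_RULE_BIT_AND rule to test the same bit.
"""

# userAccountControl bit flags used by this check (values from the AD schema).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000  # decimal 4194304: the "Do not require preauthentication" box

# Groups treated as privileged when ranking findings (hypothetical shortlist).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample directory records (hypothetical accounts, not real data).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT, "memberOf": []},
    {"sAMAccountName": "jsmith", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH, "memberOf": []},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH,
     "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "old_vendor",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH,
     "memberOf": []},
]

RISK_RANK = {"high": 0, "medium": 1, "low": 2}


def preauth_disabled(uac: int) -> bool:
    """True when the DONT_REQ_PREAUTH bit is set, i.e. the account is AS-REP roastable."""
    return bool(uac & DONT_REQ_PREAUTH)


def account_disabled(uac: int) -> bool:
    return bool(uac & ACCOUNTDISABLE)


def find_asrep_roastable(users):
    """Return every account with pre-auth disabled, ranked by how bad it would be.

    Enabled accounts in a privileged group are 'high', other enabled accounts
    'medium'. Disabled accounts cannot be roasted today but are reported as
    'low' so the flag gets cleared before anyone re-enables them.
    """
    findings = []
    for user in users:
        uac = user["userAccountControl"]
        if not preauth_disabled(uac):
            continue
        if account_disabled(uac):
            risk = "low"
        elif any(group in PRIVILEGED_GROUPS for group in user.get("memberOf", [])):
            risk = "high"
        else:
            risk = "medium"
        findings.append({
            "sAMAccountName": user["sAMAccountName"],
            "risk": risk,
            "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
        })
    findings.sort(key=lambda f: (RISK_RANK[f["risk"]], f["sAMAccountName"]))
    return findings


def remediated_uac(uac: int) -> int:
    """userAccountControl value after unticking the box: the flag bit cleared, all else kept."""
    return uac & ~DONT_REQ_PREAUTH


if __name__ == "__main__":
    for finding in find_asrep_roastable(SAMPLE_USERS):
        print(f"{finding['risk']:6} {finding['sAMAccountName']}"
              + ("  (password never expires)" if finding["password_never_expires"] else ""))
```

Ranking matters more than the raw list: a service account that is both roastable and in Domain Admins, with a password that never expires, is the one to fix first, since a cracked password there gives the attacker the whole domain rather than one workstation.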
Remediation and Countermeasures
User accounts in Active Directory (AD) can have pre-authentication enabled or disabled from the "Account" tab of the user's properties, where there is a check-box titled "Do not require preauthentication".
Firstly, audit the company's AD environment to ensure this box isn't ticked for any user. This is a good first line of defence, as it ensures no TGT can be obtained by an attacker this way.
Secondly, if a TGT is obtained by an attacker, the only way they can extract a password from it is with a cracking tool. This becomes almost impossible if the password is long and complex and is changed frequently, so a good password policy is crucial as a second line of defence.
Thirdly, though this is not restricted to this particular attack, a policy of Least Privilege should be enforced so that, if an account is compromised or an account hash obtained, the account does not hold unnecessary privileges that would allow an attacker to use password spraying or pass-the-hash methods to compromise other machines on the network.
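The three layers above are preventive; the first one can also be verified from the domain controller's own logs. A DC records event 4768 for every TGT request it answers, and its PreAuthType field is 0 when no pre-authentication was used, so a successful 4768 with PreAuthType 0 is direct evidence that a crackable AS-REP left the KDC. The detection below is an added example, not code from the original post: the log lines are constructed in a flat key=value export format (an assumption of this example, not the native EVTX layout), though the field names are the real 4768 EventData names, and the sweep threshold is a hypothetical tuning value.

```python
"""Flag AS-REP roasting activity in Windows Security event 4768 records.

Added example, not from the original post. A domain controller logs event
4768 ("A Kerberos authentication ticket (TGT) was requested") for every
AS-REQ it answers. PreAuthType is 0 when no pre-authentication was used, so
a *successful* 4768 (Status 0x0) with PreAuthType 0 means a TGT reply went
out for an account that has the flag set: exactly the reply an attacker
cracks offline. The log lines below are constructed in a flat key=value
export format (an assumption of this example, not the native EVTX layout);
the field names are the real 4768 EventData names.
"""
from collections import defaultdict

# Constructed sample export of 4768/4769 events (hypothetical hosts and users).
SAMPLE_KERBEROS_LOG = """\
EventID=4768 Status=0x0 TargetUserName=alice TargetDomainName=CORP.LOCAL PreAuthType=2 TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.15
EventID=4768 Status=0x0 TargetUserName=svc_backup TargetDomainName=CORP.LOCAL PreAuthType=0 TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.77
EventID=4769 Status=0x0 TargetUserName=alice@CORP.LOCAL ServiceName=cifs/FS01 TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.15
EventID=4768 Status=0x0 TargetUserName=jsmith TargetDomainName=CORP.LOCAL PreAuthType=0 TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.77
EventID=4768 Status=0x6 TargetUserName=nosuchuser TargetDomainName=CORP.LOCAL PreAuthType=0 TicketEncryptionType=0xffffffff IpAddress=::ffff:10.0.0.77
"""

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4: the weakest, fastest-to-crack choice


def parse_event(line: str) -> dict:
    """Turn one key=value export line into a dict (values stay as strings)."""
    return dict(token.split("=", 1) for token in line.split())


def detect_asrep_roasting(log_text: str, sweep_threshold: int = 2) -> dict:
    """Return TGTs issued without pre-auth, plus source IPs that collected several.

    no_preauth: one entry per successful 4768 with PreAuthType 0.
    sweeps: IP -> sorted list of distinct users, for IPs at or above
    sweep_threshold distinct accounts, which looks like a scripted roast of
    every flagged account rather than one legitimate client.
    """
    no_preauth = []
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue  # only TGTs actually issued matter; failures yield no crackable material
        if ev.get("PreAuthType") != "0":
            continue
        enc = int(ev.get("TicketEncryptionType", "0"), 16)
        ip = ev.get("IpAddress", "?")
        no_preauth.append({
            "user": ev["TargetUserName"],
            "ip": ip,
            "rc4": enc == RC4_HMAC,
        })
        users_by_ip[ip].add(ev["TargetUserName"])
    sweeps = {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= sweep_threshold}
    return {"no_preauth": no_preauth, "sweeps": sweeps}


if __name__ == "__main__":
    result = detect_asrep_roasting(SAMPLE_KERBEROS_LOG)
    for f in result["no_preauth"]:
        print(f"TGT issued without pre-auth for {f['user']} from {f['ip']}"
              + (" [RC4]" if f["rc4"] else ""))
    for ip, users in result["sweeps"].items():
        print(f"possible AS-REP roasting sweep from {ip}: {', '.join(users)}")
```

Once the audit above has cleared the flag everywhere, any hit from this rule is a high-confidence alert, because legitimate clients never send an AS-REQ that the KDC answers without pre-authentication; while accounts with the flag still exist, the per-IP sweep is the more useful signal, since one source collecting replies for several flagged accounts in quick succession is what a roasting tool looks like in the logs.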
Further Reading: What is AS-REP Roasting attack, really? (thehackernews.com)