ASREP Roasting & Pre-Authentication in AD Environments


Any systems administrator knows that securing an Active Directory environment is a never-ending task.  Since Active Directory first shipped with Windows 2000 Server, Microsoft has added countless features.  Many of these features are created with connectivity in mind, and some exist to bypass security features so that incompatible or legacy applications can still connect.  With constantly changing security requirements, keeping up with current threats while managing an already sprawling environment is a daunting endeavor.

Pre-Authentication and ASREP-Roasting

Pre-Authentication is a Kerberos feature, enabled by default, that prevents password-guessing attacks against the authentication service.  When Pre-Authentication is enabled, the client must first prove it knows the user's password: it encrypts the current timestamp with the key derived from that user's password hash and sends it along with the authentication request.  The key distribution center (KDC) decrypts the timestamp with the same key, checks that the time is valid, and only then issues a ticket.

Account settings in Active Directory Users and Computers ("Do not require Kerberos preauthentication"):
  • Pre-Authentication Enabled – No Check Mark
  • Pre-Authentication Disabled – Check Mark

Attackers can send an authentication request (AS-REQ) that carries no pre-authentication data, and for any user that has Pre-Authentication disabled the KDC will answer with a ticket-granting ticket plus reply data encrypted with that user's password-derived key.  The attacker does not have to be joined to the domain and can use PowerView to enumerate users with Pre-Authentication disabled.  An attacker can then use tools such as Rubeus or Impacket to request the ticket.  Below is an example of this using PowerView and Rubeus.

PowerView: Get-NetUser -PreauthNotRequired -Verbose
Rubeus asreproast obtaining a ticket for the ASREP-roastable user

The AS-REP hash can then be cracked offline using a tool such as Hashcat or Hydra. 

Hash cracked using Hashcat

Once the hash is cracked and password obtained, the attacker has access to that user’s account in the domain.
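On the defender's side, every AS-REP handed out this way is recorded on the domain controller as a Kerberos Authentication Service event (ID 4768) whose Pre-Authentication Type is 0.  The following script is an added example, not code from the original post or from TCM Security, that pulls recent 4768 events and keeps only the ones matching that pattern.  It assumes Kerberos Authentication Service auditing is enabled, that it runs on a domain controller (or against one via -ComputerName) with rights to read the Security log, and that the event's EventData fields are named TargetUserName, PreAuthType, TicketEncryptionType, IpAddress and Status as in the standard 4768 schema.

```powershell
# Added example (not from the original post): hunt for 4768 events that show a TGT
# being issued without pre-authentication, the signature of an AS-REP roast.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: a DC whose Security log we may read
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4768                                # Kerberos authentication ticket (TGT) requested
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['TargetUserName']
            Client      = $data['IpAddress']
            PreAuthType = $data['PreAuthType']           # 0 = no pre-authentication was performed
            EncType     = $data['TicketEncryptionType']  # 0x17 = RC4-HMAC, the type roasting tools ask for
            Status      = $data['Status']                # 0x0 = ticket issued
        }
    } |
    # A successful TGT with PreAuthType 0 means the KDC returned crackable material
    # without the client proving it knew the password.
    Where-Object { $_.PreAuthType -eq '0' -and $_.Status -eq '0x0' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it as `.\Find-AsrepRoast.ps1 -Hours 72` (the file name is the author's choice; the script has no dependency on it).  A single hit for an account that is known to need pre-authentication disabled may be normal; a burst of hits for many different users from one client address within a few seconds is the enumeration pattern described above.  Note that the Client address is the source of the AS-REQ, not necessarily the machine where the hash will be cracked.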

What Should We Do?

We still occasionally find users with Pre-Authentication disabled.  This is often because an account was never deprovisioned, or because the setting was not re-enabled once it was no longer needed.  Auditing user account settings, manually or with PowerView, is a good first step toward ensuring that Pre-Authentication is enabled everywhere.  If a user genuinely needs Pre-Authentication disabled for some reason, then password strength is vital: the AS-REP hash is cracked offline, so a complex password with capital and lower-case letters, numbers, and special characters is the best defense for an account with Pre-Authentication disabled.
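The audit step can be scripted with the RSAT ActiveDirectory module instead of PowerView.  The script below is an added example, not the original post's or TCM Security's own code: it lists every account with "Do not require Kerberos preauthentication" set, shows the context a reviewer needs to decide whether each one is legitimate (enabled, password age, password-never-expires, privileged group membership), and with -Remediate clears the flag.  It assumes the ActiveDirectory module is installed and that the caller has read rights (write rights for -Remediate).  The LDAP filter matches bit 0x400000 (4194304) of userAccountControl, the same bit PowerView's -PreauthNotRequired switch filters on.

```powershell
# Added example (not from the original post): audit, and optionally fix, accounts
# that have Kerberos pre-authentication disabled.
param(
    [switch]$Remediate
)
Import-Module ActiveDirectory

$DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit "Do not require Kerberos preauthentication"

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$roastable = Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH)" `
    -Properties DoesNotRequirePreAuth, userAccountControl, Enabled, PasswordLastSet,
                PasswordNeverExpires, LastLogonDate, MemberOf

# Group DNs that make an exposed account far more dangerous if its password is cracked.
$privilegedPattern = '^CN=(Domain Admins|Enterprise Admins|Administrators|Schema Admins|Account Operators),'

$report = foreach ($u in $roastable) {
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        # Cross-check the friendly property against the raw bit so a mismatch stands out.
        UacBitSet            = (($u.userAccountControl -band $DONT_REQ_PREAUTH) -ne 0)
        DoesNotRequirePreAuth = $u.DoesNotRequirePreAuth
        PasswordAgeDays      = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        PasswordNeverExpires = $u.PasswordNeverExpires
        LastLogonDate        = $u.LastLogonDate
        PrivilegedGroup      = [bool]($u.MemberOf | Where-Object { $_ -match $privilegedPattern })
    }
}

$report | Sort-Object PrivilegedGroup, PasswordAgeDays -Descending | Format-Table -AutoSize

if ($Remediate) {
    foreach ($u in $roastable) {
        # Clearing the flag re-enables pre-authentication; clients that support
        # Kerberos pre-auth (every supported Windows version) keep working unchanged.
        Set-ADAccountControl -Identity $u -DoesNotRequirePreAuth $false
        Write-Host "Re-enabled Kerberos pre-authentication for $($u.SamAccountName)"
    }
}
```

Run it without switches first and review the table: a disabled, stale account with the flag set should simply be removed, an enabled account with an old password or privileged group membership deserves a password reset as well as the flag change, and only accounts with a documented legacy-client requirement should keep the flag.  Re-run with -Remediate once the exceptions are known, and schedule the audit so the flag does not quietly return.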

How TCM Security Can Help

Our penetration testers check for disabled Pre-Authentication on every internal assessment and will test password strength against any user discovered.  We will work with your IT team to discuss the vulnerability, the importance of remediation, and how to do so.  For more information, contact us.
