Tips for an Information Security Analyst/Pentester Career - Ep. 96 - AD foothold attacks: AS-REP-ROAST

My long series of posts has so far mostly focused on perimeter engagements, for obvious reasons.

One normally starts learning with them, as no elaborate configurations are required to access the in-scope hosts. Nmap and a browser are mostly enough to get started.

So far I left Active Directory topics out because they're much harder to demo, as they require a domain including machines vulnerable to specific attacks.

There's a lot of paid solutions available to solve this dilemma but not a lot of free ones. I don't personally like to commit to a service with a subscription when I might not have time to fully enjoy it, so I created a Windows DC in VMware Fusion and a Kali attacking machine having an adapter configured on the same subnet.

We'll be moving from an assume breach approach, so we're already in the internal network, but we don't have valid credentials to the Windows domain.

To solve this problem, we can run multiple attack scenarios that can give us a foothold within AD. Here we'll focus on a very common attack technique called AS-REP Roasting.

Image source: https://akijosberryblog.files.wordpress.com/2018/01/kerb_auth.png

 Assumptions

1. We were given access to the internal network and a valid IP for it. This is how internal pentests are normally conducted.
2. We discovered the DC IP address.
   
3. We discovered multiple valid domain users but not a valid password, so our attack surface is very limited until we can find a valid set of credentials.

The attack scenario is based on a misconfiguration where one or multiple domain accounts are configured to not require Kerberos pre-authentication.

 

The Kerberos authentication process starts when a user sends an Authentication Server Request (AS-REQ) message to the domain controller (DC) to access a resource. The timestamp on that message is encrypted with the hash of the user’s password. If the DC can decrypt that timestamp using its own record of the user’s password hash, it will send back an Authentication Server Response (AS-REP) message that contains a Ticket Granting Ticket (TGT) issued by the Key Distribution Center (KDC), which is used for future access requests by the user.  

If pre-authentication is disabled, an attacker could request authentication data for any user and the DC would return an AS-REP message. Since part of that message is encrypted using the user’s password, the attacker can then attempt to brute-force the user’s password offline.

This attack can often provide a foothold to AD, if any accounts exist that are specifically configured with pre-authentication disabled and weak passwords.

Check the embedded video for more details.